Mollie

Mollie B.V. is a Dutch besloten vennootschap (private limited company) registered at Keizersgracht 126, 1015 CW Amsterdam with Kamer van Koophandel number 30204462 and VAT identification NL81.58.39.091.B01. EEA and Swiss merchants sign the Mollie B.V. user agreement, which is governed by Dutch law with disputes heard in Amsterdam; Mollie B.V. is licensed under the Dutch Financial Supervision Act (Wft) and supervised by De Nederlandsche Bank under relation number F0038. UK merchants sign a separate user agreement with Mollie UK Ltd (Companies House 14013554, FCA FRN 977968), authorised since 2 November 2023 by the Financial Conduct Authority under the Payment Services Regulations 2017, with disputes covered by the UK Financial Ombudsman Service. Continental European countries (Germany, France, Belgium, Italy, Spain, Portugal, Austria, Poland, Czech Republic, Hungary, Slovenia, Romania, Greece, Denmark, Sweden, Finland, Norway, Ireland, Luxembourg) are served via EEA passporting from the Dutch licence; there is no separate Mollie GmbH or Mollie SAS.

Mollie holds two Dutch financial licences on the same DNB relation number F0038: a Payment Institution licence under PSD2 (DNB public register code WFTBI, held since 2012) and an Electronic Money Institution licence under EMD2 (DNB register code WFTEG, added on 16 January 2024). The EMI licence extends Mollie's capability to issue e-money, offer stored-value accounts and provide local IBAN accounts. Mollie UK Ltd is a separate UK Payment Institution authorised by the Financial Conduct Authority under FCA Firm Reference Number 977968 since 2 November 2023; it is not a UK EMI as of latest verification. Mollie also self-declares compliance with the European Banking Authority Guidelines on the security of internet payments. There is no German BaFin, French ACPR or Belgian NBB authorisation because EEA passporting from the Dutch licence covers those markets.

Mollie has no US subsidiary. The group consists of Mollie B.V. (Netherlands, parent and DNB-regulated), Stichting Mollie Payments (Netherlands, safeguarding foundation under DNB supervision via Mollie B.V.) and Mollie UK Ltd (United Kingdom, FCA-regulated subsidiary). There is therefore no Mollie legal entity that a US court could compel directly under the CLOUD Act. Exposure runs through subprocessors and the Google Cloud underlay: Mollie has migrated its application platform to Google Cloud (GKE compute, Cloud SQL, Cloud Storage, Cloud CDN, Cloud Load Balancing, Cloud DNS) per the public Google Cloud customer case study and observed via: 1.1 google headers on api.mollie.com. Additional US-incorporated subprocessors include Zendesk (helpdesk on help.mollie.com), Cloudflare (edge in front of help.mollie.com and docs.mollie.com), ReadMe (developer documentation), Instatus (status page), Ekata (a Mastercard company, used for AML / KYC identity verification, named in Mollie's privacy policy) and Salesforce (advertising cookies and commerce integration). Mollie's privacy policy explicitly contemplates non-EEA transfers under EU Standard Contractual Clauses; the security page asserts that data is stored on Dutch servers, which a procurement-grade buyer should ask Mollie to confirm in writing as pinning to Google Cloud's europe-west4 (Eemshaven, Netherlands) region.

Not as a dedicated consolidated list. Unlike Stripe, Adyen and Square, Mollie does not maintain a single public subprocessor index. Subprocessors are referenced in two surfaces: (1) the privacy policy at mollie.com/legal/privacy names Ekata explicitly (identity verification, AML and KYC screening) and references categories of processor including infrastructure providers, customer-service and CRM SaaS, advertising networks and AML/CFT screening partners; (2) the cookie policy at mollie.com/cookies names Google DoubleClick, X (formerly Twitter) and Salesforce as advertising cookie operators. The Google Cloud relationship is documented separately on Google's public customer case-study page at cloud.google.com/customers/mollie. Live DNS and HTTP probes additionally surface Zendesk, Cloudflare, ReadMe, Instatus and Framer as the operators of Mollie's auxiliary subdomains. The absence of a consolidated DPA-grade list is a documented gap relative to Mollie's larger PSP competitors.

Mollie does not sign a standard Article 28 processor DPA with merchants. The position documented on the help-center DPA page is that Mollie and the merchant are not acting upon each other's instructions but are both independent controllers responsible for the personal data they process. This reflects Mollie's standing under PSD2 and the Dutch Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme): the Payment Institution has its own AML, KYC and transaction-monitoring obligations that are independent of the merchant's controller status. Practically, merchants who request a controller-controller agreement or a joint-controller arrangement can obtain one; merchants expecting Mollie to act as their processor under their own template DPA will find that Mollie pushes back. The published Data Processing Agreement landing page at mollie.com/legal/data-processing-agreement and the relevant help-center article walk merchants through the workflow.

Mollie holds PCI DSS Level 1 for card-data handling at the highest tier; an Attestation of Compliance is available to merchants on request, although the AoC validity period is not published on the public security page. Mollie also publishes annual ISAE 3402 Type 2 assurance with Deloitte as the external auditor, covering the payment process and the IT applications that support it. ISO/IEC 27001 and SOC 2 are not advertised on Mollie's public security pages; either Mollie holds them but does not publicise them, or it relies on its ISAE 3402 plus PCI DSS plus DNB and FCA supervision stack as the assurance baseline. The newer security page also references an in-house penetration-testing team running regular cyberattack simulations.

On 11 December 2025 Mollie agreed to acquire GoCardless Ltd, a UK direct-debit specialist (Companies House 07495895, FCA FRN 597190 authorised under the Payment Services Regulations 2017), for around EUR 1.05 billion. More than 90 percent of the consideration is in Mollie shares with the remainder in cash. The transaction closing is expected mid-2026 subject to regulatory approval from DNB, the FCA and the relevant competition authorities. Once closed, the combined group will serve a stated 350,000 European merchants and will materially extend Mollie's coverage in UK Bacs Direct Debit. The post-close legal-entity stack will add GoCardless Ltd (UK) alongside Mollie UK Ltd (UK) and Mollie B.V. (Netherlands); the DPA, privacy policy and subprocessor exposure will be revisited at closing. As of May 2026 the deal had not yet closed and the existing Mollie B.V. user agreement, privacy policy and licences remain the contractual basis for European merchants.