This Data Processing Agreement (the “Agreement”) is executed by and between Payermax (hereinafter referred to as Controller, which expression shall unless it is repugnant to the meaning or context thereof be deemed to mean and include its legal heirs, executors, administrators, legal representatives, successors and permitted assigns of the Controller) and you (hereinafter referred to as Processor, which expression shall unless it is repugnant to the meaning or context thereof be deemed to mean and include its legal heirs, executors, administrators, legal representatives, successors and permitted assigns of the Processor). This agreement is part of our Service Agreement. By using Payermax Services, you signify your assent to this data protection policy, as revised from time to time.

The Controller and Processor shall be collectively referred to as the ‘Parties’, and individually referred to as a ‘Party’.

NOW, THEREFORE, for good and valuable consideration the sufficiency of which is hereby acknowledged, the Parties hereto agree as follows:

1.Definitions

1.1

Applicable Law(s)” are:

(a)In the EU Member States, the General Data Protection Regulation(GDPR) or any other applicable laws of the EU or Member State;

(b)In countries outside the EU – similar or equivalent laws, regulations or rules related to Personal Data, such as the California Consumer Privacy Act(CCPA), Singapore Personal Data Protection Act (PDPA);

(c)Enforceable guidelines and codes of conduct issued by a local regulatory authority which is responsible for the management of the application of Data Protection Laws; and/or

(d)Amendments, alterations or supplements that are from time to time made to the documents set out in subclauses (a) to (c) above.

1.2Authorized Employee” means an employee of Processor or a Processor Affiliate who has a need to know or otherwise access Personal Data in order to enable Processor to perform its obligations under this Addendum and who has undergone appropriate background screening and training by Processor.

1.3Authorized Person” means an Authorized Employee or Authorized Subcontractor.

1.4Authorized Subcontractor” means a third-party subcontractor, agent, reseller, or auditor engaged by Processor, or employee of same, that has a need to know or otherwise access Personal Data to enable Processor to perform its obligations under this Addendum and that has been previously approved by Controller in writing to do so, and who is bound in writing by a data processing Agreement pursuant to which their duties and obligations to protect Personal Data are in strict accordance with the terms hereof.

1.5Controller Affiliate” means any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Controller (where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether by contract, exercise of voting rights, common management, or otherwise).

1.6Data Subject” means an identified or identifiable person to whom Personal Data relates.

1.7Data Subject Rights” means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws, including, when effective, the GDPR, the CCPA, the applicable India data protect laws and the PDPA of Singapore.

1.8Data Protection Impact Assessment” means an assessment, conducted pursuant to Controller’s Instructions, of the impact of one or more Processing operations on the protection of Personal Data and the privacy of Data Subjects that takes into account the nature, scope, context, and purposes of such Processing and includes, without limitation, an analysis of the necessity and proportionality of such Processing as well as the appropriateness of the Technical and Organizational Measures used in connection with such Processing.

1.9Incident” means a situation whereby Personal Data in either Processor’s or any Authorized Person’s systems, backups, networks, servers, databases, computers, or other hardware or technical infrastructure, was lost with a low risk of potential harm or damage to Data Subjects.

1.10Including” and its derivatives (such as “include” and “includes”) (whether or not capitalized) means “including, without limitation” unless expressly indicated otherwise.

1.11Industry Standards” means the then-current industry best data protection and data processing practices relating to the Processing of the Personal Data.

1.12Instruction” means a direction issued by Controller to Processor and/or any Authorized Person, documented either in textual form (including without limitation by e-mail) or by using a software or online tool, regarding the Processing of Personal Data.

1.13Personal Data” means any information relating to a Data Subject which is subject to Data Protection Laws and which Processor receives from or on behalf of Controller for Processing in connection with the Services and includes Sensitive Personal Information.

1.14Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.15Privacy Shield Principles” means the privacy and data protection principles outlined in the Privacy Shield Framework and Principles, available at https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg.

1.16Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

1.17Processor Affiliate” means any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Processor (where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether by contract, exercise of voting rights, common management, or otherwise) and that assists or enables Processor to fulfill its obligations under the Agreement.

1.18Restricted Transfer” means Restricted Transfer that does not comply with the Applicable Law(s), such as, from the European Economic Area or Switzerland to any country or recipient: (i) not deemed by the European Commission as providing an adequate level of protection for Personal Data, and (ii) not covered by or a suitable framework or certification recognized by the relevant Supervisory Authority as providing an adequate level of protection for Personal Data, such as the Privacy Shield Framework and Principles.

1.19Sensitive Personal Information” means a Data Subject’s (including without limitation a Controller employee’s, where applicable) (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number); (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) genetic, biometric or health data; (iv) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, or trade union membership; (iv) Personal Data relating to criminal convictions and offences (including commission of or proceedings for any offense committed or alleged to have been committed) and (v) any other Personal Data designated as sensitive or deserving of heightened protection under applicable individual Member State Law.

1.20Services” shall have the meaning set forth in the Agreement.

1.21Supervisory Authority” means any other court, tribunal, or governmental or quasi-governmental entity or agency that has jurisdiction, under Applicable Law, over the Agreement, the Personal Data or Processing, and/or Controller or Processor, including the United States Department of Commerce and the data protection authorities of the nations of the European Economic Area and of Switzerland.

1.22Suspected Incident” means an interruption in either Processor’s or any Authorized Person’s systems, backups, networks, servers, databases, computers, or other hardware or technical infrastructure, whether or not connected to the Internet, whereby an Incident is suspected.

1.23Technical and Organizational Security Measures” means measures taken by Processor and Authorized Persons aimed at (i) ensuring the confidentiality, security, integrity, and availability of Personal Data, including protecting against an Incident, a Personal Data Breach, or other accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access to Personal Data (in particular where Processing involves the transmission of Personal Data over a network) and other unlawful forms of Processing and/or (ii) assisting and enabling Controller to comply with its obligations to respond to requests by Data Subjects to exercise their Data Subject Rights.

2.Processing of Data

2.1Processor agrees to comply with this Addendum, at no additional cost to Controller, at all times during the term of the Agreement. Any failure by Processor to comply with the obligations set forth in this Addendum, or any Personal Data Breach, will be considered a material breach of the Agreement, and Controller will have the right, without limiting any of the rights or remedies under this Addendum, or at law or in equity, to immediately terminate the cooperation between the parties for cause. Processor acknowledges that Controller may be the controller of the Personal Data or may be a processor of the Personal Data on behalf of another controller.

2.2Controller warrants that the personal data is processed for legitimate and objective purposes and that the Data Processor is not processing more personal data than required for fulfilling such purposes.

2.3Controller warrants that the data subjects to which the personal data pertains have been provided with sufficient information on the processing of their personal data.

2.4Processor acknowledges and agrees that it shall only Process Personal Data for the limited and specified purposes and in strict compliance with the Controller’s obligations which shall include Controller’s rights and obligations regarding onward transfer.

2.5Processor represents and warrants that its Processing of Personal Data does and will comply with all Applicable Laws.

2.6To the extent that any Personal Data is transmitted, transferred, shared or otherwise disclosed to Processor from any Member State, Processor represents, warrants, and covenants that it shall comply with the Directive and, when effective, the GDPR, the CCPA, the PDPA, the India data protect law(s) with respect to any Processing, including in particular any transfer, of such Personal Data.

3.Security of Data

3.1At a minimum, and without limiting the foregoing, Processor represents and warrants that it shall maintain all Personal Data in strict confidence, using at least the same level of privacy protection as is required by the Privacy Shield Principles (if applicable), which is more than or equal to the degree of care and Technical and Organizational Security Measures that meet or exceed applicable Industry Standards and that ensure a level of security appropriate to the particular risks of accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access of Personal Data presented by the Processing and the Personal Data (collectively, “Risks”), including (i) limiting access to Personal Data to Authorized Persons only; (ii) ensuring that all Authorized Persons are made aware of the confidential nature of Personal Data before they may access such data; (iii) securing its physical, technical, and administrative infrastructure, including all relevant business facilities, data centers, paper files, servers, networks, platforms, databases, cloud computing resources, back-up systems, passwords and credentials, hardware, and mobile devices; (iv) implementing authentication and access controls within all relevant media, applications, networks, operating systems and equipment; (v) encrypting Sensitive Personal Information at all times and Personal Data when transmitted over public or wireless networks or where otherwise appropriate in light of the Risks; (vi) strictly segregating Personal Data from information of Processor or its employees or other customers; (vii) maintaining appropriate personnel security and integrity procedures and practices, as set forth in Section 4; (viii) maintaining written plans and policies for responding to Suspected Incidents, Incidents, and Personal Data Breaches; (ix) maintaining and regularly testing processes for restoring the availability and access to Personal Data in a timely manner in the event of an Incident or Suspected Incident; (x) regularly testing, assessing, and evaluating the effectiveness of all Technical and Organizational Security Measures; and (xi) any other measures necessary to ensure the ongoing confidentiality, integrity, and availability of Personal Data and the ongoing security and resilience of systems and services used for Processing.

3.2Processor shall promptly notify Controller if Processor makes a determination that it can no longer meet its obligations to provide the same level of protection as is required by the Applicable Law(s) or any of the security measures outlined in Section 3.1 above. Upon such notice, Processor shall assist Controller by (i) taking reasonable and appropriate steps to stop and remediate unauthorized processing and (ii) providing a summary or a representative copy of the relevant privacy provisions of this Addendum to the Department upon request.

3.3Upon Controller’s written request, or, upon the termination or expiration of the Agreement for any reason, Processor shall, and shall ensure that all Authorized Persons, (i) promptly and securely dispose of or return to Controller in an encrypted format, at Controller’s choice, all copies of Personal Data, including backup or archival copies, and (ii) promptly certify in writing to Controller when the measures described in subsection (i) hereof have been completed. Processor shall, and shall ensure that all Authorized Persons, comply with all Instructions provided by Controller with respect to the return or disposal of Personal Data. Any disposal of Personal Data must ensure that such data is rendered permanently unreadable and unrecoverable. Processor and/or Authorized Persons shall be excused from performing the foregoing obligations only if, and solely to the extent that, Applicable Law(s) explicitly prevent them from doing so.

3.4Where and to the extent disposal of Personal Data in accordance with Section 3.3 is explicitly prevented by Applicable Law(s) or technically infeasible, Processor and/or Authorized Persons, as applicable, shall (i) take measures to block such Personal Data from any further Processing (except to the extent necessary for continued Processing explicitly required by Applicable Law(s)) and (ii) continue to exercise appropriate Technical and Organizational Security Measures to protect such Personal Data until it may be disposed of in accordance with Section 3.3, whereupon Processor shall (a) promptly and securely dispose of such Personal Data and (b) promptly certify in writing to Controller that such disposal is complete.

4.Authorized Persons

4.1Processor represents, warrants, and covenants that it has previously informed Controller and obtained its prior written consent to any Processing of Personal Data by third parties other than Processor and its Authorized Employees. Processor shall promptly send Controller a copy of any Authorized Subcontractor agreement relevant to this Addendum.

4.2Processor shall perform appropriate screening of all Authorized Persons, including without limitation background checks in accordance with Applicable Laws, and shall ensure the reliability and appropriate training of all Authorized Persons.

4.3Processor represents, warrants, and covenants that it has executed written agreements with each Authorized Subcontractor that bind them to all obligations set forth in this Addendum with respect to the Processing of the Personal Data.

4.4Processor represents, warrants, and covenants that it has executed confidentiality agreements with each Authorized Person that prevents them from disclosing or otherwise Processing, both during and after their engagement by Processor, any Personal Data except in accordance with their obligations in connection with the Services.

4.5Processor shall be fully responsible for the acts and omissions of Authorized Subcontractors and any other of its subcontractors, independent contractors, and other service providers to the same extent that Processor would itself be liable under this Addendum had it conducted such acts or omissions, and shall fully indemnify Controller for all losses arising from or related to such acts and omissions.

5.Suspected Incident, Incident, and Personal Data Breach Notification

5.1Processor shall notify Controller of a Suspected Incident as soon as reasonably practicable, but in any event, not more than forty-eight (48) hours after becoming aware of such Suspected Incident. If such Suspected Incident becomes an Incident or a Personal Data Breach, Processor shall notify Controller pursuant to Section 5.2.

5.2Processor shall notify Controller immediately upon becoming aware of an Incident or a Personal Data Breach and shall, in a written report, provide sufficient information to enable Controller to comply with its obligations under Applicable Laws with respect to such Incident or Personal Data Breach, including any obligation to report or notify such Incident or Personal Data Breach to Supervisory Authorities and/or Data Subjects, as applicable. Such report will include (i) a description of the nature of the Incident or Personal Data Breach, (ii) the categories and approximate number of Data Subjects and Personal Data sets affected or alleged to be affected, (iii) the likely consequences of the Incident or Personal Data Breach, and (iv) any measures that have been or may be taken to address and mitigate the Incident or Personal Data Breach.

5.3As soon as reasonably practicable after providing the report described in Section 5.2, Processor shall provide Controller with a comprehensive report on its initial findings regarding the Incident or Personal Data Breach, and thereafter shall provide regular updates describing subsequent findings with respect to such Incident or Personal Data Breach. As soon as reasonably practicable after Processor has concluded its examination of the Incident or Personal Data Breach, it shall provide Controller with a comprehensive final report regarding the Incident or Personal Data Breach.

5.4Processor and/or any relevant Authorized Subcontractor shall use its best efforts to immediately mitigate and remedy any Incident or Personal Data Breach and prevent any further Personal Data Breach or recurrence thereof, at Processor’s own expense and in accordance with Applicable Laws.

5.5Neither Processor nor any Authorized Subcontractor shall publicly disclose any information regarding any Suspected Incident, Incident or Personal Data Breach without Controller’s prior written consent, except that Processor and any relevant Authorized Subcontractor may disclose any Suspected Incident, Incident or Personal Data Breach to (i) its own employees, customers, advisors, agents, or contractors, or (ii) where and to the extent explicitly compelled to do so by Applicable Laws, to applicable Supervisory Authorities and/or Data Subjects without Controller’s prior written consent.

5.6Processor and/or any relevant Authorized Subcontractor shall, at Processor’s expense, fully cooperate with Controller and provide any assistance necessary for Controller to comply with any obligations under Applicable Laws with respect to an Incident or Personal Data Breach, including obligations to report or notify an Incident or Personal Data Breach to Supervisory Authorities and/or Data Subjects. Such assistance may include drafting disclosures, press releases and/or other communications for Controller with respect to such Incident or Personal Data Breach.

6.Rights of Data Subjects

6.1

Processor shall, to the extent permitted by Applicable Laws, provide all necessary assistance to Controller to support Controller’s response to requests by Data Subjects to exercise Data Subject Rights, including, as applicable, a Data Subject’s right to:

(a)confirm whether his or her Personal Data has been or is being Processed;

(b)access a copy of all Personal Data of his or hers that has been or is being Processed;

(c)rectify or supplement his or her Personal Data;

(d)transfer his or her Personal Data to another Controller;

(e)confirm that his or her Personal Data has been or is being subject to Processing that constitutes automated decision-making;

(f)restrict or cease the Processing of his or her Personal Data; and

(g)withdraw consent to the Processing of his or her Personal Data held by Processor. Such assistance shall also include

(x)maintaining records sufficient to demonstrate Processor’s performance of its obligations under Applicable Laws with respect to Data Subject Rights,

(y)promptly notifying Controller if Processor or an Authorized Subcontractor receives a request from a Data Subject to exercise a Data Subject Right and refraining from responding to such requests (and ensuring that Authorized Subcontractors refrain from responding to such requests) except upon receipt of, and in accordance with, Instructions from Controller, and

(z)informing Controller in the event that Applicable Laws or any judicial, law enforcement, or Supervisory Authority operate to prevent Processor (or any Authorized Subcontractor) from performing the obligations described in this Section 6.1.

7.Transfers of Personal Data

7.1The Processor may not, without prior instructions from the Controller, transfer Personal Data or any other information relating to the Processing of Personal Data to any third party. In the event, the Processor, according to Applicable Law(s), is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor shall be obliged to inform the Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.

7.2Processor represents and warrants that every Restricted Transfer made by Processor or any Authorized Subcontractor shall be undertaken in accordance with the Applicable Law(s).

7.3If applicable, Processor represents, warrants, and covenants that every transfer of Personal Data by Processor from the European Economic Area or Switzerland to the United States shall be made pursuant to the Privacy Shield Framework and Principles, and further represents and warrants that it self-certifies to, and complies with, the Privacy Shield Framework and Principles, and shall maintain such self-certification and compliance for the duration of the Agreement.

7.4If applicable, Processor represents and warrants that every Authorized Subcontractor that transfers Personal Data from the European Economic Area or Switzerland to the United States adheres to the Privacy Shield Principles.

8.Actions and Access Requests

8.1Upon Controller’s request, Processor shall make available to Controller all information available to Processor and to Authorized Subcontractors that Controller reasonably deems necessary to demonstrate compliance by Controller with its obligations under Applicable Laws relating to the Personal Data and the Processing conducted by Processor and Authorized Subcontractors.

8.2

Upon Controller’s request, Processor shall provide all necessary assistance to Controller in connection with any data protection impact assessments (“DPIA(s)”) that Controller determines (in its sole discretion) it must conduct or cause to be conducted in order to comply with Applicable Laws, to the extent that such DPIA(s) relate to the Processing.

8.2.1Upon Controller’s request, Controller shall provide all necessary assistance to Controller in connection with any consultation with a Supervisory Authority that Controller determines (in its sole discretion) it must undertake as a result of a DPIA, to the extent that such DPIA relates to the Processing.

8.3Upon Controller’s request, Processor shall provide all necessary assistance to Controller in the event of any investigation, action, or request made by a Supervisory Authority, to the extent that such investigation, action, or request relates to the Personal Data or the Processing.

8.4Upon Controller’s request, Processor shall provide Controller, and any Supervisory Authority with whom Controller is consulting or cooperating, with a designated contact for all queries and requests relating to the Processing of Personal Data.

8.5Upon Controller’s request, Processor shall provide all necessary assistance to Controller in connection with any certification or re-certification efforts by Controller with respect to the EU-US Privacy Shield Framework (if applicable).

8.6In the event Processor determines that any Processing violates Applicable Laws (including the valid exercise of a Data Subject Right) or this Addendum, it shall immediately inform Controller and follow Instructions for stopping such Processing and/or remediating the violation.

8.7Without limiting the foregoing, in the event of a change in Applicable Laws affecting this Addendum, Processor agrees to work in good faith with Controller to make any amendments to this Addendum pursuant to Section 11.1, and further agrees to make any changes to its Technical and Organizational Security Measures as are reasonably necessary to ensure continued compliance with Applicable Laws.

9.Audit Rights

9.1Processor shall maintain complete and accurate records in connection with Processor’s performance under this Addendum, and shall retain such records for a period of three (3) years after the termination or expiration of the Agreement.

9.2Controller shall have reasonable access during regular business hours upon reasonable notice to review, audit and copy such records relevant to Processor’s provision of Services and discharge of obligations under this Addendum.

9.3Controller also reserves the right to actively test Processor’s compliance with Controller’s security requirements, including without limitation security configuration (e.g., server parameters, security settings and control environment) and network perimeter controls, provided that such tests are not unreasonably disruptive to Processor’s business. Processor agrees, at its cost, to make any changes requested by Controller to correct inadequacies discovered in such audits or tests.

10.Indemnity

10.1Processor shall, at its own expense, protect, defend, indemnify and hold harmless Controller and its officers, directors, employees, successors, assigns, distributors, contractors, agents, affiliates and customers, from all claims or actions, damages, liabilities, assessments, losses, costs, and other expenses (including, without limitation, reasonable attorneys’ fees and legal expenses and breach notification expenses) arising out of or resulting from (a) any breach by Processor of its warranties or representations in this Addendum, (b) any acts and omissions of any Authorized Subcontractors with respect to the Processing of any Personal Data; or (c) any Incident or Personal Data Breach (collectively, “Claims”).

10.2Controller shall provide Processor with prompt written notice of any Claim. Upon receipt of any such notice, Processor must immediately take all necessary and appropriate action to protect Controller’s interests with regard to any Claims. Controller shall provide reasonable cooperation, information, and assistance in connection with any Claim (except that failure to do so shall only excuse Processor from its obligations to the extent such failure materially prejudiced the defense of the Claim). Processor shall have sole control and authority to defend, settle or compromise any Claim, provided that Processor shall not make any settlement that requires a materially adverse act or admission by Controller without Controller's written consent (such consent not to be unreasonably delayed, conditioned or withheld). If Processor provides counsel for the defense of any Claim and Controller, in its sole discretion, determines that such counsel is unacceptable or that a conflict of interest exists between Controller and such counsel, Controller may request Processor replace the counsel. If Processor fails to timely replace counsel, the Processor agrees that its counsel shall work in good faith with Controller’s counsel until the Claim is resolved.

11.Miscellaneous

11.1This Addendum may be amended or modified only by a writing signed by both Parties. Processor acknowledges and agrees that the Controller (whether it is acting as a controller or a processor on behalf of another controller) may disclose this Addendum to third parties (including other controllers, data subjects and regulators) for purposes of demonstrating compliance with Applicable Laws.

11.2The Parties hereby acknowledge and agree that any remedies arising from any Personal Data Breach or any breach by Processor or any Authorized Person of the terms of this Addendum are not and shall not be subject to any limitation of liability provision that applies to Processor under the Agreement.

11.3This Addendum shall be governed by the law of the same jurisdiction as the Agreement, except where and to the extent that Applicable Laws require that the Addendum be governed by the law of another jurisdiction.