DPA
Last Updated: Feb 6th, 2025
This Data Processing Agreement (“DPA”) is dated and effective as of February 6th, 2025 and entered into by and between Kaizen Pay Corporation (“Company”, “Kaizen”, “we”, “us”, or “our”) and any user or visitor to the Website who utilizes any Products or Services involving the collection, use, processing, or storage of Personal Information (“you,” “your,” or a “user”). (Company and user, collectively, are the “Parties”; each, a “Party.”)
Your use of some of our Products or Services or the Site may require us to process Personal Information (defined below) provided by or collected for you. This DPA governs, and provides additional terms, requirements, and conditions regarding, the use, disclosure, transfer, processing, and storage of Personal Information in connection with the use of any of our Products or Services or the Site. This DPA is in compliance with Privacy and Data Protection Laws (defined below). The Parties agree to comply with this DPA in full.
This DPA is governed by the Company’s Website Terms of Use [kaizen-payments.com/terms-conditions] (“Website Terms”), which includes all disclaimers of warranties and limitations of liabilities, and this DPA is incorporated and made part of the Website Terms by this reference. Capitalized terms that are used but not otherwise defined in this DPA have the respective meanings assigned to such terms in the Website Terms or in applicable other Website documents incorporated in the Website Terms, including in additional or separate or subsequent agreements entered into by you with us.
1. Definitions and Interpretation
1.1 The following definitions and rules of interpretation apply in this DPA.
“Business Purpose” has the meaning given to it by Privacy and Data Protection Laws and refers to and is described by Products and/or Services or any other purpose specifically identified by the Parties in any additional agreements entered into between you and us.
“Collects” (and other forms of this word) has the meaning given to it by Privacy and Data Protection Laws, including the CCPA.
“Contractor” has the meaning given to it by the CCPA.
“Data Subject” means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly, and includes the definition of “consumer” in the CCPA.
“Deidentified Information” has the meaning given to it by Privacy and Data Protection Laws, including the CCPA.
“Personal Information” means any information uploaded to the Website or any Product or Service and used, stored, accessed, or processed by us for you that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in our possession or control or that we are likely to have access to, or (b) the relevant Privacy and Data Protection Laws (including the CCPA) otherwise define as protected personal information.
“Processing” (and other forms of that word, including “Process”) means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Laws may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties and includes the definition of “processing” under the CCPA.
“Privacy and Data Protection Laws” means all applicable state and federal laws and regulations relating to the processing, protection, or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Privacy Act of 2018, California Civil Code Sections 1798.100 – 1789.199, as amended (the “CCPA”).
“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
“Sell” (and other forms of this word) has the meaning given to it by Privacy and Data Protection Laws, including the CCPA.
“Service Provider” has the meaning given to it by the CCPA.
“Share” (and other forms of this word) has the meaning given to it by Privacy and Data Protection Laws, including the CCPA.
[“Standard Contractual Clauses (SCC)” means the European Commission's standard contractual clauses for the transfer of personal data from the European Union to third countries (Module [One/Two/Three/Four]), as set out in the Annex to Commission Decision (EU) 2021/914, a completed copy of which comprises Appendix ___.]
1.2 This DPA is subject to the terms of the Website Terms, including any separate or subsequent agreements entered into by you and us with respect to any Products or Services or the Site. Interpretations and defined terms set forth in the Website Terms (and any such separate or subsequent agreements) apply to the interpretation of this DPA.
1.3 In the case of conflict or ambiguity between this DPA and any provision in the Website Terms, the provisions of this DPA will prevail.
2. Personal Information Types and General Processing Purposes
2.1 To the extent you Collect, disclose, Sell, Share, or otherwise make available Personal Information in connection with the Products or Services or the Website, you do so for the limited and specific purposes necessary to utilize the Products, Services, or Website.
2.2 You retain control of the Personal Information and remain responsible for your compliance obligations under the applicable Privacy and Data Protection Laws, including providing any required notices and obtaining any required consents, and for the processing instructions given to us.
2.3 You will disclose Personal Information to us only for the limited and specified Business Purposes governing the use of the Products, Services, or Website and as set forth in the Website Terms (including the Privacy Policy and other agreements between you and us).
3. Additional Terms Regarding Retention, Use, Processing, and Disclosure of Personal Information
3.1 We will process, retain, use, or disclose Personal Information you upload or otherwise provide to us only to the extent and in such a manner as is necessary for the Business Purposes in accordance with your instructions (as communicated by and through the Products and Services and/or the Website). We will not process, retain, use, or disclose the Personal Information for any other purposes, outside of the Parties’ business relationship, or in a way that does not comply with this DPA or the Privacy and Data Protection Laws.
3.2 We will not combine Personal Information with any personal information or data that we receive from, or on behalf of another person or entity or otherwise obtained outside of the Website Terms and this DPA, unless such combination is necessary to perform any Business Purpose to provide the Products or Services and is permitted by the Privacy and Data Protection Laws.
3.3 We will notify you if, in our reasonable opinion, any of your instructions would not comply with the Privacy and Data Protection Laws.
3.4 We will promptly comply with any requests or instructions from you requiring us to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remediate any unauthorized Processing.
3.5 We will maintain the confidentiality of all Personal Information. We will not Sell or Share Personal Information. We will not Share it for cross-context behavioral advertising (targeted advertising) with anyone, or disclose it to third parties without specific authorization from you or this DPA, unless required by law. If we are required by law to Process or disclose Personal Information, we will first inform you of such legal requirement and provide you an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.6 We will reasonably assist you to meet your compliance obligations under the Privacy and Data Protection Laws, taking into account the nature of the Processing we do and the information available to us.
3.7 We will notify you of any changes in our ability to meet our obligations under Privacy and Data Protection Laws or that may adversely affect our performance of the terms of the Website Terms (including any subsequent or separate agreements with you) or this DPA.
3.8 You acknowledge that we are under no duty to investigate the completeness, accuracy, or sufficiency of any specific instructions from you or of any Personal Information, other than as required under the Privacy and Data Protection Laws.
3.9 You represent and agree that any Personal Information you disclose to us will have been Collected using a notice and method in compliance with Privacy and Data Protection Laws that, among other things, informs the Data Subject of your identity, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Laws. If we Collect Personal Information for or on your behalf, we will use a notice approved by you, and we will not modify or alter the notice in any way without your prior consent.
3.10 To the extent you disclose or otherwise make available Deidentified Information, you and we agree to (i) take reasonable measures to ensure the information cannot be associated with a Data Subject, and (ii) maintain and use the information in deidentified form and not to attempt to reidentify the information except as permitted under Privacy and Data Protection Laws.
3.11 We will limit Personal Information access to:
(a) those employees who require Personal Information access to meet our obligations under this DPA and Website Terms (including separate or subsequent agreements); and
(b) the part or parts of the Personal Information that those employees require for the performance of their duties.
3.12 We will ensure that all employees:
(a) are informed of the Personal Information's confidential nature and use restrictions and are obliged to keep the Personal Information confidential;
(b) have undertaken reasonable and appropriate training on the Privacy and Data Protection Laws relating to handling Personal Information and how it applies to their particular duties; and
(c) are aware of our duties and their personal duties and obligations under the Privacy and Data Protection Laws and this DPA.
3.13 We agree to take reasonable steps to ensure the reliability and integrity of our employees with access to the Personal Information.
4. Security
4.1 We will at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage. You agree that you also will implement and maintain appropriate technical and organizational measures designed to safeguard any Personal Information you disclose to us and that, at all times when you access or use our Products and Services, you will use secure equipment, will maintain the confidentiality of your account and password, and will be responsible for any and all consequences of use or misuse of your account and password. You and we agree that, as reasonable and appropriate, you or we may be required to document our respective security measures in writing and periodically review them to ensure they remain current and complete.
4.2 Each Party will notify the other if it becomes aware of any advance in technology or methods of working that indicates that either or both Parties should adjust their respective security measures.
4.3 We will take reasonable precautions to preserve the integrity of any Personal Information we Process and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
5. Security Breaches and Personal Information Loss
5.1 We agree to notify you if we become aware that any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable.
5.2 We will promptly notify you if we become aware of:
(a) any unauthorized or unlawful processing of the Personal Information; or
(b) any Security Breach.
5.3 Promptly following any unauthorized or unlawful Personal Information processing or Security Breach, the Parties will reasonably coordinate with each other to investigate the matter. We agree to reasonably cooperate with you in your investigation of the matter, including:
(a) providing reasonable assistance with any such investigation;
(b) providing you with reasonable access to affected operations or facilities;
(c) facilitating interviews as deemed necessary with persons involved in the matter; and
(d) making available relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Laws or as otherwise reasonably required.
5.4 We agree not to inform any third parties of a Security Breach without first obtaining your prior written consent, except when law or regulation requires it.
5.5 We agree that you may determine:
(a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in your discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
5.6 We agree to cover reasonable expenses associated with the performance of the obligations under Section 5.2 and Section 5.3, unless the matter arose from your specific instructions, negligence, willful default, or breach of this DPA, in which case you will cover all reasonable expenses.
5.7 We will reimburse you for actual reasonable and documented expenses you incur when responding to and mitigating damages, to the extent that we caused a Security Breach, including the costs of notice and any remedy as set out in Section 5.5.
6. Cross-Border Transfers of Personal Information
6.1 The Parties agree that all Personal Information originates in the United States and is Processed in the United States.
6.2 The Parties agree that there will not be any cross-border transfers of Personal Information. You agree that you will transfer Personal Information to us only under the following conditions:
(a) you obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Laws; or
(b) the transfer otherwise complies with the Privacy and Data Protection Laws.
6.3 Unless the transfer complies with the Privacy and Data Protection Laws, you will not transfer to us Personal Information that originates outside the United States, and we will not transfer any Personal Information to another country.
7. Subcontractors
7.1 If we engage any other person or entity to assist in Processing Personal Information for a Business Purpose on your behalf, the engagement shall be pursuant to a written contract binding the other person or entity to observe the requirements set forth herein and in accordance with Privacy and Data Protection Laws. We may disclose Personal Information to (i) persons or entities who are Service Providers or Contractors to enable the Service Providers or Contractors to provide the Products or Services for your benefit, and (ii) our employees and contractors who have a need to know in order to provide the Products or Services for your benefit, have been informed of requirements under Privacy and Data Protection Laws regarding handling Data Subject inquiries, and are under a duty of confidentiality. We will maintain control over all Personal Information we entrust to such person or entity, and we agree that any contract with such person or entity will terminate automatically on termination of this DPA for any reason.
7.2 As deemed necessary, we will audit a subcontractor’s compliance with its obligations regarding your Personal Information and provide you with the audit results.
8. Data Subject Requests, Complaints, and Third-Party Rights
8.1 We will notify you promptly if we receive a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like Sales, disclosures, or other Processing actions.
8.2 We will notify you promptly if we receive any other complaint, notice, or communication that directly or indirectly relates to the Personal Information Processing or to either Party’s compliance with the Privacy and Data Protection Laws.
8.3 We will provide reasonable cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.
8.4 We agree that we will not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at your request or instruction, permitted by this DPA, or is otherwise required by law.
9. Term and Termination
9.1 This DPA will remain in full force and effect so long as:
(a) you use any of our Products or Services; or
(b) we retain any Personal Information related to our Products, Services, or Website in our possession or control (the “Term”).
9.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of our relationship with you in order to protect Personal Information will remain in full force and effect.
9.3 A Party’s failure to comply with the terms of this DPA is a material breach of the Website Terms (including any separate or subsequent agreement between the Parties). In such event, the non-breaching Party may terminate any agreement with the other Party authorizing the Processing of Personal Information effective immediately upon written notice and without further liability or obligation.
9.4 If a change in any Privacy and Data Protection Laws or either Party’s circumstances prevents a Party from fulfilling all or part of obligations with respect to Personal Information under the Website Terms or any other separate or subsequent agreement between the Parties, the Parties will suspend the Processing of Personal Information until the Party’s Processing complies with such laws. If the Parties are unable to bring the Personal Information Processing into compliance with the Privacy and Data Protection Laws within thirty (30) days, they may terminate their relationship as it relates to the Processing of Personal Information upon written notice to the other Party.
10. Data Return and Destruction
10.1 At your request, we will provide to you a copy of or access to all or part of your Personal Information in our possession or control in the format and on the media reasonably specified by you.
10.2 On termination of our relationship with respect to any Products or Services for any reason or expiration of the term of any applicable agreement between us, we will securely destroy or, if directed in writing by you, return and not retain, Personal Information related to such relationship or agreement that is in our possession or control, except for one copy that we may retain and use for audit purposes.
10.3 Subject to Section 10.2, if any law, regulation, or government or regulatory body requires us to retain any documents or materials that we would otherwise be required to return or destroy, we will notify you in writing of that retention requirement, providing information regarding the documents or materials that we must retain, the legal basis for retention, and establishing a timeline for destruction once the retention requirement ends. We may use this retained Personal Information for the required retention reason or for audit purposes.
10.4 If we are instructed to destroy the Personal Information, we will certify in writing that we have destroyed the Personal Information within ten days after we complete the destruction.
11. Records
11.1 We will keep accurate and up-to-date records regarding any Processing of Personal Information we carry out for you, including, but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the Processing purposes, and any other records required by the applicable Privacy and Data Protection Laws (the “Records”).
11.2 We will ensure that the Records are sufficient to enable you to verify our compliance with our obligations under this DPA.
11.3 .
12. Audit
12.1 At least once per year, we will conduct site audits of our Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with our obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
12.2 Upon your written request, we will make relevant audit reports available to you for review, including as applicable: our latest Payment Card Industry (PCI) Compliance Report. You will treat such audit reports as our confidential information under this DPA.
12.3 We will promptly address any material issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan.
13. Warranties
13.1 We warrant and represent that:
(a) our employees, subcontractors, agents, and any other person or persons accessing Personal Information on our behalf have received the required training on the Privacy and Data Protection Laws relating to the Personal Information; and
(b) we and anyone operating on our behalf will Process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Laws and other laws, enactments, regulations, orders, standards, and other similar instruments; and
(c) we have no reason to believe that any Privacy and Data Protection Laws prevent us from providing any of the Products or Services; and
(d) considering the current technology environment and implementation costs, we will take reasonable and appropriate technical and organizational measures to prevent the unauthorized or unlawful Processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
(i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
(ii) the nature of the Personal Information protected; and
(iii) comply with all applicable Privacy and Data Protection Laws and our information and security policies.
13.2 You warrant and represent that our expected use of the Personal Information for the Business Purpose and as specifically instructed by you will comply with all Privacy and Data Protection Laws.