Data Processing Addendum
Last updated: April 2026 · Version 1.0
Governing the processing of personal data by ProofVault on behalf of Merchants, in compliance with GDPR and applicable privacy law.
This Data Processing Addendum is incorporated into and forms part of the ProofVault Terms of Service. By subscribing to the ProofVault platform, the Merchant agrees to the terms of this DPA. For GDPR enquiries or to request a signed DPA, contact privacy@proofvault.com.
Contents
- 1. Introduction and Purpose
- 2. Definitions
- 3. Subject Matter and Nature of Processing
- 4. Categories of Data and Data Subjects
- 5. Obligations of the Processor
- 6. Sub-Processors
- 7. International Data Transfers
- 8. Security Measures
- 9. Data Subject Rights Assistance
- 10. Retention and Deletion
- 11. Audits and Compliance Verification
- 12. Term and Termination
- 13. Governing Law
1. Introduction and Purpose
This Data Processing Addendum ("DPA") forms part of the agreement between ProofVault ("Processor") and the Merchant subscribing to the ProofVault platform ("Controller"). It governs the processing of personal data by ProofVault on behalf of the Merchant in connection with the delivery of the ProofVault platform services.
This DPA is intended to comply with the requirements of the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the UK GDPR, and other applicable data protection laws that impose requirements on data processors. In the event of any conflict between this DPA and the main Terms of Service, this DPA shall govern with respect to data protection matters.
2. Definitions
The following definitions apply in this DPA:
"Controller" means the Merchant who determines the purposes and means of the processing of personal data through the ProofVault platform.
"Processor" means ProofVault, which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data protection law.
"Processing" means any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and deletion.
"Data Subject" means the natural person to whom personal data relates. In the context of ProofVault, this typically refers to the Merchant's customers whose transaction data is processed through the platform.
"Sub-Processor" means any third party engaged by ProofVault to carry out processing activities on the Controller's behalf.
"Supervisory Authority" means a public authority responsible for monitoring the application of applicable data protection law.
3. Subject Matter and Nature of Processing
ProofVault processes personal data for the purpose of delivering transaction assurance services to the Merchant. This includes:
- Capturing and storing transaction evidence records associated with the Merchant's transactions, including confirmation logs, policy acceptance records, fulfillment documentation, and customer acknowledgment data
- Generating dispute-ready export packs on behalf of the Merchant
- Providing evidence organization and timeline tools
- Delivering platform functionality including analytics, reporting, and notification services
Processing is carried out for the duration of the Merchant's active subscription and any applicable retention period thereafter.
4. Categories of Data and Data Subjects
The categories of personal data processed by ProofVault on behalf of the Merchant include:
- Identifiers: Names, email addresses, IP addresses, and device identifiers associated with End Customers
- Transaction data: Purchase details, confirmation timestamps, policy acceptance records, and fulfillment confirmations
- Communications data: Customer acknowledgment records, survey responses, and communication trail data
- Behavioral data: Access records and usage signals captured as part of the assurance workflow
The data subjects are the Merchant's customers (End Customers) and, where applicable, the Merchant's own personnel who use the platform.
5. Obligations of the Processor
ProofVault, as Processor, agrees to:
Process personal data only on documented instructions from the Controller (the Merchant), including with regard to transfers of personal data to a third country or international organisation, unless required by applicable law. In that case, ProofVault will inform the Controller before processing unless prohibited by law.
Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Assist the Controller in ensuring compliance with data subject rights, including rights of access, rectification, erasure, restriction, portability, and objection.
Assist the Controller in fulfilling obligations related to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available.
Delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.
6. Sub-Processors
ProofVault engages sub-processors to assist in delivering platform services. The Merchant agrees to ProofVault's use of sub-processors, subject to the following conditions:
ProofVault will maintain a current list of sub-processors, available at proofvault.com/sub-processors or upon written request to privacy@proofvault.com.
ProofVault will impose equivalent data protection obligations on sub-processors by contract, including appropriate technical and organisational security measures.
ProofVault will notify the Merchant of any intended changes to sub-processors (additions or replacements), providing the Merchant with an opportunity to object within 14 days. Where the Merchant objects and ProofVault cannot accommodate the objection, either party may terminate the relevant services on reasonable notice.
Current sub-processor categories include cloud infrastructure providers, security monitoring services, customer communication tools, and analytics platforms. A full list is available upon request.
7. International Data Transfers
Where ProofVault transfers personal data to a country outside the EEA or UK that does not benefit from an adequacy decision, ProofVault shall ensure such transfers are subject to appropriate safeguards in accordance with applicable data protection law.
Appropriate safeguards used by ProofVault include Standard Contractual Clauses (SCCs) as approved by the European Commission and adopted under UK GDPR, supplemented by additional technical measures where required by a transfer impact assessment.
Details of the applicable transfer mechanisms and a copy of the relevant SCCs are available upon request to privacy@proofvault.com.
8. Security Measures
ProofVault implements and maintains technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit using industry-standard TLS
- Encryption of personal data at rest
- Access controls and role-based permissions to restrict data access to authorised personnel
- Audit logging of access to personal data and system events
- Regular security assessments and vulnerability management
- Incident response procedures and breach notification processes
- Vendor security assessments for sub-processors
ProofVault will notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed on the Controller's behalf, providing sufficient information for the Controller to meet notification obligations under applicable law.
9. Data Subject Rights Assistance
ProofVault will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law.
When ProofVault receives a request directly from a Data Subject relating to data processed on behalf of the Controller, ProofVault will promptly forward the request to the Controller. The Controller is responsible for responding to such requests.
ProofVault will provide reasonable technical assistance to the Controller in fulfilling verified data subject requests, including access requests, erasure requests, and portability requests, within the timeframes required by applicable law.
10. Retention and Deletion
ProofVault retains personal data processed on behalf of the Merchant for the duration of the Merchant's active subscription and for the following periods after subscription termination:
- Transaction evidence records: retained for 18 months following subscription termination to cover the maximum Visa dispute window (540 days), after which they are deleted or anonymised unless the Merchant has requested earlier deletion or extended retention is required by law.
- Account data: retained for 90 days following account closure, after which it is deleted.
- Backup data: may be retained in encrypted backups for up to 90 days beyond the deletion date of live data.
The Merchant may request earlier deletion of transaction evidence records by submitting a written request to privacy@proofvault.com, subject to any legal hold requirements.
11. Audits and Compliance Verification
Upon the Controller's written request (no more than once per calendar year absent a security incident), ProofVault will provide information sufficient to demonstrate compliance with this DPA, including responses to security questionnaires and, where applicable, provision of relevant certifications or audit summaries.
Where the Controller requires a more comprehensive audit, this may be conducted by a mutually agreed independent auditor, at the Controller's cost, subject to reasonable notice and confidentiality protections. ProofVault reserves the right to object to auditors who are competitors.
12. Term and Termination
This DPA is effective from the date the Merchant accepts the Terms of Service and remains in effect for as long as ProofVault processes personal data on behalf of the Merchant.
Upon termination of the main services agreement, ProofVault's processing obligations under this DPA continue until all personal data has been deleted or returned in accordance with the retention and deletion provisions above.
13. Governing Law
This DPA and any disputes arising in connection with it are governed by the law applicable to the main Terms of Service. Where the Merchant is established in the EU or UK, this DPA is interpreted in accordance with GDPR and UK GDPR requirements respectively, regardless of the governing law of the main agreement.
Data Protection Contact
For DPA enquiries, data subject rights requests, breach notifications, or to request a countersigned copy of this DPA, contact privacy@proofvault.com. See also our Privacy Policy.