Data Processing Agreement

1. General

Pursuant to the Technology Integration Agreement and the <Terms of Service> (“Agreement”), in which Pajily Labs, LLC, a company registered in St. Vincent and the Grenadines, having its registered office at Suite 305, Griffith Corporate Centre, Beachmont, Kingston, St. Vincent and the Grenadines, company ID 3748 LLC 2024 and/or any of its Affiliates (collectively referred to herein as “Pajily”) provide Pajily Service, where Pajily processes Personal Data on behalf of Merchant. Pajily and the Merchant collectively shall be referred to hereinafter as “Parties” and individually as “Party”.

This Data Processing Agreement (“DPA”) is entered into between Pajily and the Merchant. Pajily reserves the right to involve its Affiliates in the exercise of its rights and the fulfillment of its obligations under this DPA. As a result, the term "Pajily" used in this context may also encompass Affiliates and these Affiliates have been duly authorized by Pajily to provide and distribute the Pajily Services.

This DPA is additional to the terms in the Agreement and, to the extent that the terms in this DPA are in conflict with the terms of the Agreement, the terms in this DPA will take precedence and supersede the terms of the Agreement.

Capitalized terms shall have the meaning given to them above and otherwise shall have the meaning given to them in the Agreement.

2. Definitions

As used herein, the following terms shall have the following meanings:

“Agreement” shall have the meaning ascribed to it in the preamble of this Agreement;

“Affiliates” means, in respect of a Party, any entity that directly or indirectly Controls, is Controlled by, or is under common Control with, that Party from time to time.

“Control” means, in respect of a person, the holding, or controlling, in each case, directly or indirectly, of shares or any similar rights of ownership in that person bearing the majority of voting rights attaching to all the shares or other rights of ownership in that person or having the power to direct or cause the direction and management of the policies of that person whether as a result of the ownership of shares, control of the board of directors, contract or any power conferred by the articles of association or other constitutional documents of such person and “Controlling” and “Controlled” shall be construed accordingly.

“Data Controller” means the party who alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Privacy Laws” shall refer to all applicable laws, statutes, rules, regulations, orders, decisions, interpretations, opinions, industry self-regulatory principles and guidelines, and other requirements, whether promulgated by any applicable jurisdiction including, not by way of limitation, (i) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. ("CCPA"); (iv) the Controlling the Assault of Non-Solicited Pornography and Marketing Act ("CAN-SPAM"); (v) information security breach notification laws (such as Cal. Civ. Code §§ 1798.29, 1798.82 - 1798.84); (vi) laws imposing minimum information security requirements (such as Cal. Civ. Code § 1798.81.5); and (vii) any federal or national data protection laws made under, pursuant to, replacing or succeeding (i), (ii), (iii), (iv), (v), (vi) related or applicable to Personal Data processed by the Company; and successors of the foregoing, as they may be now or in the future promulgated, supplemented, revised or amended from time to time.

“Data Processor” means the party processing personal data on behalf of the Data Controller.

“Data Subject” shall refer to a Buyer of the Merchant whose Personal Data and/or Sensitive Personal Data is collected and processed.

“Government Authority” means any nation or government, any state or other political subdivision thereof, any entity exercising legislative, executive, judicial or administrative functions of or pertaining to government, including any government authority, agency, department, board, commission or instrumentality, and any court, tribunal or arbitrator(s) of competent jurisdiction, and any self-regulatory organization.

“Personal Data” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

“Personal Data Breach” shall refer to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data and/or Sensitive Personal Data transmitted, stored, or otherwise processed.

“Processing” shall refer to any operation or any set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

“Retention Period” shall have the meaning ascribed to it in Section 7.2 (e) of this DPA.

“Sensitive Personal Data” shall refer to Personal Data: (a) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (b) about an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (d) specifically established by an executive order or an act of Congress to be kept classified.

3. Authority to Process Personal Data

Pajily is acting solely as a Data Processor with respect to Personal Data. The Merchant is acting as the Data Controller with respect to Personal Data and shall have the exclusive authority to determine the purposes for and means of Processing Personal Data.

Pajily shall Process Personal Data (i) on behalf of the Merchant; (ii) as necessary to perform Pajily Services specified in the Agreement; and (iii) as otherwise permitted by the Data Protection Laws.

4. Coverage

4.1. This DPA shall cover the following categories of Personal Data of Data Subjects who purchase goods and/or services of the Merchants and pay for Merchant by using Pajily Service, provided that the Data Subjects whose Personal Data will be shared have provided their consent:

a. payment data, specifically, wallet address;

b. any Buyer’s data, including personally identifiable data, supplied by the Merchant to Pajily.

4.2. Any Personal Data and/or Sensitive Personal Data of the Data Subjects which is not listed under Section 3.1, but is required to be disclosed or transmitted to Pajily for the latter to fulfill its obligations under the Agreement, Pajily shall provide a written notice to the Merchant indicating its request, and the Merchant shall only disclose such Personal Data and/or Sensitive Personal Data upon prior written consent of the Data Subjects.

5. Duties and Obligations of the Parties

5.1. The Merchant shall share with, or otherwise transfer or transmit to Pajily the data described in Section 4 of this DPA.

The data collected, processed and shared pursuant to this DPA shall be processed, and shared exclusively for the purpose of the performance of the Pajily Services contemplated under the Agreement unless otherwise provided by applicable laws, rules, regulations, or relevant issuances by the Government Authority or any separate agreement with the Data Subject.

5.2. Pajily shall:

a. Unless otherwise provided by law, not disclose, trade, sell, or transfer any Personal Data to any person or entity without the written instructions of the Merchant;

b. Not use or process the Personal Data, except in connection with the purposes as provided under this DPA, and in the Agreement;

c. As applicable, allow Data Subjects to exercise their rights as provided under the Data Privacy Laws.

5.3. Whenever applicable, in performing its obligations under this DPA, each Party shall, at all times, comply with the provisions of the Data Privacy Laws and Government Authority issuances. Each Party, its officers, employees, agents, and representatives, shall, among others:

a. Process Personal Data only to such extent as may be required and necessary for each Party to perform its obligations under this DPA and as may be required by the Data Privacy Laws. For this DPA, the processing by each Party of the Personal Data shall include:

(i) transfer and sharing of the Personal Data to each Party’s subsidiaries, affiliates and third parties to enable either Party to perform its obligations under this DPA.

(ii) analysis and storage, and sharing to subsidiaries, affiliates and third-party vendors, of the Personal Data, in conjunction with the other information (e.g., transaction or payment history, or information from third-parties), to allow each Party to improve its products and services, and create, implement, or otherwise improve the existing security features and components of its existing and future products and services;

(iii) analysis and storage, and sharing to subsidiaries, affiliates and third-party vendors, of the Personal Data, in conjunction with the other information (e.g., transaction and/or payment history) to allow each Party to generate or create financial and allied information about Pajily for their benefit, which shall be made available to either Party and upon their written request to the other Party.

In all instances under sub-paragraphs (i), (ii), and (iii) above, each Party shall execute with its affiliate, subsidiary or third parties, appropriate agreements and/or contracts, when applicable, setting forth at the minimum the extent of the processing and the obligations of the subsidiaries, affiliates and third parties over the personal data shared or disclosed for processing pursuant to this Agreement.

(iv) use of Personal Data of the Data Subject to allow either Party to provide them with consumer protection benefits and privileges, including service updates of either Party and its subsidiaries and affiliates; and

(v) such other processing of Personal Data allowed under Data Privacy Laws.

b. Ensure that Data Subjects will be able to exercise their right to rectification, modification, or blocking of their Personal Data under the Data Privacy Laws;

c. Ensure that its personnel, agents, and representatives who are involved in the processing of Personal Data operate and hold Personal Data under strict confidentiality. This obligation shall continue even after their transfer to another position or upon termination of their employment or contractual relations;

d. In case of data breach, promptly notify the other Party from the time of discovery, to enable the other Party to notify the Government Authority, or appropriate supervisory authority, and the affected Data Subject within the period prescribed under the Data Privacy Laws, when Sensitive Personal Data that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the Merchant, Pajily, or the Government Authority believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected Data Subject.

5.4. To the extent applicable, each Party’s duties and obligations under the Agreement shall be observed during the subsistence of this DPA.

6. Representations and Warranties

6.1. Each Party represents and warrants that:

a. The Processing of the Personal Data under this DPA adheres to the principles of transparency, legitimate purpose, and proportionality.

b. It shall fully comply with the provisions of this DPA, the Agreement, the Data Privacy Laws and all other issuances of the Government Authority.

c. This DPA shall be made available for the review of the Government Authority in cases required under the Data Privacy Laws.

6.2. The Merchant represents and warrants that:

a. Prior to Processing Personal Data of the Data Subject, it shall secure the consent of the Data Subject with respect to the collection and further processing of the Personal Data and the sharing, storage, transfer, and transmission of the same in accordance with this DPA. It shall secure the Data Subject’s consent through written, electronic, or recorded means.

b. It has provided the following information to the Data Subjects prior to collection or sharing of the Personal Data:

(i) Identity of the third parties that will be given access to the Personal Data;

(ii) Purpose of the data Processing;

(iii) Categories of Personal Data concerned;

(iv) Intended recipients or categories of recipients of the Personal Data;

(v) Existence of the rights of the Data Subjects, including the right to access and to correct the Personal Data, and the right to object to data sharing or further processing;

(vi) If applicable, the automated processing of the Personal Data for profiling; and

(vii) Other information that would sufficiently notify the Data Subject of the nature and extent of data sharing and the manner of processing.

7. Security Measure

7.1. The Merchant, as the Data Controller, shall implement reasonable and appropriate physical, technical, and organizational measures for the protection of Personal Data. Security measures aim to maintain the availability, integrity, and confidentiality of Personal Data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination.

7.2. The Parties undertake to observe and implement the following reasonable and appropriate, physical, technical and organizational measures:

a. Personal Data stored by the Parties may be in digital/electronic format and paper-based/physical format.

b. All Personal Data collected, shared, and processed by the Parties shall be stored in secure facilities, whether virtual or physical. Papers or physical documents containing the Personal Data shall be stored in locked filing cabinets, access keys to which shall be entrusted to authorized personnel. Digital or electronic documents containing Personal Data shall be stored in computers, portable disks, and other devices, provided either the document or the device where it is stored is protected by password(s) or passcode(s).

c. Only authorized personnel may access the Personal Data shared by the Parties. Either Party shall ensure that any person acting under its authority, and who has access to the Personal Data collected under this DPA, processes the Personal Data exclusively for the purpose(s) identified in this DPA.

d. Access of Personal Data by all authorized personnel shall be monitored by the data protection officer/s of the Party concerned, in accordance with each Party’s own data protection policies.

e. The Parties shall retain the Personal Data collected, shared and processed for the term provided in Section 8 of this DPA, and until five (5) years from the date of transaction, or as long as may be necessary to accomplish the purpose of the Personal Data Processing (the “Retention Period”). After the Retention Period or when the Data Subject requests in writing that his/her Personal Data be destroyed, the Parties shall dispose of the Personal Data in their custody, in accordance with their respective data protection policies.

f. In the Processing of the Personal Data collected and shared under this DPA, the Parties commit to observe the most appropriate security measures, whether physical, technical, or organizational, according to the requirements of the Data Privacy Laws.

8. Personal Data Breach

8.1. To the extent applicable, a Personal Data Breach shall be handled in accordance with each Party’s own data protection policies, the Data Privacy Laws and prevailing Government Authority issuances.

The notification shall describe the nature of the breach, the Personal Data and/or Sensitive Personal Data possibly involved, the list of Data Subjects involved, the possible risks, harm, or damage to the Data Subjects, and the measures taken by Pajily to address the breach. The notification shall also state whether Pajily shall need to notify the Government Authority and the Data Subjects of the breach and shall attach a draft of the notification for the Merchant’s comment and/or approval.

8.2. In the event of a Personal Data Breach involving Personal Data while the same is being processed by or is in control of Pajily, Pajily shall notify the Merchant in writing within twenty-four (24) hours upon knowledge of, or when there is reasonable belief by Pajily that a Personal Data Breach has occurred.

9. Term

This DPA shall take effect during the commencement of the Agreement and shall survive as long as the Agreement is in force. This DPA shall cease to have effect and be terminated in the event the Agreement is terminated or ceases to be in force, whichever is earlier.

10. Destruction and Disposal of the Shared Data

Upon the termination of this DPA, or upon the Merchant’s request, Pajily shall promptly destroy, dispose, or surrender to the Merchant, as applicable, the Personal Data and any other property, information, documents containing the Personal Data and/or copies thereof in Pajily’s possession, custody, or control.

11. Indemnity and Liability

Each Party shall indemnify, defend and/or settle, and hold harmless the other Party, its directors, officers, employees, agents, and representatives, from and against any and all actual, reasonable, and documented assessments, claims, demands or suits, liabilities, damages, and obligations (including, without limitation, reasonable attorneys’ fees) resulting from or arising out of any breach by the Party of its obligations, duties, representations, or warranties under this DPA; provided, however that the indemnity in this Section shall not apply to any loss, claim, damage, or liability caused by the negligence or willful misconduct of each Party.

12. Rights of the Data Subject

12.1. The Merchant shall ensure that the following rights of the Data Subjects are upheld:

a. Availability of the DPA

A copy of this DPA may be accessed by a Data Subject through email upon written request, provided that the Parties have a right to prevent the disclosure of any detail or information that could endanger the Security Measures set out in Section 6 of this DPA or expose to harm the integrity, availability, or confidentiality of Personal Data under its control or custody.

b. Access to Information

Upon the request of a Data Subject, the Merchant may release to the requesting Data Subject the following information with respect to his/her Personal Data:

(i) Contents of his/her Personal Data that were processed;

(ii) Sources from which his/her Personal Data were obtained;

(iii) Names and addresses of the recipients of his/her Personal Data;

(iv) Manner by which his/her Personal Data was processed;

(v) Reasons for the disclosure of his/her Personal Data to recipients, if any;

(vi) Date when his/her Personal Data was last accessed or modified.

c. Correction of Personal Data

The Merchant may provide to the Data Subject the means and methods whereby the Data Subject may order the blocking, removal, or destruction of his/her Personal Data.

e. Remedies

The Merchant may provide to the Data Subject the means and methods whereby the Data Subject may report any security breach or violation of his rights with respect to the Processing of his/her Personal Data, as well as the procedures whereby such reports are timely and adequately addressed.

12.2. Pajily shall reasonably assist to provide information, correct data, or delete data within their control if instructed by the Merchant pursuant to a request from a Data Subject. Pajily shall also refer any requests from Data Subjects relating to its rights under Section 12.1 above to the Merchant within twenty-four (24) hours of receipt of such requests.

13. Contact

Pajily's data protection officers as identified herein (or their successors) shall be responsible for addressing any information request or any complaint filed by a Data Subject, and/or any investigation by the Government Authority:

Pajily Labs, LLC

Attention: Legal Team – Pajily Labs, LLC.

Address: Suite 305, Griffith Corporate Centre, Beachmont, Kingston, St. Vincent and the Grenadines

Email Address: legal@pajily.com

14. Amendments

This Agreement cannot be modified, amended, or changed except in writing and signed by the Parties.

15. Severability

In case any one or more of the provisions contained in this DPA shall be invalid, illegal, or unenforceable in any respect, the validity, legality, or enforceability of the remaining provisions herein and therein shall not in any way be affected or impaired hereby.

16. Assignment

Neither the rights nor the obligations of either party may be assigned or delegated in whole or in part without the prior written consent of the other party unless otherwise expressly permitted under the DPA. Any delegation without written permission shall be null and void and of no effect unless otherwise expressly permitted under the DPA.

17. Governing Law and Jurisdiction

This DPA shall be governed and interpreted in accordance with the laws of Singapore. Subject to Pajily’s right to seek injunctive or other equitable relief in any court of competent jurisdiction, any dispute, controversy or claim arising out of or relating to this DPA, including its formation, interpretation, breach or termination, including whether the claims asserted are arbitrable, will be referred to and finally determined by arbitration in accordance with the rules of the Singapore International Arbitration Centre (the “SIAC Rules”) in effect at the time of the commencement of the arbitration. Unless otherwise agreed by the Parties, the tribunal will consist of one (1) arbitrator, to be appointed in accordance with the SIAC Rules. The seat of the arbitration will be Singapore. The language to be used in the arbitral proceedings will be English. Judgment upon the award rendered by the arbitrators may be entered by any court having competent jurisdiction. In any action or proceeding to enforce rights under this DPA, the prevailing party will be entitled to recover costs and attorney’s fees. The Parties shall treat all matters related to the arbitration, including the award, as strictly confidential.
