DATA PROCESSING AGREEMENT

This data processing agreement ("DPA") is entered into between Merchant Management Solutions PTE. LTD, 251 Little Falls Dr, Wilmington, New Castle County, Delaware 19808 ("Processor" or "Momos") and the customer named in the Software as a Service Agreement on the provision of Momos’ services (hereinafter: "Controller" or "Customer"), each also referred to as a "Party" and collectively as the "Parties".

PREAMBLE

The Parties have concluded a Software as a Service Agreement regarding the Processor’s provision of his services that entail the Controller’s use of the Processor’s software and services ("Main Agreement"). In the course of rendering these services as per the Main Agreement ("Services"), it is necessary that the Processor processes personal data for which the Controller is responsible as per the applicable data protection laws ("Applicable Data Protection Laws"). In order to meet the requirements of Applicable Data Protection Laws, the Parties conclude the following DPA:

1. DEFINITIONS

For the purposes of this DPA, and unless otherwise indicated by the context, the terms used shall have the meanings given to them as per Applicable Data Protection Laws. Key terms of this DPA are defined below:

● “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

● ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

● ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

● ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

2. SCOPE / TERM

2.1 This DPA applies to the processing of all personal data (hereinafter also referred to as "data") which are processed by the Processor on behalf of the Controller. The scope, nature, purpose and further description of the processing are determined by the Main Agreement and are set out in Annex 1 (“Description of Data Processing”) to this DPA.

2.2 Unless otherwise stipulated in this DPA, the term and termination of this DPA shall be governed by the term and termination provisions of the Main Agreement. A termination of the Main Agreement automatically results in a termination of this DPA. An isolated termination of this DPA is excluded.

2.3 Unless otherwise specified in this DPA, all definitions provided in the Main Agreement shall apply to this DPA.

3. RESPONSIBILITY AND AUTHORITY TO ISSUE INSTRUCTIONS / PROTECTIVE MEASURES OF THE PROCESSOR

3.1 The Parties shall be responsible for compliance with the provisions of Applicable Data Protection Laws. The Controller may at any time instruct the Processor to release, correct, adapt, delete and restrict the data processed under this DPA.

3.2 The Processor shall process the data on behalf and in accordance with the instructions of the Controller as per Applicable Data Protection Laws. The Controller remains the controller in terms of Applicable Data Protection Laws.

3.3 In order to ensure the protection of the rights of the data subjects, the Processor shall provide appropriate support to the Controller, in particular, by ensuring appropriate technical and organizational measures (see Section 6). In the event a data subject contacts the Processor directly to act according to such data subject’s right, the Processor shall without undue delay forward that request to the Controller

3.4 In the event the Processor considers an instruction as a violation of Applicable Data Protection Laws the Processor shall inform the Controller without undue delay. The Processor shall be entitled to suspend the execution of the relevant instruction until such instruction is confirmed or amended by the Controller

3.5 The Processor may only process data in accordance with the Controller's instructions, unless the Processor is obliged to process data differently under the law of the Union or the Member State to which the Processor is subject (e.g. investigations by law enforcement or state security authorities); in such a case, the Processor must inform the Controller of these legal requirements prior to processing, unless the law in question prohibits such information for reasons of important public interest. The Controller's instructions are in principle conclusively regulated and documented in the provisions of this DPA. Individual instructions that deviate from the provisions of this DPA or impose additional requirements require the consent of the Processor and must be documented. Any additional costs incurred by the Processor as a result shall be borne by the Controller.

3.6 Changes to the object of processing shall be jointly agreed and documented. The Processor shall not use the data for any other purpose and shall, in particular, not be entitled to disclose such data to third parties. The Processor shall not be entitled to copy or duplicate any data without the knowledge of the Controller.

3.7 The Controller shall be responsible for his records of processing activities as per Applicable Data Protection Laws. At the request of the Controller, the Processor shall provide the Controller with information for such records of processing activities. The Processor shall keep records of all categories of processing activities carried out on behalf of the Controller in accordance with Applicable Data Protection Laws.

3.8 The Processor is obligated to inform the natural persons under his authority who have access to the data about the duty of confidentiality and ensures that they process the data only within the scope of the Controller's instructions.

4. CONTROLLER’S LEGAL OBLIGATIONS

4.1 The Controller is solely responsible for the permissibility of the processing of the data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of data in accordance with this DPA, the Controller shall indemnify the Processor from all such claims upon first request.

4.2 The Controller is responsible to provide the Processor with data in time for the rendering of Services according to the Main Agreement and he is responsible for the quality of the data. The Controller shall inform the Processor immediately and completely if during the examination of the Processor’s results he finds errors or irregularities with regard to Applicable Data Protection Laws or his instructions

4.3 On request, the Controller shall provide the Processor with the information required to record the processing activities as per Applicable Data Protection Laws, insofar as it is not available to the Processor himself.

4.4 If the Processor is required to provide information to a governmental body or person when processing data or to cooperate with these bodies in any other way, the Controller is obliged at first request to assist the Processor in providing such information and in fulfilling other cooperation obligations.

5. PROCESSOR’S LEGAL OBLIGATIONS

5.1 The Processor shall ensure that the persons authorized to process the data are bound by confidentiality or are subject to an appropriate legal obligation of secrecy and shall provide evidence thereof to the Controller upon his request.

5.2 The Parties shall support each other in proving and documenting their accountability with regard to the principles relating to data processing as per Applicable Data Protection Laws, including the implementation of the necessary technical and organizational measures. If required, the Processor shall provide the Controller with the relevant information.

5.3 To the extent required by Applicable Data Protection Laws, the Processor shall appoint a data protection officer who shall carry out his/her activities in accordance with Applicable Data Protection Laws. The contact details of the data protection officer shall be provided to the Controller for the purpose of direct contact.

5.4 The Processor shall inform the Controller without undue delay of any audits and measures taken by the supervisory authorities or if a supervisory authority requests, investigates or otherwise makes enquiries to the Processor.

6. TECHNICAL AND ORGANIZATIONAL MEASURES

6.1 The Parties agree on the specific technical and organizational security measures set out in Annex 3 (“Technical and organizational measures”) to this DPA. Annex 3 forms an integral part of this DPA.

6.2 Technical and organizational measures are subject to technical progress. In this respect, the Processor shall be permitted to implement alternative but adequate measures according to the provisions of Applicable Data Protection Laws and this DPA. Significant changes to such measures shall be documented.

6.3 At the request of the Controller, the Processor shall demonstrate compliance with the technical and organizational measures specified in Annex 3 to the Controller by providing suitable evidence in accordance with the requirements.

7. CONTROL RIGHTS

7.1 The Controller shall be entitled to regularly verify compliance with the provisions of this DPA – in particular with regard to the implementation and effectiveness of the technical and organizational measures pursuant to Annex 3. For this purpose, the Controller may request information from the Processor, review existing expert opinions, certifications, or the results of internal audits, or inspect the implemented technical and organizational measures during normal business hours.

7.2 The Controller shall inform the Processor in good time (generally two weeks in advance) of all circumstances associated with the performance of the audit. The Controller shall conduct audits only to the extent necessary (generally one audit per calendar year) and with due consideration for the Processor’s business operations. The Parties shall coordinate in advance regarding the timing and manner of the audit.

7.3 If the Controller commissions a third party to carry out the audit, the Controller shall obligate the third party in writing the same way as the Controller is obliged to the Processor according to this Section 7 of this DPA. In addition, the Controller shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Processor, the Controller shall immediately submit to him the commitment agreements with the third party. The Controller may not commission any of the Processor’s direct competitors to carry out the audit.

7.4 The Controller shall document the results of any audit and share the report with the Processor. If errors or irregularities are identified during the audit, the Controller shall notify the Processor without undue delay. Where the audit reveals circumstances requiring adjustments to existing procedures in order to prevent recurrence, the Controller shall inform the Processor of the necessary procedural changes without undue delay.

8. NOTIFICATION OBLIGATIONS OF THE PROCESSOR

The Processor shall without undue delay inform the Controller in the event of serious disruption of his operations, suspected breaches and breaches of this DPA and of Applicable Data Protection Laws or other irregularities in the processing of the Controller’s data. This applies, in particular, to the obligation to report data breaches to relevant authorities and affected data subjects as required by Applicable Data Protection Laws. The Processor shall provide appropriate support to the Controller in fulfilling his data breach notification duties as per Applicable Data Protection Laws. The Processor may only carry out notifications related to data breaches for the Controller after receiving prior instructions in accordance with Section 3 of this DPA.

9. ERASURE AND RETURN OF DATA

9.1 Upon termination of the Main Agreement or at the request of the Controller, the Processor shall, without undue delay, return to the Controller all documents, data, and data carriers provided to him, or – where no statutory retention obligations exist – fully and irrevocably delete them at the Controller’s request. This obligation also applies to all copies of the data, including backup copies.

9.2 The Processor may store documentation that serves as evidence of data processing in accordance with this DPA and applicable laws. For such retained data, the obligations set out in Section 9.1 shall apply accordingly after the expiry of any applicable retention periods.

9.3 Upon request, the Processor shall confirm the complete deletion of the data to the Controller in writing.

9.4 Any right of retention is excluded.

10. SUB-PROCESSORS

10.1 The current sub-processors engaged for the performance of this DPA and agreed between the Parties are specified in detail in Annex 2 (“List of Sub-Processors”).

10.2 If the Processor intends to subcontract further sub-processors for the processing of data, the Processor shall inform the Controller of the intended change or replacement of sub-processors. In individual cases, the Controller may object to such changes within 14 days after the respective notification. If this notification period expires without objection from the Controller, the proposed sub-processor shall be deemed approved. Should the Controller raise a justified objection to the new sub-processor within the notification period, the Parties shall cooperate in good faith to find an alternative solution. If no mutually acceptable alternative is confirmed by the Controller, the Processor shall have the right to terminate the Main Agreement and this DPA without notice, if the Services cannot be performed without the engagement of the new sub-processor.

10.3 For the purpose of this provision, sub-processing services are not considered to be services that the Processor purchases from third parties as ancillary services in support of the performance under this DPA, for example telecommunications services.

10.4 If sub-processors are engaged by the Processor, the Processor shall ensure that his contractual agreements with the sub-processor comply with the level of data protection equivalent to that agreed between the Controller and the Processor and that all contractual and legal requirements are complied with; this shall apply, in particular, with regard to the use of appropriate technical and organizational measures to ensure an adequate level of security of the data processing.

11. LIABILITY

11.1 The Processor’s liability under this DPA shall be governed by the disclaimers and limitations of the liability provided for in the Main Agreement. As far as third parties assert claims against the Processor which are caused by the Controller’s culpable breach of this DPA or one of his obligations as the controller in terms of Applicable Data Protection Laws, the Controller shall upon first request indemnify and hold the Processor harmless from these claims.

11.2 The Processor shall also be liable to the Controller for any breaches by engaged sub-processors.

11.3 The Controller undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Controller’s part of responsibility for the infringement sanctioned by the fine.

12. FINAL PROVISIONS

12.1 In the event of any inconsistency, the provisions of this DPA shall prevail over those of the Main Agreement.

12.2 Should any provisions of this DPA be invalid or unenforceable, the validity of the remaining provisions shall not be affected.

ANNEX 1: DESCRIPTION OF DATA PROCESSING

Nature and purpose of processing	The Processor will process data in order to provide the Services in accordance with the Main Agreement and this DPA. The Processor shall only process data for the following purposes: (i) processing to perform its obligations under the Main Agreement; and (ii) processing to comply with any other reasonable instructions provided by Controller that are consistent with the terms of the Main Agreement.
Type of data processing	Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Categories of personal data	Customer contact information to send post-order surveys: Email Phone Number Customer details saved in Processor’s “Customer Data Platform” for segmentation and analytics: Customer Name Customer Email Customer Phone Number
Data subjects	End-customers of the Controller
Frequency and duration of data processing	The frequency of the processing activities is continuous. The Processor will process the data until the expiration or termination of the Main Agreement in accordance with its terms.
Criteria used to determine the period for which the personal data will be retained	The retention period criteria are described in Section 9 of this DPA.
Transfers to Sub-processors	The Processor will transfer data to sub-processors as permitted in Section 10 of this DPA.

ANNEX 2: LIST OF SUB-PROCESSORS

The Controller has authorized the use of the following sub-processors:

Provider	Name, Address	Purpose and Description of Data Processing	Location of data processing
Amazon Web Services	Amazon Web Services, Inc. 410 Terry Avenue North, Seattle, WA 98109-5210, USA	Cloud hosting provider	USA
Auth0	Auth0, LLC 100 First Street, Floor 6 San Francisco, CA 94105, San Francisco, CA 94107, USA	Identity and Authentication Provider	USA
Mixpanel	Mixpanel Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA	Product Analytics for Application	USA
Github	GitHub Inc, 88 Colin P Kelly Jr. Street, San Francisco, California, 94107, USA	Version Control Management	USA
Databricks	Databricks Inc., San Francisco, 160 Spear St 15th Floor, USA	Data Lake Analytics Platform Provider	USA
Datadog	Datadog, Inc., 620 8th Avenue, Floor 45, New York, NY 10018, USA	Application Log Management	USA
OpenAI	OpenAI, Inc. 3180 18th Street, San Francisco, California, USA	Foundational Model Provider	USA
Twilio	Twilio Inc., 101 Spear Street, Fifth Floor, San Francisco, USA	SMS Sender Service	USA
Sendgrid	SendGrid, Inc., 801 California Street, Suite 500, Denver, CO 80202, USA	Email Sender Service	USA
Google Cloud Platform	Google LLC, 1600 Amphitheatre Pkwy Mountain View, CA 94043, USA	Push Notification Cloud Messaging Provider and Github Runner Compute Provider	USA
Drata	Drata Inc., 4660 La Jolla Village Drive, San Diego, California, USA	Compliance Management Platform	USA

ANNEX 3: TECHNICAL AND ORGANIZATIONAL MEASURES

Description of the technical and organizational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

● Non-public data stored is encrypted both at rest and in transit using industry-standard encryption algorithms such as AES (Advanced Encryption Standard) with a minimum key

● Encryption keys are protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use.

● Encryption and/or access keys are rotated periodically according to industry accepted best practices

● Encryption keys for data at rest are stored securely and independently from the encrypted data.

● Multi-factor authentication (MFA) is enforced for accessing encryption key management systems.

● Laptops and other hardware equipment which store sensitive information have full disk encryption enabled.

● Momos changes encryption keys as soon as reasonably practicable if the key becomes compromised or is discovered by an unauthorized person or party

● Data is handled and protected according to its classification requirements and following approved encryption standards, if applicable.

● Whenever possible, Momos stores data of the same classification in a given data repository and avoids mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, are applied according to the highest classification of data in a given repository.

● Production Systems disable services that are not required to achieve the business purpose or function of the system.

● Production Systems has security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

● Customer data is logically separated at the database/datastore level using a unique identifier. Separation is enforced based on this unique identifier to prevent one customer from accessing another customer’s data.

● Confidentiality or non-disclosure agreements (NDA’s) are in place prior to sharing non-public company information to external parties.

● Data will only be transferred where strictly necessary and only to parties who are authorized to have access to the data.

● Confidential and sensitive data is not allowed to be sent over electronic end-user messaging channels such as email or chat unless encryption is enabled.

● Messages are protected from unauthorized access, modification, or denial of service commensurate with the classification scheme adopted by Momos.

● Momos production data is replicated across data centers for redundancy and disaster recovery.

● Confidential data is stored in a manner that supports user access logs and automated monitoring for potential suspicious activity.

● In the event of a system failure or suspicious activity, notifications are enabled for key personnel to take appropriate corrective action.