Data Processing Agreement

Last updated: December 2024

This Data Processing Agreement ("DPA") forms part of the agreement between Ezify ("Processor," "we," or "us") and the customer ("Controller" or "you") for the provision of Ezify's services. This DPA applies when we process personal data on your behalf.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Protection Laws" means all applicable laws relating to data protection, including GDPR, CCPA, and other relevant regulations.

2. Scope and Roles

When you use our Services to process Personal Data, you act as the Controller (determining the purposes and means of processing), and we act as the Processor (processing data on your behalf according to your instructions).

The types of Personal Data processed and categories of Data Subjects are determined by your use of the Services and may include:

  • End-user identifiers (device IDs, user IDs, IP addresses)
  • Behavioral data (events, interactions, transactions)
  • Attribution data (ad interactions, campaign data)

3. Processing Instructions

We will process Personal Data only:

  • According to your documented instructions
  • As necessary to provide the Services
  • As required by applicable law (we will inform you unless prohibited)

If we believe an instruction violates Data Protection Laws, we will promptly notify you.

4. Security Measures

We implement appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication, least privilege principle
  • Infrastructure Security: Firewalls, intrusion detection, regular security assessments
  • Employee Training: Regular data protection and security training
  • Incident Response: Documented procedures for security incident handling
  • Business Continuity: Regular backups and disaster recovery procedures

5. Sub-processors

You authorize us to engage Sub-processors to assist in providing the Services. We maintain a list of current Sub-processors, which includes:

  • Cloud infrastructure providers (hosting and storage)
  • Analytics and monitoring services
  • Customer support tools

Before engaging a new Sub-processor, we will:

  • Notify you with reasonable advance notice
  • Ensure the Sub-processor is bound by data protection obligations no less protective than this DPA
  • Remain liable for the Sub-processor's compliance

You may object to a new Sub-processor within 14 days of notification. If we cannot accommodate your objection, you may terminate the affected Services.

6. Data Subject Rights

We will assist you in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Access to their Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

If we receive a request directly from a Data Subject, we will redirect them to you unless legally required to respond directly.

7. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (and within 48 hours where feasible)
  • Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects
  • Describe likely consequences and measures taken or proposed to address the breach
  • Cooperate with your investigation and any required notifications to authorities or Data Subjects

8. International Data Transfers

When Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms for data transfers
  • Adequacy Decisions: Transfers to countries with adequate data protection as determined by the European Commission
  • Supplementary Measures: Additional technical and organizational safeguards where required

9. Audits and Compliance

Upon reasonable request (no more than once per year), we will provide information necessary to demonstrate compliance with this DPA. This may include:

  • Completion of security questionnaires
  • Provision of audit reports (SOC 2, ISO 27001, or equivalent)
  • Documentation of security measures

On-site audits may be conducted with reasonable advance notice, during business hours, and subject to confidentiality obligations.

10. Data Retention and Deletion

We will retain Personal Data only for as long as necessary to provide the Services or as required by law. Upon termination of Services:

  • You may request export of your data within 30 days
  • We will delete Personal Data within 90 days unless retention is required by law
  • We will provide certification of deletion upon request

11. Confidentiality

We ensure that personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate training on data protection requirements.

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the main Services agreement. We are liable for damages caused by processing that violates this DPA or Data Protection Laws.

13. Term and Termination

This DPA remains in effect for the duration of the Services agreement. Obligations relating to data deletion, confidentiality, and cooperation survive termination.

14. Contact

For questions about this DPA or to exercise your rights, please contact: