Data Processing Addendum (DPA)

AGREED TERMS

1. 1. Definitions and Interpretation
   1. Definitions:
      1. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing: These terms have the meanings ascribed to them in the applicable data protection laws of the United States, including but not limited to the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), and other relevant federal and state regulations governing data protection and privacy.
      2. Data Protection Legislation: Refers to all laws, regulations, and statutes governing data protection and privacy in the United States, including but not limited to the CCPA, the Health Insurance Portability and Accountability Act (HIPAA), the Children's Online Privacy Protection Act (COPPA), and other relevant federal and state regulations.
      3. CCPA: The California Consumer Privacy Act, which regulates the collection, use, and protection of personal information of California residents.
      4. Special Categories of Personal Data: Refers to sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health information, or information related to an individual's sexual orientation or gender identity.
   2. Interpretation:
      1. Any reference to be written includes electronic communication such as email, consistent with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and other applicable laws.
      2. In the event of any conflict or ambiguity between the provisions of this DPA and the Terms of Service or Privacy Policy of Dafinchi, the provisions of this DPA shall prevail.
2. 2. Personal Data Types and Processing Purposes
   1. Agreement and Acknowledgment:
      1. Controller and Processor Relationship:We acknowledge that Dafinchi acts as the Processor and you, the user, act as the Controller of the Customer Data as defined under the applicable data protection laws of the United States.
      2. Retention of Control:You retain control over the Customer Data and are responsible for ensuring its compliance with the relevant data protection laws, including providing written processing instructions to Dafinchi.
      3. Purpose of Processing:The primary purpose of processing Customer Data is to facilitate the provision of Dafinchi's financial insights platform and associated services to you, the user, in accordance with the Terms of Service and this Data Processing Addendum (DPA).
      4. Duration of Processing:Dafinchi shall process Customer Data only for the duration of your use of the Dafinchi platform and services, unless otherwise specified in the Terms of Service, Privacy Policy, or required by applicable professional or legal obligations.
      5. Nature and Purpose of Processing:
         1. Providing Financial Insights: Dafinchi processes Customer Data to deliver its financial insights platform and associated services to users.
         2. Performance of Obligations:Dafinchi may process Customer Data to fulfill its obligations under the Terms of Service or other agreements with users, including resolving technical issues or providing support.
         3. Compliance and Legal Requirements: Dafinchi may process Customer Data to comply with applicable laws and regulations, including responding to legal requests or court orders.
         4. Data Anonymization: Dafinchi may render Customer Data fully anonymous in accordance with recognized standards under data protection laws.
         5. Third-Party Integration: Dafinchi may share Customer Data with third-party service providers as instructed by users or as necessary for the integration of third-party services with the Dafinchi platform.
      6. Data Subjects and Categories:Dafinchi may share Customer Data with third-party service providers as instructed by users or as necessary for the integration of third-party services with the Dafinchi platform.
   2. Special Categories of Personal Data: You agree not to use the Dafinchi platform to process Special Categories of Personal Data unless expressly permitted by Dafinchi and subject to additional agreements as may be required.
3. 3. Our obligations
   1. Processing of Customer Data:
      1. Dafinchi will process Customer Data solely for the purposes outlined in this Data Processing Addendum (DPA), including providing financial insights services to users. Processing will be carried out in accordance with your written instructions and the terms specified in the DPA and the applicable data protection laws of the United States.
      2. Dafinchi will promptly notify you if it believes that any instructions provided by you for processing Customer Data may infringe upon data protection legislation, allowing for timely resolution and compliance.
   2. Confidentiality and Disclosure: Dafinchi will maintain the confidentiality of Customer Data and will not disclose it to third parties unless explicitly authorized by you or required by applicable law, court order, or regulatory authority. In cases where disclosure is necessary, Dafinchi will inform you unless legally prohibited.
   3. Assistance with Compliance: Dafinchi will provide reasonable assistance, at no additional cost, to help you meet your compliance obligations under the Data Protection Legislation. This may include facilitating Data Subject rights requests, conducting data protection impact assessments, and cooperating with regulatory authorities as required.
   4. Confidentiality Obligations: All employees and advisors of Dafinchi involved in the processing of Customer Data will be bound by strict confidentiality obligations, whether statutory or contractual, to ensure the protection of Customer Data.
   5. Technical and Organizational Measures: Dafinchi will implement appropriate technical and organizational measures to safeguard Customer Data against accidental, unauthorized, or unlawful processing, access, copying, modification, reproduction, display, distribution, loss, destruction, alteration, disclosure, or damage.
4. 4. Personal data breach
   1. Notification of Breach: Dafinchi will promptly notify you in writing if it becomes aware of a Personal Data Breach, without undue delay. This notification will include:
      1. A detailed description of the nature of the breach, specifying the categories of Customer Data affected and an approximate number of affected Data Subjects and Customer Data records.
      2. Assessment of the likely consequences of the breach.
      3. Description of measures taken or proposed to address the breach, including steps to mitigate its adverse effects.
   2. Confidentiality of Breach Information: Dafinchi will not disclose any information regarding a Personal Data Breach to any third party without obtaining your prior written consent, except where such disclosure is required by applicable law.
5. 5. Cross-border Transfers of Personal Data
   1. Transfer Restrictions: Your personal information may be processed, stored, and transferred to foreign countries that may have different privacy laws compared to those in the US. These laws may not provide the same level of comprehensive protection as US law. Consequently, governmental, judicial, law enforcement, or regulatory authorities in these foreign countries may have access to your personal information under their respective legal frameworks. If you have any concerns or require further information regarding our policies concerning service providers located outside of the US, you are encouraged to contact us. Dafinchi and any sub processors will not transfer or process Customer Data outside the United States without obtaining your explicit consent.
   2. Sub processors Authorization: You authorize Dafinchi to transfer Customer Data to any sub processors listed in Section 6 of this agreement. (if any)
6. 6. Subprocessors (if any)
   1. Authorized Subprocessors:Dafinchi is authorized to transfer Customer Data to the following subprocessors:

      Name	Location	Appropriate safeguards
      [Subprocessor Name]	[Location of Subprocessor]	[Details of Safeguards]

   2. Objection Process:
      1. You will be provided with an opportunity to object to the appointment of each new subprocessor within seven days of being notified.
      2. If you object to a new subprocessor, you must provide written reasons for your objection within the specified timeframe.
      3. Failure to object within seven days will be considered acceptance of the new subprocessor.
      4. If you object to a new subprocessor and it is deemed necessary for the provision of certain elements of Dafinchi's services, you may terminate the Agreement and this DPA by providing written notice. However, outstanding amounts under the Agreement must be settled before termination.
      5. Dafinchi remains fully liable for the performance of any subprocessor in connection with this DPA.
7. 7. Complaints, Data Subject Requests and Third-Party Rights
   1. Technical and Organizational Measures:
      1. Dafinchi will implement appropriate technical and organizational measures to provide necessary information and assistance to enable compliance with the rights of Data Subjects under Data Protection Legislation.
      2. This includes subject access rights, rights to rectify, port, and erase personal data, as well as the right to object to the processing of personal data.
   2. Notification of Complaints and Data Subject Requests:
      1. Dafinchi will notify you without undue delay in writing upon receipt of a complaint, notice, or communication related to the processing of Customer Data or compliance with Data Protection Legislation.
      2. Similarly, Dafinchi will promptly notify you if a Data Subject requests access to their Customer Data or exercises any other rights under Data Protection Legislation.
   3. Cooperation and Assistance: Dafinchi will cooperate with you and provide assistance in responding to any complaints, notices, communications, or Data Subject requests received.
8. 8. Data Return and Destruction
   1. Data Return:
      1. Upon your written request, Dafinchi will provide you or a third-party nominated by you, with a copy of or access to all or part of the Customer Data held by Dafinchi under this Data Processing Addendum (DPA).
      2. This provision ensures that you have the ability to access and retrieve your Customer Data as needed.
   2. Data Destruction on Termination or Expiry:
      1. In the event of termination or expiry of the agreement between you and Dafinchi, Dafinchi will securely delete, destroy, or return, as directed by you in writing, all or any part of the Customer Data related to the agreement.
      2. Dafinchi will retain only one copy of the Customer Data for legal purposes, in accordance with its retention policies.
9. 9. Records and Audits
   1. Maintenance of Records:
      1. Dafinchi will maintain detailed, accurate, and up-to-date written records concerning the processing of Customer Data. These records will include information such as access logs, control mechanisms, security measures, subcontractors involved, processing purposes, categories of processing, and descriptions of technical and organizational security measures implemented.
      2. This ensures transparency and accountability in the processing of Customer Data, allowing for effective monitoring and oversight.
   2. Compliance Checks:
      1. You will have the opportunity to periodically verify Dafinchi' compliance with this Data Processing Addendum (DPA) and applicable Data Protection Legislation.
      2. These compliance checks may be conducted either by you directly or by an auditor appointed by you.
      3. The checks will involve Dafinchi responding to questions posed by you about its compliance with Data Protection Legislation. These checks will be limited to once a year.
      4. Please note that due to Dafinchi's duty of confidentiality towards other users, neither you nor your auditor will have access to Dafinchi's IT systems or infrastructure.