CrossClassify Data Processing Agreement (DPA)
Effective Date: September 2024
This Data Processing Agreement (DPA) is an integral part of the contractual relationship between CrossClassify and our clients (the "Controller"). It governs the processing of personal data by CrossClassify (the "Processor") on behalf of our clients in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
• Controller: The entity (client) that determines the purposes and means of processing personal data.
• Processor: CrossClassify, which processes personal data on behalf of the Controller.
• Data Subject: An individual whose personal data is being processed.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, including collection, storage, use, and transfer.
2. Subject Matter and Duration of Processing
• Subject Matter: CrossClassify provides fraud prevention services that involve the processing of personal data on behalf of the Controller.
• Duration: This DPA remains in effect for the duration of the service contract between CrossClassify and the Controller unless otherwise terminated as specified in the agreement.
3. Nature and Purpose of Processing
• Fraud detection and prevention
• Data analysis to improve security measures
• Enhancing the performance of the fraud detection platform
4. Categories of Data
• Identification data (e.g., name, email address, phone number)
• Account data (e.g., usernames, passwords)
• Transaction data (e.g., payment details, transaction history)
• Behavioral data (e.g., IP address, device information, usage patterns)
• Location data (e.g., geolocation information, where applicable)
5. Data Subject Rights
• The right to access their personal data.
• The right to rectify or erase data.
• The right to restrict or object to processing.
• The right to data portability.
6. Subprocessors
CrossClassify may engage third-party subprocessors to assist in providing services. We ensure that all subprocessors are bound by similar data protection obligations as outlined in this DPA. A list of subprocessors is available upon request.
The Controller will be informed of any changes to the list of subprocessors, and the Controller has the right to object to such changes.
7. Confidentiality and Security Measures
• Encryption of personal data during transmission and at rest
• Access controls ensuring that only authorized personnel have access to personal data
• Regular audits and assessments to ensure compliance with security protocols
• All employees and personnel involved in data processing are subject to strict confidentiality obligations.
8. Data Breach Notification
• Notify the Controller without undue delay after becoming aware of the breach
• Provide details of the nature of the breach, the affected data, and any steps taken to mitigate the breach
• Cooperate with the Controller in addressing the breach, including assisting with notifications to regulatory authorities or data subjects as required by law
9. Data Transfers
If personal data is transferred outside the European Economic Area (EEA), CrossClassify ensures that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other legally recognized mechanisms.
10. Data Retention and Deletion
Upon termination of the service agreement, CrossClassify will retain personal data only for as long as necessary for the agreed-upon purposes or as required by law.
At the Controller's request, CrossClassify will return or delete all personal data processed on behalf of the Controller, unless retention is required by applicable law.
11. Liability and Indemnification
Both the Controller and the Processor shall be liable for breaches of data protection regulations in accordance with applicable laws. The Controller agrees to indemnify CrossClassify against any claims arising from the Controller’s failure to comply with applicable data protection regulations.
12. Amendments
This DPA may be modified or amended with the mutual agreement of both parties. Any updates or amendments to the DPA will be communicated in writing.
13. Governing Law and Jurisdiction
This DPA is governed by the laws of the jurisdiction specified in the main service agreement between CrossClassify and the Controller. Any disputes arising from this agreement will be resolved in accordance with the dispute resolution procedures outlined in the main service agreement.
