Effective Date 03/13/2025

Data Processing Addendum (Controller to Processor)

This Data Processing Addendum (“DPA”) is issued pursuant to the Software and Billing Terms and Conditions (the “Agreement”) entered into between Pay2Day, Inc. (dba Authvia) (“Company”) and you as the “Customer”. By entering into the Agreement this DPA is in effect. Each party enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its respective Affiliates (defined below), as applicable. This DPA is intended to govern the Processing of Personal Data by Company, and on behalf of Customer, in connection with Company’s provision of the Services to Customer pursuant to the Agreement. This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.

1. Definitions. In this DPA, the following terms shall have the meaning set out below:

1.1 “Affiliate” means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

1.2 “Authorized Sub-Processor” means a third-party who has a need to know or otherwise access Customer’s Personal Information to enable Company to perform its obligations under this DPA or the Agreement, and who is either (1) listed as an Authorized Sub-Processor as of the DPA Effective Date or (2) subsequently authorized under Section 4.2 of this DPA.

1.3 “Company Account Data” means Personal Information that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

1.4 “Company Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

1.5 “Data Protection Laws” means any applicable privacy laws and regulations in the following jurisdictions relating to the use or processing of Personal Information: (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA“); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR“) and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR“); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; and (v) all other data protection and privacy laws and regulations applicable to a party’s processing of Personal Information under the Agreement in the United States, Canada, the European Union (EU) or European Economic Area (EEA); in each case, as updated, amended or replaced from time to time.

1.6 “Data Subject Request(s)” means a request by a Data Subject to exercise the Data Subject’s right of: access, correction, deletion, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making.

1.7 “Security Breach” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed by Company and/or its Authorized Sub-Processors in connection with the provision of the Services. Security Breach shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.8 “Services” shall have the meaning set forth in the Agreement.

The terms “Controller”, “Data Subject”, “Personal Information”, “Processor”, “Processing”, and “Supervisory Authority” shall have the meanings ascribed to them in the applicable Data Protection Laws.

2. Role of the Parties; Scope of Processing of Personal Information

2.1 The parties acknowledge and agree that with regard to the Processing of Personal Information, Customer may act either as a Controller or Processor and, except as expressly set forth in this DPA or the Agreement, Company is a Processor. Company may, in its performance of the Services, Process Personal Information, and provide instructions for the Processing of Personal Information, in compliance with Data Protection Laws. Customer shall ensure that the Processing of Personal Information in accordance with Customer’s written instructions will not cause Company to be in violation of any Data Protection Law. Furthermore, where the CCPA applies to Company’s Processing of Personal Information, the parties acknowledge and agree that Customer is a “Business”, as that term is defined within the CCPA and its implementing regulations, and that Company is Customer’s “Service Provider”, as that term is defined within the CCPA and its implementing regulations.

2.2 Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Information provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Information, and (iii) the instructions it provides to Company regarding the Processing of such Personal Information. Customer shall not provide or make available to Company any Personal Information in violation of applicable Data Protection Laws, the Agreement or otherwise inappropriate for the nature of the Services and shall indemnify Company from all claims and losses in connection therewith.

2.3 Company shall not Process Personal Information (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, or (iii) in violation of Data Protection Laws. Customer hereby instructs Company to Process Personal Information in accordance with the foregoing and as necessary (i) to provide Company Services to Customer (including, without limitation, to improve and update Company Services and to carry out Processing initiated by Customer users in their use of the Services), (ii) to process in compliance with other reasonable instructions provided by Customer (e.g., via e-mail) and (iii) to perform Company’s obligations and exercise Company’s rights under the Agreement.

2.4 The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Information collected and categories of Data Subjects, are described in Exhibit A to this DPA, as required by Article 28(3) of the GDPR.

2.5 Company certifies that it understands the restrictions set forth in this DPA and will comply with them. Specifically, Company shall not: (a) Sell or Share the Personal Information; (b) Retain, use, or disclose the Personal Information for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by applicable Data Protection Laws; (c) Retain, use, or disclose the Personal Information outside of the direct business relationship between Company and Customer; or (d) Combine the Personal Information with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with individuals, except as otherwise permitted under applicable Data Protection Laws.

2.6 In addition to the terms set forth hereunder, where the CCPA applies to the Processing of Personal Information by Company and its Sub-processors pursuant to the Agreement, the terms set forth in Exhibit B attached hereto shall apply to such Processing.

2.7 Following completion of the Services, at Customer’s choice, Company shall return or delete Customer’s Personal Information, unless further storage of such Personal Information is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Information from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Information remaining in its possession, custody, or control.

3. Personnel; Confidentiality.

Company shall take all reasonable steps to ensure that any person it authorizes to Process Customer Personal Information is subject to confidentiality undertakings or professional or statutory obligations of confidentiality, substantially similar to Company’s confidentiality obligations in the Agreement. Customer agrees that Company may disclose Personal Information to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer.

4. Authorized Sub-Processors

4.1 Customer acknowledges and agrees that Company may (1) engage its Affiliates as well as the Authorized Sub-Processors on the List (defined below) to access and Process Personal Information in connection with the Services, and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Information. By way of this DPA, Customer provides general written authorization to Company to engage Sub-Processors as necessary to perform the Services. A list of Company’s current Authorized Sub-Processors (the “List“) is available to Customer by emailing support@authvia.com. Such List may be updated by Company from time to time.

4.2 Notwithstanding Section 4.2, Customer may reasonably object to the appointment of a new Sub-Processor, by notifying Company in writing within five (5) days of becoming aware, of any objections (on reasonable grounds) to the proposed appointment. In this event, Company will use commercially reasonable efforts to make available a commercially reasonable change in the provision of the Company Services which avoids the use of that proposed Sub-Processor; and where (i) such a change cannot be made within ninety (90) days from Company’s receipt of Customer’s notice, and/or (ii) no commercially reasonable change is available, and/or (iii) Customer declines to bear the cost of the proposed change, notwithstanding anything in the Agreement, Company and/or Customer may discontinue the use of the affected Service by providing written notice to the other party. Discontinuation by Customer shall not relieve Customer of any fees owed to Company under the Agreement. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Company from offering the Services to Customer.

4.3 With respect to each Sub-Processor, Company will, before the Sub-Processor first Processes Customer Personal Information (or, as soon as reasonably practicable, where relevant), carry out adequate due diligence to ensure that the Sub-Processor is capable of providing the level of protection for Customer Personal Information required by this DPA.

4.4 Company will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Company under this DPA with respect to the protection of Personal Information. In case an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations under such agreement.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall in relation to the Customer Personal Information implement and maintain appropriate technical and organizational measures that are designed to preserve and protect the security, integrity and confidentiality of Personal Information and to ensure a level of security appropriate to the risk of Processing Personal Information. Exhibit C sets forth additional information about Company’s technical and organizational security measures. Company may update its internal technical and organization measures from time to time, but Company will not materially decrease the overall security of the Processing.

5.2 In the event of a Security Breach, Company shall, without undue delay after becoming aware, inform Customer of the Security Breach and take such steps as Company in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Company’s reasonable control).

5.3 In the event of a Security Breach, Company shall, taking into account the nature of the Processing and the information available to Company, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under applicable Data Protection Laws with respect to notifying the relevant supervisory authorities and affected Data Subjects.

5.4 The obligations described in Sections 5.2 and 5.3 shall not apply in the event that a Security Breach results from the actions or omissions of Customer or any of its users or Affiliates. Company’s obligation to report or respond to a Security Incident hereunder will not be construed as an acknowledgement by Company of any fault or liability with respect to the Security Incident.

6. Data Subjects Requests

6.1 Customer is solely responsible for ensuring that Data Subject Requests for deletion, restriction or cessation of Processing, or withdrawal of consent to Processing of any Personal Information are communicated to Company, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Data Subject. Customer shall maintain, throughout the term of the Agreement, (i) a privacy notice, accessible to Data Subjects, that complies with Data Protection Laws and that informs Data Subjects, in clear and intelligible language, that they may exercise their rights with respect to any Processing taking place pursuant to the Agreement by contacting Customer and not by contacting Company directly; and (ii) a functioning mechanism for receiving and processing Data Subject requests.

6.2 If, despite Customer’s compliance with the preceding Section 6.1, Company receives a Data Subject Request, Company shall, to the extent permitted by law, notify Customer upon receipt of a verifiable Data Subject Request. If Company receives a Data Subject Request in relation to the Processing of Customer’s Personal Information, Company will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services.

6.3 Company shall, at the request of the Customer, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer, as may be reasonably necessary and technically possible in the circumstances, in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Company’s assistance and (ii) Company is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.

7. Data Protection Impact Assessments; Audits

7.1 Company shall, taking into account the nature of the Processing and the information available to Company, provide Customer with commercially reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the applicable Data Protection Laws to conduct a risk assessment or data protection impact assessment and prior consultations with Supervisory Authorities, in each case solely in relation to Processing of Customer Personal Information, to the extent Customer does not otherwise have access to the relevant information. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.

7.2 Company shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA and retain such records for a period of three (3) years after the termination of the Agreement. Customer shall, with reasonable prior written notice to Company, have the right, at its own cost, to review, audit and copy such records at Company’s offices during regular business hours. All Company records reviewed and copied pursuant to this Section 7.2 shall be treated as Company’s Confidential Information and subject to the confidentiality obligations under the Agreement.

7.3 Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards applicable to the Processing of Customer’s Personal Information.

7.4 Company shall promptly, after becoming aware, notify Customer if an instruction, in the Company’s opinion, infringes the Data Protection Laws.

8. Company’s Role as a Business.

The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent data controller/business, not a joint controller/business with Customer. Company will Process Company Account Data and Company Usage Data as a controller/business (i) to manage the relationship with Customer; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the Processing and retention of Personal Information to which Company is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement. Company may also Process Company Usage Data as a controller/business to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws.

9. Data Transfer

9.1 Customer agrees that Company may, subject to Section 9.2, Process (or permit the Processing by Sub-Processors of) Customer Personal Information in the United States and any other Third Country. “Third Country” means a country or territory outside the EU/EEA that is not an Adequate Country. “Adequate Country” means a country or territory outside the EU/EEA that is recognized for the purposes of the Data Protection Laws (including by virtue of a decision of the European Commission, the UK authorities or the Swiss authorities, as applicable) as providing an adequate level of protection for Personal Information.

9.2 Transfers of EEA Personal Information. The parties acknowledge and agree that to the extent Customer transfers Customer Personal Information to Company, it shall be effecting a Transfer to the United States. “Transfer” means a transfer of Customer Personal Data to a Third Country that falls within the scope of Chapter V of the GDPR (including, where applicable, any ‘onwards transfers’ from that Third Country). In respect of such Transfer, the parties agree to comply with the terms of the Processor EU 2021 Standard Contractual Clauses (“SCCs”) (Module Two), the terms of which are hereby incorporated into this DPA with the same force and effect as though fully set forth herein. For purposes of the Processor SCCs, the “Data Exporter” shall be Customer and the “Data Importer” shall be Company, and the information required by Annex I of the Processor SCCs has been included in Exhibit A, attached hereto. The parties will comply with the additional warranties, obligations, and terms set out in the Processor SCCs. For purposes of Annex II of the Processor SCCs, the technical and organizational measures implemented by the data importer are those set forth in Section 5 (Security) of this DPA. Pursuant to clause 9 of the Processor SCCs, Customer agrees that Company may engage new Sub-Processors in accordance with Section 4 of this DPA. Notwithstanding anything to the contrary, the governing law of the Processor SCCs shall be the law of the country in which the data exporter is established. The parties agree that the certification of deletion described in Clause 12(1) of the Processor SCCs shall be provided by Company only upon Customer’s written request and that the Illustrative Indemnification Clause (Optional) is expressly not included in the Processor SCCs. Each party’s signature to this DPA shall be considered a signature to the Processor SCCs. If required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the Processor SCCs as a separate document.

9.3 Transfers of UK Personal Data. Where a Transfer of UK Personal Information terminates in an Adequate Country, no other transfer mechanism shall be necessary. In all other cases, Transfers of UK Personal Information shall be conducted pursuant to the Processor SCCs, as they have been adapted for use by the relevant authorities within the United Kingdom, including the UK Information Commissioner’s Office (“UKICO“). Where applicable, this DPA incorporates the Processor SCCs by reference, and the Parties are deemed to have accepted and executed the Processor SCCs in their entirety, including the associated annexes.

9.4 Transfers of Swiss Personal Data. Where a Transfer of Swiss Personal Information terminates in an Adequate Country, no other transfer mechanism shall be necessary. In all other cases, Transfers of Swiss Personal Data shall be conducted pursuant to the Processor SCCs, as they have been adapted for use by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). Where applicable, this DPA incorporates the Processor SCCs by reference, and the Parties are deemed to have accepted and executed the Processor SCCs in their entirety, including the associated annexes.

10. Miscellaneous

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the terms of this DPA; (2) the Agreement; and (3) the Company’s privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement. This DPA will be governed by the laws of the country or territory stipulated in the Agreement. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein.

CONTACT AUTHVIA

If you have any requests concerning your personal information or any questions with regards to our privacy policy, please contact us at support@authvia.com or via mail to Privacy Policy c/o AuthVia, 1730 East Holly Avenue, Suite 765, El Segundo, CA 90245.

EXHIBIT A

DETAILS OF PROCESSING OF CUSTOMER PERSONAL INFORMATION

This Exhibit A includes certain details of the Processing of Customer Personal Information as required by the GDPR.

A. LIST OF PARTIES: as indicated in the Agreement.

Data Exporter:

Name: The Customer identified in the Agreement
Address: Customer’s address, as identified in the Agreement
Contact Person: Customer’s telephone number and email address, as identified in the Agreement
Activities Relevant to Transferred Data: Purchase of Services from Company
Role: Controller or Processor (see Section 2 of the DPA)

Data Importer:

Name: PAY2DAY Solutions, Inc. d/b/a Authvia
Address: 1730 East Holly Avenue, #765, El Segundo, CA 90245
Contact Person: Data and Privacy Office, support@authvia.com
Activities Relevant to Transferred Data: Sale of Services to Customer
Role: Processor or Sub-processor (see Section 2 of the DPA)

B. DESCRIPTION OF TRANSFER:

Subject Matter of the Processing: The subject matter of the Processing of Personal Information by Company is the provision of the Services to Data Exporter pursuant to the Agreement.
Nature and Purpose of Processing: Company will Process Personal Information as necessary to perform the Services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by Customer in its use of the Services.
Duration of Processing: Subject to Section 2.5 of the DPA, Company will Process Personal Information for the term of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects: Customer may submit Personal Information in the use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Information relating to the following categories of data subjects:
● Customers, business partners, and vendors of Customer (who are natural persons)
● Employees or contact persons of Customer’s customers, business partners, and vendors
● Employees, agents, advisors, freelancers of Customer (who are natural persons)
● Customer’s users authorized by Customer to use the Services

Categories of Personal Information: Customer may submit Personal Information in the use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Information:
● First and last name
● Contact information (company, email, phone, physical business address)
● ID data
● Professional life data
● Personal life data
● Connection data
● Localization data
Special Categories of Personal Information: Special categories of Personal Information are not necessary to be submitted for the use of the Services.
Frequency of the Transfer: Regular and repeating for as long as Customer uses the Services.
Retention Criteria: Generally, retention of Personal Information should not be required. In case Personal Information should be retained, any retention period will be limited to the duration necessary to perform the Services pursuant to the Agreement.
Subject Matter, Nature, and Duration of Sub-processor Processing: Any transfer to Sub-processors will be in order to perform the Services pursuant to the Agreement, and the Processing of Personal Information on behalf of Customer will last until Customer ceases use of the Services.

[End of Exhibit A]

EXHIBIT B

SUPPLEMENTAL CCPA DATA PROTECTION TERMS

Words and phrases defined in the CCPA shall have the same meaning in this Exhibit B and all other terms shall have the meaning assigned by the DPA or Agreement, each as applicable. In the event of a conflict between the terms of this Exhibit and the Agreement, this Exhibit will control, but all other terms in the Agreement will otherwise remain in full force.

1. The following definitions and rules of interpretation apply in this Exhibit:

  • “CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199), as amended by the California Privacy Rights Act of 2020, and any related regulations provided by the California Attorney General, all of which as may be amended from time to time.
  • “Contracted Business Purposes” means the Services and as otherwise described in the Agreement for which Company receives or accesses personal information from Customer.

2. Company’s CCPA Obligations:

  • Company will only collect, use, retain, or disclose Personal Information for the Contracted Business Purposes for which Customer provides or permits Personal Information access.
  • Company will not collect, use, retain, disclose, sell, or otherwise make Personal Information available in a way that does not comply with the CCPA. If a law requires Company to disclose Personal Information for a purpose unrelated to the Contracted Business Purpose, Company must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless applicable law prohibits such notice.
  • To the extent commercially reasonable, Company will limit Personal Information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.
  • Company must promptly comply with any Customer request or instruction requiring the Company to provide, amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing. If Customer is able to amend, transfer, or delete the Personal Information itself and chooses Company’s assistance, Customer agrees to pay reasonable fees for such assistance at a rate mutually agreed in advance between the Parties.
  • If the Contracted Business Purposes require the collection of Personal Information from individuals on the Customer’s behalf, Company will provide a CCPA-compliant notice addressing use and collection methods.
  • If the CCPA permits, Company may aggregate, deidentify, or anonymize Personal Information, so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development purposes. Company will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.

3. Assistance with CCPA Obligations:

  • Company will reasonably cooperate and assist Customer in responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of Company’s processing and the information available to Company.
  • A party must notify the other party promptly if it receives any complaint, notice, or communication that directly or indirectly relates to either party’s compliance with the CCPA. Specifically, Company must notify the Customer within five (5) working days if it receives a verifiable consumer request under the CCPA.

4. Subcontracting:

  • Company may use subcontractors to provide the Contracted Business Services. Company cannot make any disclosures to the subcontractor that the CCPA would treat as a sale, and Company shall ensure appropriate terms no less protective than those in this Exhibit are entered into between Company and the subcontractor.
  • Company remains fully liable for each subcontractor’s performance to the same extent as if Company were performing itself.
  • Upon the Customer’s written request, Company will provide Customer with information and reports demonstrating Company’s compliance with the obligations in this Exhibit.

5. Certifications:

  • Both Parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing Personal Information.
  • Company certifies that it understands this Exhibit’s and the CCPA’s restrictions and prohibitions on selling Personal Information and retaining, using, or disclosing Personal Information outside of the Parties’ business relationship, and Company will comply with them.

[End of Exhibit B]

EXHIBIT C

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Company maintains appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Customer’s Personal Information. The technical and organizational security measures implemented by Company include, but are not limited to:

Physical Access Controls: Measures to prevent unauthorized persons from gaining access to data processing systems with which Personal Information is processed, such as:

  • Electronic access control system with documented management of access cards/keys
  • Documented procedure for handling visitors
  • Secured buildings, offices and facilities
  • Surveillance devices 

System Access Controls: Measures to prevent data processing systems from being used without authorization, such as:

  • Password procedures (including special characters, minimum length, forced change of password)
  • Automatic blocking (e.g. password or timeout)
  • Individual user authentication and authorization
  • User account management and monitoring
  • Encryption of mobile devices and removable media
  • Securing of machines, devices and equipment  

Data Access Controls: Measures to ensure that persons entitled to use a data processing system have access only to the Personal Information to which they have a right of access, such as:

  • Differentiated access rights
  • Access rights defined according to duties
  • Automated log of user access via IT systems
  • Management of access rights
  • Removal of access rights

Transmission Controls: Measures to ensure that Personal Information cannot be read, copied, modified or removed without authorization during electronic transmission, such as:

  • Encryption of external and internal network connections
  • Securing of protocols (HTTPS, SFTP, etc.)
  • Logging of all file transfers
  • Regular review of logs

Input Controls: Measures to ensure that it is possible to check and establish whether and by whom Personal Information has been input into data processing systems or modified, such as:

  • Logging of input, modification and deletion of data
  • Traceability of input, modification and deletion through individual username
  • Storage of log files
  • Protection against subsequent modification of logs

Availability Controls: Measures to ensure that Personal Information is protected from accidental destruction or loss, such as:

  • Regular data backup
  • Redundant IT infrastructure
  • Uninterruptible power supply (UPS)
  • Remote storage
  • Anti-virus/firewall systems
  • Disaster recovery concept and testing

Separation Controls: Measures to ensure that Personal Information collected for different purposes can be processed separately, such as:

  • Separation of databases with personal data
  • Functional separation (production/testing)
  • Segregation of duties

Organizational Controls: Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, such as:

  • Information security policy
  • Regular security awareness training for employees
  • Binding confidentiality obligations for employees and third parties
  • Regular review and assessment of security measures
  • Incident management procedures
  • Privacy by Design and Default principles

The technical and organizational measures are subject to technical progress and development. Company may implement alternative adequate measures, provided that the security level of the measures is not reduced.

[End of Exhibit C]