
DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is an integral part of the agreement executed between the parties (“Agreement”) for the purpose of using the Services, as defined under the Agreement. Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement.

This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data (including, without limitations, by sharing Personal Data with the other party) during the course of the Agreement and thereafter.


1.    DEFINITIONS

1.1.    “Adequate Country” means a country that has received, or is covered by, an adequacy decision from the European Commission.

1.2.    “Affiliates” means any entity which is controlled by, controls or is under common control with one of the parties.

1.3.    “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as may be amended, as well as all regulations promulgated thereunder from time to time.

1.4.    The terms “Controller,” “Processor,” “Data Subject,” “Processing” (and “Process”), “Personal Data Breach,” and “Special Categories of Personal Data” shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business,” “Business Purpose,” “Consumer,” “Service Provider,” “Sale,” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer,” as such term is defined in the CCPA and in the CCPA’s regulatory modification, the California Privacy Rights Act (“CPRA”).

1.5.    “Data Protection Laws” means any and all applicable privacy and data protection laws and regulations (including, where applicable, the EU Data Protection Law, the CCPA and the CPRA) as may be amended or superseded from time to time.

1.6.    “EEA” means the European Economic Area.

1.7.    “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) any legislation replacing or updating any of the foregoing; and (vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

1.8.    “Personal Data” or “Personal Information” means any information which relates to, describes, or is capable of being associated with an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject.

1.9.    “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will be considered a Security Incident.

1.10.   “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted by European Commission Decision 2021/914 of 4 June 2021, which may be found here: Standard Contractual Clauses.

1.11.   “Swiss Data Protection Laws” or “FADP” shall mean (i) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) the Ordinance on the Federal Act on Data Protection (“FODP”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding, and any legislation replacing or updating, any of the foregoing.

1.12.   “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.

1.13.   “Shared Data” shall mean the Personal Data shared between the parties for the purpose of conducting the Factoring Services.

1.14.   “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

1.15.   “UK SCC” means, where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK, as adopted, amended or updated by the UK Information Commissioner’s Office (“ICO”), Parliament or the Secretary of State.

2.    ROLES AND OBLIGATIONS

2.1.    The parties agree and acknowledge that both FlexFactor and the Merchant are acting as an independent Controller with respect to the Processing of the Shared Data. It is hereby clarified that in no event will the parties Process the Personal Data or Personal Information as joint Controllers. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the Data Protection Laws.

2.2.    The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, each party may Process the Shared Data, for the purpose of providing or receiving the Services.

2.3.    It is hereby agreed that in the event the Shared Data shall include Special Categories of Data or Sensitive Data, each party shall implement specific restrictions and safeguards applicable to Processing of such data.

2.4.    Each party shall maintain a publicly-accessible privacy policy that is available via a prominent link that satisfies transparency disclosure requirements of Data Protection Law, specifically in compliance with Article 13 and Article 14 of the GDPR. Each party shall ensure it has the lawful basis (as required under Data Protection Law) to Process the Personal Data.

2.5.    For the purpose of the CCPA (and to the extent applicable), both the Merchant and FlexFactor are Businesses. Each party shall be individually and separately responsible for complying with the obligations under the CCPA.

3.    RIGHTS OF THE DATA SUBJECTS AND PARTIES COOPERATION OBLIGATIONS

3.1.    It is agreed that where either party receives a request from a Data Subject in respect to Shared Data Processed by the other party, the party receiving such request will direct the Data Subject to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request, if applicable.


3.2.    Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request or a request from a Supervisory Authority, to the extent permitted under Data Protection Law.


3.3.    Each party shall ensure, and assist the other party if needed, that the Personal Data Processed is accurate and up to date, by informing the other party without delay if it becomes aware that the Personal Data that it is Processing is inaccurate or has become outdated.

4.    SECURITY MEASURES AND SECURITY INCIDENT

4.1.    Each party shall implement industry-standard technical and organizational measures to protect the Shared Data and its security, confidentiality and integrity, and make reasonable efforts to prevent Security Incidents.


4.2.    In the event of any actual or suspected Security Incident associated with the other party’s Shared Data, specifically the Shared Data Processed for the purpose of operating the Services, the Merchant or FlexFactor (as applicable) shall notify the other party of the Security Incident without delay, and not later than 48 hours, and keep the other party informed with any updates or additional information it requires to comply with its obligations as an independent Controller.


4.3.    Each party shall take actions required by Data Protection Laws and industry standards to prevent further Security Incidents.


4.4.    The parties shall cooperate in good faith to agree on and take such actions as may be necessary to mitigate or remedy the effects of any Security Incident, to minimize its effects, to investigate it and to identify its cause.

5.    DATA TRANSFER

5.1.    Where the GDPR, UK GDPR or the Swiss FADP are applicable, if the Processing of Personal Data by either party (or by such party’s Sub-Processor) includes a transfer of Personal Data (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Personal Data is in place.


5.2.    As between the parties, if a party relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:


          5.2.1.    Transfer of Personal Data from the EEA is subject to the terms set forth in ANNEX I, ANNEX II and ANNEX III;

          5.2.2.    Transfer of Personal Data from the UK is subject to the terms set forth in ANNEX IV; and

          5.2.3.    Transfer of Personal Data from Switzerland is subject to the terms set forth in ANNEX V.

6.    TERMINATION

6.1.    This DPA shall be effective as of the effective date of the Agreement and shall automatically terminate upon the termination of the Agreement.

ANNEX I


DETAILS OF PERSONAL DATA
(CONTROLLER TO CONTROLLER)

A. LIST OF PARTIES

Data Exporter(s): 

Name: FlexFactor Operations Inc.

Address: 838 Walker Road, Suite 21-2, Dover, Kent, Delaware, 19904

Contact person’s name, position and contact details: DPO@flexfactor.io

Activities relevant to the data transferred under these Clauses: Factoring Services under the Agreement 

Role (controller/processor): Controller 

 

Data importer(s): 

Name: Merchant 

Address: as detailed in the Merchant Agreement. 

Contact person’s name, position and contact details: as provided by Merchant through the Merchant Agreement.  

Activities relevant to the data transferred under these Clauses: Factoring Services under the Agreement.  

Role (controller/processor): Controller

 


B.    DESCRIPTION OF PROCESSING AND TRANSFER


1.    Categories of data subjects whose Controller Personal Data is transferred and processed: 
Merchant’s Customers (as defined in the Agreement) 


2.    Categories of personal data transferred or processed: 

  • Merchant Customers: 

       a.    Contact information, including: full name, email address, billing address, phone number. 
       b.    Date and place of birth, if applicable. 
       c.    Payment and repayment transaction information (including card number, expiry date, error or confirmation codes, credit card holder). 
       d.    Credit score and credit bureau information.
       e.    If applicable, banking information.
       f.    Transactions and history. 


3.    Sensitive data transferred or processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved (e.g. strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures):  
N.A.


4.    The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
One-off


5.    Nature of the processing and transferring:
To provide the Factoring Services and process the Transaction.  


6.    Purpose(s) of the data transfer and purpose of processing and further Processing: 
Providing the Factoring Service to the Merchant and processing the payment for the Customer. 


7.    The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: 
As needed to provide the Factoring Service, or as a controller, as each party determines required for other purposes and means, or as required by law. 


C.    COMPETENT SUPERVISORY AUTHORITY FOR THE PURPOSE OF ARTICLE 13 OF THE STANDARD CONTRACTUAL CLAUSES
Identify the competent supervisory authority/ies: based on the Merchant’s establishment in the EEA. 

 

ANNEX II


TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

This ANNEX summarizes the technical, organizational and physical security measures implemented by the parties:

Data Importer undertakes to implement, maintain, and continuously control and update, appropriate technical and organizational security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. This includes:

1.    Preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used (physical access control); in particular, by taking the following measures:

  • Controlled access for critical or sensitive areas

  • Video monitoring in critical areas

  • Incident logs

  • Implementation of single entry access control systems

  • Automated systems of access control

  • Permanent door and window locking mechanisms

  • Key management

  • Permanently manned reception

  • Code locks on doors

  • Monitoring facilities (e.g. alarm device, video surveillance)

  • Logging of visitors

  • Compulsory wearing of ID cards

  • Security awareness training

2.    Preventing data processing systems from being used without authorization (logical access control); in particular, by taking the following measures:

  • Network devices such as intrusion detection systems, routers and firewalls

  • Secure log-in with unique user-ID, password and a second factor for authentication (OTP, MFA, 2FA).

  • Policy mandates locking of unattended workstations. Screensaver password is implemented such that if user forgets to lock the workstation, automatic locking is ensured.

  • Logging and analysis of system usage

  • Role-based access for critical systems containing personal data

  • Process for routine system updates for known vulnerabilities

  • Encryption of laptop hard drives

  • Monitoring for security vulnerabilities on critical systems

  • Deployment and updating of antivirus software

  • Individual allocation of user rights, authentication by password and username, use of smartcards for log in, minimum requirements for passwords, password management, password request after inactivity, password protection for BIOS, blocking of external ports (such as USB ports), encryption of data, virus protection and use of firewalls, intrusion detection systems.

3.    Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization (access control to data); in particular, by taking the following measures:

  • Network devices such as intrusion detection systems, routers and firewalls

  • Secure log-in with unique user-ID, password and a second factor for authentication (OTP, MFA, 2FA).

  • Logging and analysis of system usage

  • Role based access for critical systems containing personal data

  • Encryption of laptop hard drives

  • Deployment and updating of antivirus software

  • Compliance with Payment Card Industry Data Security Standard

  • Definition and management of role based authorization concept, access to personal data only on a need-to-know basis, general access rights only for a limited number of admins, access logging and controls, encryption of data, intrusion detection systems, secured storage of data carriers, secure data lines, distribution boxes and sockets.

4.    Ensuring that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control); in particular, by taking the following measures:

  • Encryption of communication, tunneling (VPN = Virtual Private Network), firewall, secure transport containers in case of physical transport, encryption of laptops

5.    Ensuring that it is possible retrospectively to examine and establish whether and by whom personal data have been inserted into data processing systems, modified or removed (entry control); in particular, by taking the following measures:

  • Logging and analysis of system usage

  • Role based access for critical systems containing personal data

  • Logging and reporting systems, individual allocation of user rights to enter, modify or remove based on role based authorization concept.

6.     Ensuring that personal data processed on the basis of a commissioned processing of personal data are processed solely in accordance with the directions of the data exporter (job control); in particular, by taking the following measures:

  • Mandatory security and privacy awareness training for all employees

  • Periodic audits are conducted

  • Implementation of processes that ensure that personal data is only processed as instructed by the data exporter, covering any sub-processors, including diligently selecting appropriate personnel and service providers and monitoring of contract performance, entering into appropriate data processing agreements with sub-processors, which include appropriate technical and organizational security measures.

7.    Ensuring that personal data are protected against accidental destruction or loss (availability control); in particular, by taking the following measures:

  • Backup procedures and recovery systems, redundant servers in separate location, mirroring of hard disks, anti-virus/firewall systems, malware protection, disaster recovery and emergency plan.

ANNEX III


EU INTERNATIONAL TRANSFERS AND SCC

1.    The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Personal Data from the EEA to other countries that are not deemed as Adequate Countries.
 

2.    Module One (Controller to Controller) of the Standard Contractual Clauses shall apply.

3.    The Parties agree that the following shall apply:

        a)    Clause 7 of the Standard Contractual Clauses shall not be applicable.
        b)    In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
        c)    In Clause 18(b) the parties choose the courts of Ireland as their choice of forum and jurisdiction.

 

4.    ANNEX I of the DPA shall apply as Annex I.A, Annex I.B and Annex I.C of the Standard Contractual Clauses. 
 

5.    Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in ANNEX II, as well as: 
 

Each party agrees and hereby represents that it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this DPA:
 

        a)    Each party maintains industry standard measures to protect the Personal Data from interception. This includes maintaining encryption of Personal Data in transit and at rest.
        b)    Each party will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).
        c)    If either party becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, that party shall inform the other party of such requests or demands and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under that party’s control.


Each party will inform the other party, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data each party has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.

ANNEX IV


UK INTERNATIONAL TRANSFERS AND SCC

1.    The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this ANNEX IV, are hereby incorporated by reference and shall apply to transfer of Personal Data from the UK to other countries that are not deemed as Adequate Countries.


2.    Terms used in this ANNEX IV that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.


3.    This ANNEX IV shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.


4.    Amendments to the UK Standard Contractual Clauses: 


       4.1.        Part 1: Tables


       4.1.1.     Table 1 Parties: shall be completed as set forth in ANNEX I above.


       4.1.2.     Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Sections 2 and 3 within ANNEX III above.


       4.1.3.    Table 3 Appendix Information:
              Annex 1A: List of Parties: shall be completed as set forth in ANNEX I above.
              Annex 1B: Description of Transfer: shall be completed as set forth in ANNEX I above.
              Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in ANNEX II above.


       4.1.4.    Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “Importer” & "Exporter". 

ANNEX V

 

SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY

The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:


1.    The term ‘Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.


2.    The clauses in the DPA protect the Personal Data of legal entities until the entry into force of the Revised Swiss FDPA.


3.    All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.


4.    Any obligation under the EU Standard Contractual Clauses shall refer to a respective obligation under the Swiss SCCs and Swiss Data Protection Laws and Regulations, as applicable.


5.    The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
