Data Processing Agreement

GDPR-compliant data processing terms for business customers.

Last updated: January 19, 2026

1 Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PeaceWeb B.V., operating as IP Market ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by the Processor on behalf of the Controller.

This DPA is designed to meet the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "Sub-processor" means any third party engaged by the Processor to process personal data
  • "Data Subject" means the individual to whom personal data relates

2 Scope of Processing

2.1 Subject Matter

The Processor processes personal data on behalf of the Controller to provide the IP Market platform services, including account management, billing, customer support, and technical infrastructure services.

2.2 Categories of Data Subjects

  • Customer employees and authorized users
  • Technical and administrative contacts
  • End-users of Customer's services (if applicable)

2.3 Types of Personal Data

  • Contact information (name, email, phone, address)
  • Account credentials and authentication data
  • Billing and payment information
  • Technical data (IP addresses, logs, device information)
  • KYC/verification documents (where applicable)

2.4 Duration

Processing will continue for the duration of the service agreement and for such additional period as necessary to comply with legal obligations.

3 Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are under confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior authorization and under written contract
  • Assist the Controller with data subject rights requests
  • Assist with security, breach notification, and impact assessment obligations
  • Delete or return personal data upon termination of services
  • Make available information necessary to demonstrate compliance

4 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS 1.3) and at rest
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Incident detection and response procedures
  • Business continuity and disaster recovery measures
  • Employee security training and awareness

5 Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor will maintain a list of current sub-processors and notify the Controller of any intended changes, providing an opportunity to object.

The Processor ensures that sub-processors are bound by data protection obligations no less protective than those in this DPA.

Current sub-processors are listed on our website and include cloud infrastructure providers, payment processors, and customer support tools.

6 International Transfers

Personal data is primarily processed within the European Economic Area (EEA). When transfers outside the EEA are necessary, the Processor ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms.

7 Data Subject Rights

The Processor will assist the Controller in responding to data subject requests, including requests for access to personal data, rectification of inaccurate data, erasure (right to be forgotten), restriction of processing, data portability, and objection to processing.

If the Processor receives a request directly from a data subject, it will promptly notify the Controller unless legally prohibited from doing so.

8 Data Breach Notification

The Processor will notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach. Notification will include the nature of the breach, categories and approximate numbers of affected data subjects, contact point for further information, likely consequences, and measures taken or proposed to address the breach.

9 Audits

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.

Audits require at least 30 days' advance notice, must be conducted during normal business hours, and are subject to confidentiality obligations. The Controller is responsible for audit costs unless the audit reveals material non-compliance.

10 Termination

Upon termination of the service agreement, the Processor will, at the Controller's choice, return all personal data or delete all personal data (unless retention is required by law). Certification of deletion will be provided upon request.

11 Contact

Data Protection Contact

PeaceWeb B.V.

Saffierborch 18, 5241 LN Rosmalen, Netherlands

Privacy Inquiries: privacy@ipmarket.io

DPA Requests: legal@ipmarket.io