Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms an integral part of all agreements between the Customer and POPHAW LLC, doing business as “TradeGo AI”, a Delaware limited liability company with offices at 1007 N Orange St., Suite 937, 4th Floor, Wilmington, DE 19801, United States (“Processor”, “TradeGo AI”, “we”, or “us”), and the customer identified in the applicable agreement (“Customer” or “Controller”).

This DPA supplements and forms part of the Master Subscription Agreement, Terms of Service, or any other services agreement entered into between the Parties (collectively, the “Agreement”) and sets forth the Parties’ agreement regarding the Processing of Personal Data.

In the provision of the Services under the Agreement, Processor may Process Personal Data on behalf of Customer. The Parties agree to comply with the terms and conditions set out in this DPA.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the subject matter herein.

This DPA becomes effective on the date the Agreement becomes effective (“Effective Date”) and supersedes any prior data processing agreements between the Parties.


1. Definitions

Capitalized terms not otherwise defined herein shall have the meanings set forth in the Agreement.

(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

(b) “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data, including without limitation:

  • Regulation (EU) 2016/679 (“GDPR”);

  • UK GDPR and the UK Data Protection Act 2018;

  • Swiss Federal Act on Data Protection;

  • California Consumer Privacy Act and California Privacy Rights Act (“California Privacy Law”);

  • any other applicable privacy or data protection law.

(c) “Authorized Affiliate” means any Affiliate of Customer permitted to use the Services under the Agreement.

(d) “Controller” means the Customer.

(e) “Controller Data” means Personal Data Processed by Processor on behalf of Customer.

(f) “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Data.

(g) “Instructions” means the documented instructions provided by Customer to Processor, including through Customer’s use of the Services.

(h) “Personal Data” means any information relating to an identified or identifiable natural person.

(i) “Processing” means any operation performed on Personal Data as defined under Applicable Data Protection Law.

(j) “Processor” means POPHAW LLC (d/b/a TradeGo AI).

(k) “Services” means the products and services provided under the Agreement.

(l) “Sub-processor” means any third party engaged by Processor to Process Controller Data.


2. Purpose of Processing

2.1 Processor shall Process Controller Data solely for the purpose of providing the Services in accordance with the Agreement and Customer’s Instructions.

2.2 The scope, nature, purpose, and duration of Processing are further described in Schedule 1 (Details of Processing).


3. Roles and Responsibilities

3.1 Roles of the Parties

  • Under GDPR, UK GDPR, and Swiss law, Customer acts as the Controller and Processor acts as the Processor.

  • Under California Privacy Law, Processor acts as a Service Provider.

3.2 Customer Instructions

Customer represents and warrants that it has obtained all necessary rights, consents, and lawful bases to Process Personal Data and to instruct Processor to Process such data.

3.3 Purpose Limitation

Processor shall Process Controller Data only in accordance with Customer’s Instructions and for Permitted Purposes.

3.4 Data Subject Requests

Customer is responsible for responding to Data Subject requests. Processor shall provide commercially reasonable assistance where required by law.


4. Processor Obligations

4.1 Confidentiality
Processor shall ensure that personnel authorized to Process Controller Data are bound by confidentiality obligations.

4.2 Disclosure
Processor shall not disclose Controller Data except as required by law or permitted under this DPA.

4.3 Retention and Deletion
Upon termination of the Agreement, Processor shall delete or return Controller Data within thirty (30) days unless retention is required by law.

4.4 Security Measures
Processor shall implement appropriate technical and organizational measures as described in Schedule 2.


5. Data Breach

5.1 Processor shall notify Customer without undue delay and no later than 72 hours after becoming aware of a Data Breach.

5.2 Processor shall reasonably assist Customer with breach notifications where required.


6. Audits

Customer may audit Processor’s compliance once per year using an independent auditor, subject to reasonable notice and confidentiality obligations.


7. Sub-processors

7.1 Customer authorizes Processor to engage Sub-processors.

7.2 A current list of Sub-processors is available upon request or published on Processor’s website.

7.3 Processor remains liable for the acts and omissions of Sub-processors.


8. International Data Transfers

Processor shall ensure appropriate safeguards for Restricted Transfers, including Standard Contractual Clauses or other lawful mechanisms.


9. Limitation of Liability

Each Party’s total liability under this DPA shall be subject to the limitations set forth in the Agreement.


10. Miscellaneous

10.1 This DPA shall be governed by the governing law specified in the Agreement.

10.2 This DPA may be updated upon notice, with continued use of the Services constituting acceptance.


Schedule 1 – Details of Processing

Categories of Data Subjects:
End users, customers, and other individuals whose Personal Data is submitted by Customer.

Types of Personal Data:
Contact information, account data, usage data, and other data submitted through the Services.

Purpose:
Provision of the Services.

Duration:
Term of the Agreement plus deletion period.


Schedule 2 – Technical and Organizational Measures

Processor maintains appropriate safeguards, including but not limited to:

  • Encryption in transit and at rest

  • Access controls and authentication

  • Logging and monitoring

  • Incident response procedures

  • Data minimization practices

  • Secure infrastructure and backups
