Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ledger Link, Inc. ("Processor") and the Customer ("Controller") and governs the processing of personal data in connection with the Services.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Data Subject" means the individual to whom Personal Data relates.
• "Subprocessor" means any third party engaged by Processor to process Personal Data.
• "Data Protection Laws" means GDPR, CCPA, and other applicable privacy regulations.
• "Services" means the Ledger Link inventory management platform.

2. Scope and Roles

2.1 Roles

The Customer is the Controller of Personal Data. Ledger Link is the Processor, processing Personal Data on behalf of the Controller according to documented instructions.

2.2 Subject Matter

This DPA applies to the processing of Personal Data as described in Annex 1.

3. Processing Instructions

3.1 Documented Instructions

Processor shall only process Personal Data:

• According to Controller's documented instructions
• As necessary to provide the Services
• As required by applicable law (with prior notice to Controller where permitted)

3.2 Additional Instructions

Controller may provide additional processing instructions in writing. If Processor believes an instruction infringes Data Protection Laws, it shall promptly notify Controller.

4. Security Measures

4.1 Technical and Organizational Measures

Processor implements appropriate security measures including:

• Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Incident response and disaster recovery procedures
• Employee training and confidentiality obligations
• Physical security of data centers

Detailed security measures are described in Annex 2.

4.2 Confidentiality

Processor ensures that personnel authorized to process Personal Data are subject to confidentiality obligations and have received appropriate training.

5. Subprocessors

5.1 Authorization

Controller authorizes Processor to engage Subprocessors listed at ledgerlink.com/subprocessors.

5.2 Notification

Processor shall notify Controller at least 30 days before engaging new Subprocessors. Controller may object within 14 days on reasonable grounds.

5.3 Subprocessor Agreements

Processor shall ensure Subprocessors are bound by data protection obligations substantially similar to those in this DPA.

6. Data Subject Rights

6.1 Assistance

Processor shall assist Controller in responding to Data Subject requests including:

• Access requests
• Rectification requests
• Erasure requests ("right to be forgotten")
• Data portability requests
• Restriction requests
• Objection requests

6.2 Response Time

Processor shall respond to Controller's requests for assistance within 10 business days, or sooner if required by law.

7. Data Breach Notification

7.1 Notification

Processor shall notify Controller without undue delay (and within 48 hours) upon becoming aware of a Personal Data breach.

7.2 Information Provided

Notification shall include:

• Nature of the breach and categories of data affected
• Approximate number of Data Subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for further information

7.3 Cooperation

Processor shall cooperate with Controller in investigating, mitigating, and remediating the breach, and in making any required notifications.

8. Data Transfers

8.1 Transfer Mechanisms

For transfers of Personal Data outside the EEA, Processor relies on:

• Standard Contractual Clauses (EU Commission approved)
• Binding Corporate Rules where applicable
• Adequacy decisions where available

8.2 Supplementary Measures

Processor implements supplementary technical and organizational measures to ensure an adequate level of protection following the Schrems II decision.

9. Audit Rights

9.1 Audit

Controller may audit Processor's compliance with this DPA upon reasonable notice. Audits shall be conducted during normal business hours with minimal disruption.

9.2 Certifications

Processor makes available relevant certifications, audit reports (SOC 2 Type II), and other documentation to demonstrate compliance.

10. Term and Termination

10.1 Term

This DPA remains in effect for the duration of the Services agreement and until all Personal Data has been deleted or returned.

10.2 Data Return/Deletion

Upon termination, Processor shall:

• Return all Personal Data to Controller in a standard format upon request
• Delete all Personal Data within 30 days unless retention is required by law
• Certify deletion in writing upon Controller's request

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, except that limitations shall not apply to breaches of Data Protection Laws caused by a party's gross negligence or willful misconduct.

Annex 1: Processing Details

Annex 2: Security Measures

Technical Measures

• Encryption at rest: AES-256
• Encryption in transit: TLS 1.3
• Multi-factor authentication available
• Role-based access control (RBAC)
• Automated vulnerability scanning
• Web Application Firewall (WAF)
• DDoS protection
• Database encryption and backups
• Secure software development lifecycle (SDLC)

Organizational Measures

• Information security policies and procedures
• Employee background checks
• Security awareness training
• Incident response plan
• Business continuity plan
• Vendor risk management program
• Regular security assessments

Physical Security

• SOC 2 Type II certified data centers
• 24/7 physical security monitoring
• Biometric access controls
• Environmental controls (fire, flood, temperature)

Contact Information

This DPA is incorporated by reference into the Ledger Link Terms of Service. By using the Services, Customer agrees to this DPA.