Decline Defense Data Processing Agreement
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) is an integral part of the agreement executed between the parties (“Agreement”) for the purpose of using the Services, as defined under the Agreement. Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement.
This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data (including, without limitation, by sharing Personal Data with the other party) during the course of the Agreement and thereafter.
1. Definitions
1.2. “Affiliates” means any entity which is controlled by, controls, or is in common control with one of the parties.
1.3. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. as may be amended as well as all regulations promulgated thereunder from time to time.
1.4. The terms “Controller,” “Processor,” “Data Subject,” “Processing” (and “Process”), “Personal Data Breach,” and “Special Categories of Personal Data” shall all have the same meanings as ascribed to them in the EU Data Protection Law. The terms “Business,” “Business Purpose,” “Consumer,” “Service Provider,” “Sale,” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer,” as such term is defined in the CCPA and as defined in the CCPA’s regulatory modification, the California Privacy Rights Act (“CPRA”).
1.5. “Data Protection Laws” means any and all applicable privacy and data protection laws and regulations (including, where applicable, the EU Data Protection Law, the CCPA, and the CPRA) as may be amended or superseded from time to time.
1.6. “EEA” means the European Economic Area.
1.7. “EU Data Protection Law” means:
(i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”);
(ii) Regulation 2018/1725;
(iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law);
(iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii);
(v) any legislation replacing or updating any of the foregoing; and
(vi) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
1.8. “Personal Data” or “Personal Information” means any information which can be related to, describes, or is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject.
1.9. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will be considered a Security Incident.
1.10. “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council adopted by the European Commission Decision 2021/914 of 4 June 2021.
1.11. “Swiss Data Protection Laws” or “FADP” shall mean (i) Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”); (ii) The Ordinance on the Federal Act on Data Protection ("FODP"); (iii) any national data protection laws made under, pursuant to, replacing or succeeding and any legislation replacing or updating any of the foregoing.
1.12. “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved, or recognized by the Swiss Federal Data Protection and Information Commissioner.
1.13. “Shared Data” shall mean the Personal Data shared between the parties for the purpose of conducting the Services.
1.14. “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
1.15. “UK SCC” means where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK, as adopted, amended, or updated by the UK Information Commissioner Office (“ICO”), Parliament, or Secretary of State.
2. Roles and Obligations
2.1. The parties agree and acknowledge that both Decline Defense and the Merchant are acting as independent Controllers with respect to the Processing of the Shared Data. It is hereby clarified that in no event will the parties Process the Personal Data or Personal Information as joint Controllers. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the Data Protection Laws.
2.2. The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, each party may Process the Shared Data, for the purpose of providing or receiving the Services.
2.3. It is hereby agreed that in the event the Shared Data shall include Special Categories of Data or Sensitive Data, each party shall implement specific restrictions and safeguards applicable to Processing such data.
2.4. Each party shall maintain a publicly-accessible privacy policy that is available via a prominent link that satisfies transparency disclosure requirements of Data Protection Law, specifically in compliance with Article 13 and Article 14 of the GDPR. Each party shall ensure it has the lawful basis (as required under Data Protection Law) to Process the Personal Data.
2.5. For the purpose of the CCPA (and to the extent applicable), both the Merchant and Decline Defense are Businesses. Each party shall be individually and separately responsible for complying with the obligations under the CCPA.
3. Rights of the Data Subjects and Parties Cooperation Obligations
3.1. It is agreed that where either party receives a request from a Data Subject in respect to Shared Data Processed by the other party, the party receiving such request will direct the Data Subject to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request, if applicable.
3.2. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request or Supervisory Authorities, to the extent permitted under Data Protection Law.
3.3. Each party shall ensure, and assist the other party if needed, that the Personal Data Processed is accurate and up to date, by informing the other party without delay if it becomes aware that the Personal Data that it is Processing is inaccurate or has become outdated.
4. Security Measures and Security Incident
4.1. Each party shall implement industry-standard technical and organizational measures to protect the Shared Data and its security, confidentiality, and integrity, and make reasonable efforts to prevent Security Incidents.
4.2. In the event of any actual or suspected Security Incident associated with the other party’s Shared Data Processed, specifically with the Shared Data Processed for the purpose of operating the Services, the Merchant or Decline Defense (as applicable) shall notify the other party without delay, and not later than 48 hours, of any Security Incident and keep the other party informed with any updates or additional information it requires to comply with its obligations as an independent Controller.
4.3. Each party shall take actions required by Data Protection Laws and industry standards to prevent further Security Incidents.
4.4. The parties shall cooperate in good faith to agree and take applicable actions as may be necessary to mitigate or remedy the effects of the Security Incident and minimize any effects of and investigate any Security Incident and to identify its cause.
5. Data Transfer
5.1. Where the GDPR, UK GDPR, or the Swiss FADP are applicable, if the Processing of Personal Data by either party (or by such party’s Sub-Processor) includes the transfer of Personal Data (either directly or through an onward transfer) to a third-party country outside the EEA, the UK, and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Personal Data is in place.
5.2. As between the parties, if a party relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:
5.2.1. Transfer of Personal Data from the EEA is subject to the terms set forth in ANNEX I, ANNEX II, and ANNEX III.
5.2.2. Transfer of Personal Data from the UK is subject to the terms set forth in ANNEX IV.
5.2.3. Transfer of Personal Data from Switzerland is subject to the terms set forth in ANNEX V.
6. Termination
6.1. This DPA shall be effective as of the effective date of the Agreement and shall automatically be terminated upon the termination of the Agreement.
Annex I
Details of Personal Data (Controller to Controller)
A. List of Parties
- Data Exporter(s):
  - Name: EPITASIS MEDIA INC., DBA Decline Defense
  - Address: 703 S 240 W, AMERICAN FORK, UT 84003
  - Contact person’s name, position and contact details: DPO, info@Decline Defense.co
  - Activities relevant to the data transferred under these Clauses: Services under the Agreement
  - Role (controller/processor): Controller
- Data importer(s):
  - Name: Merchant
  - Address: As detailed in the Merchant Agreement.
  - Contact person’s name, position and contact details: As provided by the Merchant through the Merchant Agreement.
  - Activities relevant to the data transferred under these Clauses: Services under the Agreement.
  - Role (controller/processor): Controller
B. Description of Processing and Transfer
- Categories of data subjects whose Controller Personal Data is transferred and processed: Merchant’s Customers (as defined in the Agreement)
- Categories of personal data transferred or processed:
  - Merchant Customers:
    - Contact information, including: full name, email address, billing address, phone number.
    - Date and place of birth, if applicable.
    - Payment and repayment transaction information (including card number, expiry date, error or confirmation codes, credit card holder).
    - Credit score and credit bureau information.
    - If applicable, banking information.
    - Transactions and history.
- Sensitive data transferred or processed (if applicable) and applied restrictions or safeguards: N.A.
- The frequency of the transfer: One-off
- Nature of the processing and transferring: To provide the Services and process the Transaction.
- Purpose(s) of the data transfer and purpose of processing and further Processing: Providing the Service to the Merchant and processing the payment for the Customer.
- The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: As needed to provide the Service, or as a controller, as each party determines required for other purposes and means, or as required by law.
C. Competent Supervisory Authority for the Purpose of Article 13 of the Standard Contractual Clauses
- Identify the competent supervisory authority/ies: based on the Merchant’s establishment in the EEA.