FOR CUSTOMER CARE CALL +1-833-656-0781 OR EMAIL sales@declinedefense.com

US Data Processing

Decline Defense US Data Processing Agreement

U.S. Data Processing Agreement (U.S. DPA)

This U.S. Data Processing Agreement (“U.S. DPA”) is governed by and hereby attached to the Merchant Terms and Conditions (“Agreement”) executed by and between Merchant and EPITASIS MEDIA INC., doing business as Decline Defense (“Decline Defense”). This U.S. DPA supplements the Agreement, inclusive of all exhibits, addenda, statements of work, work orders, and similar documents entered into by the parties pursuant to such Agreement with regard to the Processing of Personal Data (as such terms are defined below) in the United States. Capitalized terms used but not defined in this U.S. DPA shall have the meanings assigned to them in the Agreement or under U.S. Data Protection Laws. In the event of a conflict between this U.S. DPA and the Agreement, this U.S. DPA shall prevail as to the subject matter of conflict.

1. Definitions

1.1. The terms “Business,” “Business Purpose,” “Consumer,” “Controller,” “Personal Data,” “Personal Information,” “Processing” or “Processor,” “Service Provider,” “Sale,” “Sell” and “Share,” shall all have the same meanings as ascribed to them under the U.S. Data Protection Laws. “Personal Data” shall include “Personal Information” under this U.S. DPA, and a “Controller” shall include a “Business” and a “Processor” shall include and refer to a “Service Provider” under this U.S. DPA.

1.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. §§ 1798.100 et. seq., and its implementing regulations, as may be amended from time to time, including by the California Privacy Rights Act ("CPRA”).

1.3. “CPA” means the Colorado Privacy Act C.R.S.A. § 6-1-1301 et seq. (SB 21-190), including any implementing regulations and amendments.

1.4. “CTDPA” means the Connecticut Data Privacy and Online Monitoring Act, S.B. 6 (Connecticut 2022), including any implementing regulations and amendments thereto.

1.5. “Customer Data” means the Personal Data related to the Customer Data (as defined in the Agreement) shared and processed by the parties under the Agreement.

1.6. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.7. "US Data Protection Laws" means any U.S. federal and state privacy laws effective as of the Effective Date of this U.S. DPA, and any implementing regulations and amendments thereto, including without limitation, the CCPA, the CPA, the CTDPA, the VCDPA, and the UCPA.

1.8. “UCPA” means the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.

1.9. “VCDPA” means the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), including any implementing regulations and amendments thereto.

2. Roles​; Compliance with Laws

2.1. With respect to the Processing of Customer Data, the parties agree and acknowledge that Merchant is the Business or a Controller, and Decline Defense is the Service Provider or Processor. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the U.S. Data Protection Laws.

2.2. The subject matter, duration, nature and purpose of the Processing, types of Personal Data Processed, and categories of Data Subjects are as described in Annex I.

3. Representations and Warranties

3.1. Decline Defense shall process the Customer Data only on behalf of and under the instructions of the Merchant, for the limited Business Purpose outlined under Annex I, in accordance with U.S. Data Protection Laws and shall not: (i) Sell Customer Data or otherwise make Customer Data available to any third party for monetary or other valuable consideration; (ii) Share Customer Data with any third party for cross-context behavioral advertising; (iii) retain, use, or disclose the Customer Data for any purpose other than for a Business Purpose or as specified in the Agreement; (iv) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another merchant, or collects independently. Without limiting the foregoing, Decline Defense will notify Merchant if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Decline Defense hereby certifies that it understands the restrictions in the applicable Data Protection Laws and will comply with them.

4. Consumer Requests

4.1. Decline Defense shall provide assistance and procure that its Sub-Processor (as defined below) will provide assistance, as Merchant may reasonably request, where and to the extent applicable, in connection with any obligation by Merchant to respond to Consumer’s requests for exercising their rights under the U.S. Data Protection Laws. Including without limitation, by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Merchant’s respective obligation.

5. Sub-Processors

5.1. The Merchant acknowledges that Decline Defense may transfer Customer Data to and otherwise interact with third-party sub-processors or sub-contractors (“Sub-Processor”). The Merchant hereby authorizes Decline Defense to engage and appoint such Sub-Processors already engaged by Decline Defense to Process Customer Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf, and to engage an additional or replace an existing Sub-Processor to Process Customer Data, subject to the provision of a thirty (30) days prior notice of its intention to do so to the Merchant. In case the Merchant has not objected to the adding or replacing of a Sub-Processor within such notice period, such Sub-Processor shall be deemed approved by the Merchant. In the event the Merchant objects to the adding or replacing of a Sub-Processor, within such notice period, Decline Defense may, under Decline Defense’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.

6. Data Protection Assessments

6.1. Upon Merchant’s reasonable request, Decline Defense will make available such information in Decline Defense’s possession as reasonably necessary for Merchant to conduct and document data protection assessments in accordance with Data Protection Laws. The Merchant will have the right to: (i) take reasonable and appropriate steps to help ensure that Decline Defense uses Customer Data in a manner consistent with Decline Defense’s obligations under this U.S. DPA and as required by U.S. Data Protection Laws; and (ii) upon reasonable prior written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of such Customer Data under and as required by applicable U.S. Data Protection Laws.

7. Audit

7.1. Decline Defense shall maintain accurate written records of any and all the Processing activities of any Customer Data carried out under this U.S. DPA and shall make such records available to the Merchant upon written request. Such records provided shall be considered Decline Defense’s Confidential Information and shall be subject to confidentiality obligations.

7.2. Alternatively, in the event the records and documentation provided subject to Section 7.1 above are not sufficient for the purpose of demonstrating compliance, Decline Defense shall make available, solely upon prior reasonable written notice and no more than once per calendar year, to a reputable auditor nominated by the Merchant or by Decline Defense, information necessary to reasonably demonstrate compliance with this U.S. DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Decline Defense may object to an auditor appointed by the Merchant in the event Decline Defense reasonably believes the auditor is not suitably qualified or is a competitor of Decline Defense. The Merchant shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Decline Defense’s premises, equipment, personnel, and business while its personnel are on those premises in the course of such Audit.

7.3. ​Nothing in this U.S. DPA will require Decline Defense to either disclose to the Merchant or its third-party auditor, or to allow the Merchant or its third-party auditor to access: (i) any data of any other Decline Defense’s merchant; (ii) Decline Defense’s internal accounting or financial information; (iii) any trade secret of Decline Defense or its affiliates; (iv) any information that, in Decline Defense’s reasonable opinion, could compromise the security of any Decline Defense’s systems or cause any breach of its obligations under applicable law or its security or privacy obligations to any third party; or (v) any information that the Merchant or its third-party auditor seeks to access for any reason other than the good faith fulfillment of the Merchant’s obligations under the U.S. Data Protection Laws.

8. Certification

8.1. Decline Defense certifies that it understands the rules, requirements, and definitions of the CCPA and agrees to refrain from Selling or Sharing Personal Information. Decline Defense acknowledges and confirms that it does not receive any monetary goods, payments, or discounts in exchange for processing the Personal Information for a Business Purpose or as specified in the Agreement.

9. Data Security

9.1. Decline Defense shall implement and maintain reasonable security procedures, practices, and controls, as may be appropriate based on the nature of the information, designed to protect Customer Data from unauthorized access, disclosure, or destruction. Decline Defense will provide the notifications and assistance to the Merchant as required by the data breach provisions under the U.S. Data Protection Laws.

10. Term and Termination

10.1. This U.S. DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates or as long as Decline Defense Processes Customer Data.

10.2. Decline Defense shall be entitled to terminate this U.S. DPA or cease the Processing of Customer Data in the event that Processing of Customer Data under the Merchant’s instructions or this U.S. DPA infringes applicable legal requirements, provided the Merchant did not cure such infringement within ten (10) days from receiving applicable notice from Decline Defense. Alternatively, Decline Defense may, in its sole discretion, suspend the Processing of the Customer Data until such infringement is cured without terminating the U.S. DPA.

10.3. Following the termination of this U.S. DPA, Decline Defense shall, at the choice of the Merchant, delete all Customer Data Processed on behalf of the Merchant and certify to the Merchant that it has done so, or return all Customer Data to the Merchant and delete existing copies, unless applicable law or regulatory requirements require that Decline Defense continue to store Customer Data. Until the Customer Data is deleted or returned, the parties shall continue to ensure compliance with this U.S. DPA. The Merchant’s choice shall be provided in writing to Decline Defense, following the effect of termination.

Annex I

Details of Personal Data (Controller to Controller)

  • Type of Customer: Merchant’s Customers (as defined in the Agreement).

  • Type of Personal Data:

    • Contact information, including: full name, email address, billing address, phone number.
    • Date and place of birth, if applicable.
    • Payment and repayment transaction information (including card number, expiry date, error or confirmation codes, credit card holder).
    • Credit score and credit bureau information.
    • If applicable, banking information.
    • Transactions and history.
  • Nature and Purpose of Processing: Providing the Services as defined in the Agreement, including by transmitting, accessing, hosting, disclosing, and sharing.

  • Duration of Processing: For as long as is necessary to provide the Service by Decline Defense; provided there is no legal obligation to retain the Customer Data past termination or unless otherwise requested by the Merchant.