Data Processing Agreement
Last updated: November 3, 2025
This Data Processing Agreement ("DPA") is entered into between you ("Controller") and SaveCash Technology, Inc. ("Processor" or "SaveCash") and governs how SaveCash processes personal data on your behalf. This DPA forms part of and supplements the SaveCash Services Agreement or other agreement between you and SaveCash governing your use of our Services (collectively, the "Principal Agreement").
This DPA applies whenever SaveCash acts as a processor or sub-processor of personal data in connection with the Services. Capitalized terms not defined in this DPA shall have the meanings set forth in the Principal Agreement.
1. Definitions
For purposes of this DPA, the following terms shall have the meanings set forth below:
- "Controller" means the entity that determines the purposes and means of the processing of personal data.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "EU Data Protection Law" means the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and any applicable national implementing legislation.
- "Personal Data" means any information relating to a Data Subject that is processed by SaveCash on your behalf in connection with the Services.
- "Processing" means any operation performed on Personal Data, such as collection, recording, storage, adaptation, disclosure, erasure, or destruction.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
- "Sub-processor" means any third party engaged by SaveCash to process Personal Data on your behalf.
2. Scope and Applicability
This DPA applies to all Processing of Personal Data by SaveCash in connection with the Services. The subject matter, duration, nature and purpose of Processing, types of Personal Data, and categories of Data Subjects are described in Annex A to this DPA (or, if not specified in Annex A, as set forth in the Principal Agreement).
This DPA is supplemental to and shall not replace any existing obligations between the parties. In the event of any conflict between this DPA and the Principal Agreement regarding data protection, this DPA shall prevail to the extent of such conflict.
3. Processing of Personal Data
SaveCash agrees to Process Personal Data only on your documented instructions, which include the Principal Agreement and any authorized use of the Services. You instruct SaveCash to Process Personal Data to:
- Provide, maintain, and improve the Services as described in the Principal Agreement
- Process payment transactions and related financial services
- Comply with applicable laws, regulations, and card network rules
- Detect and prevent fraud, abuse, and security threats
- Respond to your requests and provide customer support
- Generate reports, analytics, and insights as enabled by the Services
- Perform any other functions reasonably necessary to provide the Services
SaveCash will not Process Personal Data for any purpose other than those specified in this section without your prior written consent, except where required by applicable law. If SaveCash is required by law to Process Personal Data for a different purpose, SaveCash will inform you of this legal requirement before Processing, unless such disclosure is prohibited by applicable law.
4. Data Subject Rights
SaveCash will assist you in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Law, including:
4.1 Rights Under GDPR
- Right of Access: Data Subjects may request copies of their Personal Data
- Right to Rectification: Data Subjects may request correction of inaccurate Personal Data
- Right to Erasure: Data Subjects may request deletion of their Personal Data in certain circumstances
- Right to Restrict Processing: Data Subjects may request that Processing be limited
- Right to Data Portability: Data Subjects may receive their Personal Data in a structured, machine-readable format
- Right to Object: Data Subjects may object to certain types of Processing
- Rights Related to Automated Decision-Making: Data Subjects may request human review of automated decisions
4.2 Assistance Obligations
Upon your written request, SaveCash will provide reasonable assistance to enable you to respond to Data Subject requests, including:
- Accessing and retrieving Personal Data from our systems
- Correcting or deleting Personal Data as instructed
- Providing Personal Data in a portable format
- Restricting Processing upon your request
- Responding to inquiries about our security measures
SaveCash may charge reasonable fees for excessive or repetitive requests, in accordance with applicable law. SaveCash may also refuse to act on instructions that, in SaveCash's reasonable opinion, infringe applicable Data Protection Law.
5. Security Measures
SaveCash implements and maintains comprehensive technical and organizational security measures designed to protect Personal Data against Security Incidents. These measures include:
5.1 Technical Safeguards
- Encryption of Personal Data both in transit and at rest using industry-standard encryption algorithms (AES-256, TLS 1.3)
- Access controls requiring authentication and authorization for all systems and databases containing Personal Data
- Multi-factor authentication for all personnel with access to Personal Data
- Regular security assessments, penetration testing, and vulnerability scans
- Network segmentation and firewall protections
- Intrusion detection and prevention systems
- Secure backup and disaster recovery procedures
- Regular patching and updates of all systems and software
- Secure software development lifecycle (SDLC) practices
- Code reviews and security testing of all software changes
5.2 Organizational Safeguards
- Confidentiality agreements with all personnel who have access to Personal Data
- Regular security awareness and training programs for all employees
- Role-based access controls limiting access to Personal Data on a need-to-know basis
- Background checks for personnel with access to Personal Data
- Incident response and business continuity plans
- Regular audits and assessments of security measures
- Information security policies and procedures
- Physical security controls at all data center facilities
5.3 Compliance Certifications
SaveCash is committed to obtaining and maintaining the following certifications and attestations, which you may rely upon as evidence of our security measures:
- Level 1 PCI DSS certification (highest level of payment card security certification)
- ISO/IEC 27001 certification for information security management systems
- ISO/IEC 27018 certification for protection of personally identifiable information in public clouds
- SOC 2 Type II attestations for security, availability, confidentiality, and processing integrity
- Regular third-party security audits and assessments
6. Security Incidents
If SaveCash becomes aware of a Security Incident affecting Personal Data Processed on your behalf, SaveCash will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the Security Incident
- Provide you with sufficient information to allow you to meet any obligations to notify Data Subjects or supervisory authorities
- Investigate the Security Incident and provide you with updates as they become available
- Take appropriate remedial measures to mitigate the effects of the Security Incident
- Cooperate with you and any supervisory authorities in investigating and addressing the Security Incident
SaveCash's notification obligation does not apply to Security Incidents that are caused by you or your systems, or that do not present a real risk of harm to Data Subjects. SaveCash's determination of whether a Security Incident presents a real risk of harm is final and binding.
7. Sub-processors
You acknowledge and agree that SaveCash may engage Sub-processors to Process Personal Data in connection with the Services. SaveCash will maintain a list of current Sub-processors, which will be available upon request at privacy.savecash@gmail.com. SaveCash will:
- Enter into written agreements with all Sub-processors containing data protection obligations substantially similar to those in this DPA
- Remain fully liable for the acts and omissions of Sub-processors
- Notify you of any intended changes to Sub-processors with reasonable prior notice
- Allow you to object to proposed Sub-processor changes on reasonable grounds within 30 days of notification
- Assess the security and privacy practices of Sub-processors on a regular basis
7.1 Sub-processor Categories
SaveCash may engage Sub-processors in the following categories:
- Cloud Infrastructure: Hosting and storage services (AWS, Google Cloud Platform, Azure)
- Payment Processing: Card networks, acquiring banks, and payment processors
- Communication Services: Email delivery, SMS messaging, customer support platforms
- Analytics and Monitoring: Performance monitoring, error tracking, analytics services
- Security Services: Fraud detection, identity verification, threat intelligence
- Compliance Services: KYC/AML screening, regulatory reporting, audit services
8. Data Retention and Deletion
SaveCash will retain Personal Data only for as long as necessary to provide the Services or as required by applicable law. Unless otherwise required by law or legal process, SaveCash will delete Personal Data:
- Upon termination of the Services and after any applicable retention period
- Upon your written request to delete specific Personal Data
- In accordance with your data retention policies communicated to SaveCash
- As required by applicable law or legal process
8.1 Retention Requirements
Certain Personal Data may need to be retained longer due to legal, regulatory, or compliance obligations, including:
- Transaction records required by financial regulations (typically 7 years)
- Tax and accounting records required by tax authorities
- Fraud prevention and AML compliance records
- Legal hold requirements for pending litigation or investigations
- Backup and disaster recovery archives
8.2 Secure Deletion
When deleting Personal Data, SaveCash will use secure deletion methods that render the data irrecoverable, including:
- Overwriting storage media with random data multiple times
- Degaussing and physical destruction of storage media when appropriate
- Verification that deletion has been successful
- Deletion from all backup and archival systems
9. Audit Rights
SaveCash shall make available to you, upon reasonable written request, information necessary to demonstrate compliance with this DPA. This may include:
- Copies of relevant security policies and procedures
- Summary reports of security assessments and audits
- Certification and attestation reports (SOC 2, ISO 27001, etc.)
- Sub-processor lists and due diligence documentation
- Incident response reports (subject to confidentiality restrictions)
9.1 On-Site Audits
If the information provided is not sufficient to demonstrate compliance, you may request to conduct an on-site audit of SaveCash's facilities and systems. Such audits are subject to the following conditions:
- Audits must be conducted during normal business hours
- You must provide at least 60 days' advance written notice
- Audits must be conducted by qualified third-party auditors acceptable to SaveCash
- Audits must not unreasonably interfere with SaveCash's business operations
- Auditors must sign SaveCash's standard confidentiality agreement
- You bear all costs of such audits
- Audits are limited to once per calendar year unless required by law or regulation
10. International Data Transfers
To provide the Services, SaveCash may transfer Personal Data across international borders. SaveCash ensures such transfers are conducted in compliance with applicable Data Protection Law through appropriate safeguards, including:
10.1 Transfer Mechanisms
- Standard Contractual Clauses (SCCs): European Commission-approved contracts for data transfers from the EEA to third countries
- Adequacy Decisions: Transfers to countries determined by regulators to provide adequate data protection
- Binding Corporate Rules (BCRs): Internal codes of conduct approved by supervisory authorities
- Derogations: Where appropriate, reliance on GDPR Article 49 derogations for specific situations
10.2 Supplementary Measures
SaveCash implements supplementary technical and organizational measures to ensure transferred Personal Data receives a level of protection essentially equivalent to that required by GDPR, including:
- Encryption of Personal Data in transit and at rest
- Access controls and pseudonymization where appropriate
- Regular risk assessments of transfer destinations
- Transparency reports about government access requests
- Challenges to government access requests where legally permissible
Details of SaveCash's international data transfer practices are set forth in our Data Transfers Addendum, which is incorporated into this DPA by reference.
11. Compliance Cooperation
SaveCash will reasonably cooperate with you in responding to inquiries from supervisory authorities and regulators regarding the Processing of Personal Data under this DPA. This includes:
- Providing information about our data protection practices
- Submitting to inspections and audits by supervisory authorities
- Participating in investigations and enforcement proceedings
- Providing evidence of compliance with applicable Data Protection Law
- Coordinating responses to supervisory authority inquiries
SaveCash will inform you promptly if it receives any inquiry, inspection, or complaint from a supervisory authority regarding the Processing of Personal Data under this DPA, unless prohibited from doing so by applicable law.
12. Data Protection Impact Assessments
Where required by applicable Data Protection Law, SaveCash will reasonably cooperate with you in conducting Data Protection Impact Assessments ("DPIAs"). SaveCash will:
- Provide information about our Processing activities relevant to the DPIA
- Provide information about our security measures and safeguards
- Participate in discussions regarding potential risks and mitigations
- Implement agreed-upon mitigating measures where feasible
13. Liability and Indemnification
Each party will indemnify the other against third-party claims to the extent caused by that party's breach of this DPA. SaveCash's total liability for all claims arising under this DPA shall not exceed the limitation of liability set forth in the Principal Agreement.
Neither party shall be liable for any indirect, special, incidental, or consequential damages arising under or in connection with this DPA, except to the extent required by mandatory applicable law.
14. Term and Termination
This DPA takes effect upon the effective date of the Principal Agreement and continues in effect until the termination of the Principal Agreement or until all Personal Data has been deleted from SaveCash's systems, whichever is later.
Upon termination of this DPA, SaveCash will return or delete all Personal Data in accordance with Section 8, except where applicable law or retention obligations require continued storage.
15. General Provisions
This DPA is subject to the governing law and dispute resolution provisions set forth in the Principal Agreement. Any modification to this DPA must be in writing and signed by both parties. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
This DPA does not create any third-party rights. The parties to the Principal Agreement are the sole beneficiaries of this DPA.
16. Contact Information
For questions about this DPA, please contact us at:
Email: privacy.savecash@gmail.com
Data Protection Officer: privacy.savecash@gmail.com