Last Updated: February 25, 2025
FINLOOP SOLUTIONS DATA PROCESSING ADDENDUM
This Data Processing Addendum ("DPA" or "Addendum") is incorporated by reference into the Terms of Service or any other applicable agreement ("Agreement") between the parties concerning the use of applications ("Apps") and other services (collectively, the "Services"). This Addendum is entered into by and between FINLOOP SOLUTIONS LLC, a USA-based provider of the Services, and the customer ("Customer") who is party to the Agreement.
For clarity, FINLOOP SOLUTIONS and the Customer are each referred to as a "Party" and collectively as the "Parties." In the event of a conflict between this DPA and any other agreement between the Parties, this DPA shall take precedence and govern the handling of Personal Information, but only with respect to the subject matter covered by this Addendum.
Definitions
For the purposes of this Addendum:
"Data Privacy Laws": Refers to all applicable laws, regulations, and self-regulatory requirements in any jurisdiction related to privacy, data protection, data security, breach notification, or the Processing of Personal Information. This includes, but is not limited to, the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq., the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, the United Kingdom Data Protection Act (2018) (UK GDPR), and the Swiss Federal Act on Data Protection (Swiss FADP). For clarity, if FINLOOP SOLUTIONS’s Processing activities involving Personal Information do not fall within the scope of a specific Data Privacy Law, such law shall not apply for the purposes of this Addendum.
"Consumer": Refers to an identified or identifiable natural person to whom Personal Information relates.
"Personal Information": Includes “personal data,” “personal information,” “personally identifiable information,” and similar terms as defined under applicable Data Privacy Laws. This may include, but is not limited to, names, email addresses, IP addresses, and other unique identifiers.
"Process" and "Processing": Refer to any operation or set of operations performed on Personal Information, whether or not by automated means. This includes, but is not limited to, collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Security Breach": Refers to any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure, or access to Personal Information.
"Standard Contractual Clauses": Refers to one or both of the following, depending on the applicable legal context:
For Personal Information subject to UK Data Protection Law, this refers to the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers under UK GDPR.
For Personal Information subject to GDPR or the Swiss FADP, this refers to the 2021 Standard Contractual Clauses issued under the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to GDPR.
Scope and Purposes of Processing
FINLOOP SOLUTIONS will Process Personal Information solely for the following purposes:
To fulfill its obligations to the Customer under the Agreement, including this Addendum.
Pursuant to the Customer’s instructions.
In compliance with applicable Data Privacy Laws.
FINLOOP SOLUTIONS ensures that all Processing activities are strictly limited to what is necessary to deliver its Services, including but not limited to:
Providing tailored user support.
Facilitating essential functionality.
Enhancing overall user experience.
Complying with legal and regulatory obligations.
Improving operational efficiency.
If FINLOOP SOLUTIONS reasonably believes that any instruction from the Customer violates applicable data protection regulations, it must promptly inform the Customer in its capacity as the Controller.
CCPA Acknowledgment
The Parties acknowledge and agree that FINLOOP SOLUTIONS acts as a service provider for the purposes of the California Consumer Privacy Act (CCPA). FINLOOP SOLUTIONS certifies that it understands and complies with the rules, restrictions, requirements, and definitions set forth in the CCPA.
To ensure compliance, FINLOOP SOLUTIONS implements:
Robust internal policies aligned with CCPA requirements.
Regular audits to assess and maintain compliance.
Employee training programs specifically addressing CCPA obligations.
Ongoing regulatory monitoring to stay aligned with CCPA standards.
Furthermore, FINLOOP SOLUTIONS agrees to refrain from any action that would qualify the transfer of Personal Information to or from FINLOOP SOLUTIONS as a sale of Personal Information under the CCPA.
Personal Information Processing Requirements
FINLOOP SOLUTIONS will ensure compliance with the following obligations:
1. Confidentiality Obligations
Ensure that all personnel authorized to Process Personal Information are committed to maintaining confidentiality or are bound by an appropriate statutory obligation of confidentiality.
2. Assistance with Consumer Requests
Assist the Customer in fulfilling their obligations to respond to verifiable requests from Consumers (or their lawful representatives) exercising their rights under applicable Data Privacy Laws.
This includes, but is not limited to, rights to:
Access Personal Information.
Correct inaccuracies.
Delete Personal Information.
Restrict the Processing of Personal Information.
3. Notification of Complaints or Requests
Promptly notify the Customer of:
Any third-party or Consumer complaints regarding the Processing of Personal Information.
Any government or Consumer requests for access to or information about FINLOOP SOLUTIONS’s Processing of Personal Information on the Customer’s behalf, unless prohibited by applicable Data Privacy Laws.
4. Cooperation and Assistance
Provide the Customer with reasonable cooperation and assistance in addressing complaints or requests to ensure compliance with applicable legal and regulatory requirements.
This includes, but is not limited to:
Maintaining records of Processing activities.
Conducting Data Protection Impact Assessments (DPIAs), where required.
Data Security
FINLOOP SOLUTIONS will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Information, as detailed in Exhibit A. For specific safeguards employed by FINLOOP SOLUTIONS, please refer directly to Exhibit A.
These security measures are designed to protect against unauthorized access, disclosure, alteration, or destruction of Personal Information.
Security Breach
In the event of a Security Breach involving Personal Information, FINLOOP SOLUTIONS will:
1. Notification
Notify the Customer without undue delay after discovering the Security Breach.
2. Mitigation Steps
Take all necessary and reasonable steps to mitigate the effects of the Security Breach.
Reduce risks to Consumers whose Personal Information has been affected.
3. Information Provided
To the extent known, FINLOOP SOLUTIONS will provide the Customer with:
The nature of the Security Breach, including, if possible, how it occurred.
The categories and approximate number of Consumers affected.
The categories and approximate number of Personal Information records involved.
The likely consequences of the Security Breach.
The measures taken or proposed by FINLOOP SOLUTIONS to address the breach, including steps to mitigate potential adverse effects.
Subcontractors
The Customer acknowledges and agrees that FINLOOP SOLUTIONS may use affiliates and other subcontractors ("Subprocessors") to Process Personal Information in accordance with this Addendum and applicable Data Privacy Laws.
Where FINLOOP SOLUTIONS subcontracts any of its rights or obligations related to Personal Information, including to affiliates, it will take reasonable steps to select and retain Subprocessors that are capable of maintaining privacy and security measures consistent with applicable Data Privacy Laws.
Use of Subprocessors
FINLOOP SOLUTIONS engages third-party service providers (Subprocessors) to assist in delivering its Services, including:
Hosting and cloud storage
Email communications
Analytics
Customer support
These Subprocessors process Personal Information on behalf of FINLOOP SOLUTIONS in compliance with applicable data protection regulations.
Subprocessor List and Customer Rights
An up-to-date list of Subprocessors, including their categories and purposes, is available upon request.
Customers may obtain the most recent list by contacting FINLOOP SOLUTIONS via the Customer Support Portal or by submitting a written request to privacy@finloop-solutions.com.
Objections to Subprocessors
If the Customer objects to the use of a new Subprocessor on reasonable data protection grounds, FINLOOP SOLUTIONS will:
Avoid transferring Personal Information to the new Subprocessor.
Use reasonable efforts to provide a commercially feasible alternative for the affected Services.
If no satisfactory alternative is available, allow the Customer to terminate the Agreement for convenience by providing written notice at the end of the thirty (30)-day notice period. In such cases, FINLOOP SOLUTIONS will provide a pro-rata refund of any prepaid amounts for the affected Services.
Data Transfers
The Customer authorizes FINLOOP SOLUTIONS to transfer Personal Information internationally only if such transfers comply with applicable Data Privacy Laws governing cross-border data transfers. This includes, but is not limited to, ensuring compliance with GDPR and UK GDPR requirements for adequate protection through measures such as Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.
Right to Audit
The Customer has the right to audit FINLOOP SOLUTIONS to verify compliance with this Agreement and applicable data protection laws.
Audits may include inspections of systems, policies, procedures, and records related to the Processing of Personal Information under this Agreement.
Audit Process
The Customer may appoint an independent third-party auditor, provided that the auditor is bound by confidentiality obligations no less stringent than those in this Agreement.
FINLOOP SOLUTIONS shall provide the necessary information, documentation, and reasonable access to systems and facilities required to verify compliance.
Audits must comply with FINLOOP SOLUTIONS’s confidentiality obligations and security policies.
Each Party shall bear its own costs associated with the audit unless the audit reveals material non-compliance, in which case FINLOOP SOLUTIONS shall bear the reasonable costs of the audit.
Data Retention and Deletion
Upon termination or expiration of the Services related to Processing, FINLOOP SOLUTIONS shall, at the Customer’s choice, either:
a) Delete all Personal Information processed on behalf of the Customer, or
b) Return all Personal Information to the Customer in a structured, commonly used, and machine-readable format.
Obligations After Data Deletion
FINLOOP SOLUTIONS shall delete all existing copies of Personal Information, unless applicable laws require retention due to legal or regulatory obligations.
If retention is required under Union law, Member State law, or due to FINLOOP SOLUTIONS’s legal status as a Data Controller, the company shall ensure the continued protection of the retained data in accordance with this Agreement and applicable data protection laws.
Upon request, FINLOOP SOLUTIONS shall provide the Customer with written confirmation of the deletion of Personal Information and any existing copies, unless legal obligations prevent such confirmation.
Annexes & Exhibits
The following sections provide a detailed overview of the technical safeguards, contractual commitments, and specific descriptions of processing activities to ensure clarity and compliance across all documented measures.
Annex I: List of Parties
Data Exporter
The Customer engaging FINLOOP SOLUTIONS for Services under this DPA.
Contact details: As outlined in the Agreement.
Data Importer
FINLOOP SOLUTIONS LLC, a USA-based provider of Services.
Contact Details:
Address: 3524 Silverside Road, Suite 35B, Wilmington, Delaware 19810, United States
Annex II: Technical & Organizational Measures
FINLOOP SOLUTIONS implements the following measures to safeguard Personal Information:
Encryption Protocols: All data transfers, whether internal or to subprocessors, are secured through industry-standard encryption, such as AES-256.
Access Control Policies: Strict access controls are enforced, requiring multi-factor authentication (MFA) for employees and contractors accessing sensitive data. Role-based access ensures only authorized personnel can perform specific tasks.
Regular Audits: FINLOOP SOLUTIONS conducts periodic security audits to proactively identify and mitigate risks.
Employee Training: All employees and contractors undergo regular training on data protection, privacy obligations, and secure handling of Personal Information.
Incident Response Plans: A predefined incident response plan is in place to swiftly manage potential breaches, including timely notification to affected parties and authorities.
Secure Storage: Data is stored on secure servers with redundancy systems to prevent loss. Physical access is tightly controlled.
Exhibit A: Data Security Measures
FINLOOP SOLUTIONS implements the following security measures to safeguard Personal Information:
Encryption Protocols: Uses AES-256 encryption for data transfer and storage to prevent unauthorized access.
Access Control Policies: Enforces multi-factor authentication (MFA) and role-based access control (RBAC) to limit access to Personal Information.
Regular Security Audits: Conducts periodic compliance audits, addressing vulnerabilities to strengthen security.
Employee and Contractor Training: Provides ongoing training on privacy obligations and secure data handling.
Physical Security Measures: Secures data centers and offices with biometric access controls, surveillance systems, and environmental safeguards.
Incident Response Plans: Maintains a detailed incident response protocol covering containment, investigation, and notification.
Secure Data Storage: Implements encrypted, redundant storage solutions with regular backups to ensure data integrity.
Subcontractor Security: Works only with subprocessors who demonstrate strong security practices and comply with FINLOOP SOLUTIONS’s security standards.
Disaster Recovery & Resilience: Maintains failover mechanisms, periodic recovery tests, and documented continuity strategies.
Threat Intelligence & Monitoring: Uses real-time monitoring tools and threat intelligence services to detect potential security threats.
Vendor Risk Management: Regularly assesses third-party vendors for compliance with data protection requirements.
Policy Updates: Reviews and updates security policies to reflect regulatory changes and emerging threats.
Effective Date