DATA PROCESSING AGREEMENT
In accordance with worldwide Regulation on personal data privacy and security, this Data
Processing Agreement ("Agreement") enters into force if and when the Services entail
processing of the User’s Personal Data and will form part of the Terms & Conditions for access
and use of DyzSocial Services. The terms used in this Agreement shall have the meanings set
forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning
given to them in the Terms & Conditions. Except as modified below, the terms of the Terms &
Conditions shall remain in full force and effect.
1. Definitions
1.1 In this Agreement, the following terms shall have the meanings set out below and cognate
terms shall be construed accordingly:
"Applicable Laws" means any national and international applicable law on privacy and
security with respect to all the Personal Data, in respect of which the Controller is subject to
any other Data Protection Laws;
"User" means any identified or identifiable natural person, who creates and account on the
DyzSocial platform and whose personal data are collected and processed;
"Controller" means DyzSocial, (or a sub-processor), on a case-by-case basis, which
determines the purpose and means of processing the Personal Data;
"Processor" means DyzSocial (or a sub-processor), on a case-by-case basis, which processes
Personal Data on behalf of the Controller;
"Personal Data" means any Personal Data Processed by a Processor on behalf of the
Controller pursuant to or in connection with the Terms & Conditions;
"Services" means the DyzSocial Services that will be supplied pursuant to the specifications
in the applicable Terms & Conditions and any subsequent specific Agreements;
"Sub-processor" means any third-party user or service provider, appointed by or on behalf of
the Processor to Process Personal Data on behalf of the Controller in connection with the Terms
& Conditions.
2. Preamble
2.1. The DyzSocial Services shall be subject to the Terms & Conditions available at
https://dyzsocial.com/. The User agrees to the use of data in accordance with DyzSocial’s
Privacy Policy.
2.2. DyzSocial will collect data from the User through the DyzSocial platform, and through
third-party KYC service providers. All data (including all text, sound, video, or image files) the
that DyzSocial collects from the User is considered “Platform Data.” DyzSocial may use the
User Platform Data for the purpose of providing, improving and adding new features to the
DyzSocial Services.
2.3. The Processor agrees that they will comply with all laws, rules, regulations, decrees,
statutes, or other enactments, orders, mandates or resolutions relating to data security, data
protection and/or privacy, and any implementing, derivative or related legislation, rule,
regulation, and regulatory guidance (“Data Protection Laws”), including providing legally
adequate privacy notices to Students. The User will ensure that Students consent to transfer and
use of data and information to DyzSocial in connection with User’s services and DyzSocial
Services, including but not limited to User names, passwords, other information relating to an
identified or identifiable natural person, and any other data or information that constitutes
personal data or personal information under any applicable Data Protection Law (“Personal
Data”).
2.4. Platform Data may be transferred to, and stored and processed in Canada, in the United
States, in the European Union, in India or any other country in which DyzSocial, its Affiliates
or its subcontractors operate. The User appoints DyzSocial to perform any such transfer of
Platform Data to any such country and to store and process personal data in order to provide
the DyzSocial Services.
2.5. California Consumer Privacy Act (the “CCPA” USA). DyzSocial will control and process
Platform Data including Personal Data within the scope of the CCPA on the User’s behalf and
not retain, use, or disclose that data for any purpose other than for the purposes set out in these
Terms and as permitted under the CCPA, including under any “sale” exemption. In no event
will DyzSocial sell any such Platform Data. These CCPA terms do not limit or reduce any data
protection commitments DyzSocial makes to the User in these Terms or any other agreement
between the User and DyzSocial.
2.6. Personal Data Protection Bill (the “PDPB” India). DyzSocial will control and process
Platform Data including Personal Data from its Data Principals, as defined by the DyzSocial
Privacy Policy within the scope of the PDPB on the User’s behalf as Data Fiduciary, and not
retain, use, or disclose that data for any purpose other than for the purposes expressly assumed
by both parties and as permitted under the PDPB. DyzSocial will never sell any such Platform
Data processed from its Data Principals. These PDPB terms will not limit or reduce,
nonetheless, any data protection commitments DyzSocial makes strictly to the User in the
Terms & Conditions or any other agreement between the User and DyzSocial.
3. The Background and Object of the Agreement
3.1. The User accepted the applicable Terms & Conditions when the User first accessed and/or
first used the DyzSocial Services. This Agreement comes into force if and when the User chose
to initiate the use of the DyzSocial Services. The Agreement is an appendix to the applicable
Terms & Conditions, it and does not imply any changes to the commercial terms between the
parties.
3.2. The object of this Agreement is to set out the rights and obligations pursuant to the
Applicable Laws on the Processing of Personal Data. This Agreement shall ensure that the
Personal Data regarding the Data Subjects and the Data Principals, as the case may be, are not
used in a non-compliant manner or compromised to un-authorized parties.
3.3. This Agreement governs the Processor’s handling of Personal Data on behalf of the
Controller, and it shall ensure that the Personal Data only are processed in compliance with
Applicable Laws and according to the Controller’s documented instructions.
3.4. In the case that the Controller processes special categories of Personal Data, this must
specifically be agreed upon with the Processor in advance of such Processing.
4. The Purpose of the Agreement
4.1. The Processor may process any Personal Data as a part of the collaboration, as set out in
the applicable Terms & Conditions.
4.2. In accordance with the Terms & Conditions, the DyzSocial Services are provided as a
decentralized, blockchain-based Software as a Service, and the Controller may choose to enter
and store Personal Data in the Services. The Controller has defined the purposes and has
ensured that the processing of the Personal Data is lawful before the Personal Data is entered
and stored in the Services.
4.3. The Personal Data that will be processed by the Processor, will be the information that the
Controller enters and stores on the systems that the Processor operates.
4.4. DyzSocial will not typically access the Personal Data, but the User specifically gives the
right to DyzSocial to access the User account and operate on its data, strictly whenever is
necessary, and for maintenance purposes. The Personal Data is only to be stored in the
Processor's operating environment and then it goes through the automatic processes in the
Services that are specified in the Terms & Conditions and other potential subsequent
Agreements. Where Personal Data are stored in the operating environment that is part of the
Processor’s Services, the Processor shall only monitor and provide support on the Services and
not process the Personal Data in any way other than what is stipulated in the Terms &
Conditions. If the Controller wants the Processor to carry out any other form of processing of
the Personal Data, the Controller must make the request by a written change order to the
Processor. Further/other processing of the Personal Data as a result of such a change order may
lead to increased costs for the Processor and must thus be covered by the Controller.
4.5. Where the Controller stores the Personal Data in their own operating environment, the
Processor will typically not be able to access the Personal Data unless the Controller provides
such access. The Processor shall only monitor and provide support on the Services and not
process the Personal Data in any way other than what is stipulated in the Terms & Conditions.
If the Controller wants the Processor to carry out any other form of processing of the Personal
Data, the Controller must make the request by a written change order to the Processor and then
provide access to the Personal Data. Further/other processing of the Personal Data as a result
of such a change order may lead to increased costs for the Processor and must thus be covered
by the Controller.
5. Specific Terms
5.1. The terms of this Section (the “Specific Terms”) apply to the extent the User account
includes information related to an identified or identifiable natural person that is subject to the
European Union General Data Protection Regulation (the “GDPR”), the US California
Consumer Privacy Act (the “CCPA”), or to the Indian Personal Data Protection Bill (the
“PDPB”). Lower case terms used, but not defined in these Terms, such as “personal data,”
“personal data breach,” “processing,” “controller,” “processor,” “subprocessor” and “data
subject,will have the same meaning as set forth in the Applicable Laws. These Specific Terms
do not apply where DyzSocial is a controller of the personal data of its customers.
5.2. Compliance with the Applicable Laws and Processing of Personal Data. Third-party and
DyzSocial agree to comply with all applicable provisions of the Applicable Laws. Third-party
agree they are the controller of personal data and DyzSocial is the processor of such personal
data, except when third-party acts as a controller or processor of personal data, in which case
DyzSocial is a processor or sub-processor. DyzSocial will process personal data only on the
User documented instructions. Third-party agrees that these Terms, any other written Service
Agreement with DyzSocial, and the use and configuration of features in the DyzSocial Services
are third-party’s complete and final documented instructions to DyzSocial for the processing of
personal data. In any instance where the data protection laws apply and third-party is a
processor, third-party warrants to DyzSocial that third-party’s instructions, including
appointment of DyzSocial as a processor or sub-processor, have been authorized by the relevant
controller.
5.3. Processing Details. Third-party and DyzSocial acknowledge and agree that:
a) the nature and purpose of the processing is to provide the DyzSocial Services pursuant to
these documented instructions;
b) the subject matter of the processing is limited to personal data within the scope of the GDPR,
CCPA and PDPB;
c) the duration of the processing shall be for the duration of third-party’s right to use the
DyzSocial Services and until all personal data are deleted, or returned in accordance with the
User’s instructions;
d) the types of personal data processed by the DyzSocial Services include those expressly
identified in GDPR, CCPA and PDPB;
e) the categories of data subjects (data principals) are Privately Contracted Armed Security
Personnel (PCASP) and their next of kin, employees, collaborators, and contractors;
f) DyzSocial will process and transfer the personal data only on these documented instructions,
unless required to do so by the Applicable Laws to which DyzSocial is subject; in such a case,
DyzSocial shall inform third-party of that legal requirement before processing (unless that law
prohibits such information on important grounds of public interest); and
g) DyzSocial and third-party will ensure that their personnel engaged in the processing of
personal data (i) will comply with subsection (f) herein and (ii) have committed to maintain the
confidentiality of any personal data, even after their engagement ends.
5.3. Data Subject Rights; Assistance with Requests. DyzSocial will make the personal data of
data subjects and data principals, as the case may be, available to the User and provide the User
the ability to fulfill data subject requests under the Applicable Laws, both in a manner consistent
with the functionality of the DyzSocial Services and DyzSocial’s role as a processor. DyzSocial
shall comply with third-party’s reasonable requests to assist with third-party’s response to such
a data subject request. If DyzSocial receives a request from third-party’s data subject or data
principal to exercise one or more of its rights under the Applicable Laws in connection with the
services for which DyzSocial is a data processor or sub-processor, DyzSocial will redirect the
data subject or data principal to make its request directly to third-party. Third-party will be
responsible for responding to any such request, including, where necessary, by using the
functionality of the DyzSocial Services.
5.4. Records of Processing Activities and Reasonable Assistance. DyzSocial shall maintain all
records required by the Applicable Laws and, to the extent applicable to the processing of
personal data on third-party’s behalf, make them available to third-party upon request.
DyzSocial will provide third-party reasonable assistance in compliance with the obligations
instituted by the Applicable Laws, taking into account the nature of the processing and the
information available to DyzSocial.
5.5. Data Security. Third-party and DyzSocial will implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk, including inter alia,
as appropriate:
a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and
organizational measures for ensuring the security of the processing.
DyzSocial’s security measures are being set forth in the DyzSocial Privacy Policy. The Privacy
Policy is available at www.dyzsocial.com, along with descriptions of the security controls in
place for the DyzSocial Services and other information the User may reasonably request
regarding DyzSocial security practices and policies. Third-party is responsible for making an
independent determination as to whether the technical and organizational measures for the
DyzSocial Services meets third-party’s requirements. Third-party acknowledges and agrees
that (taking into account the state of the art, the costs of implementation, and the nature, scope,
context and purposes of the processing personal data as well as the risks to individuals) the
security practices and policies implemented and maintained by DyzSocial provide a level of
security appropriate to the risk with respect to the User’s personal data. Third-party is
responsible for implementing and maintaining privacy protections and security measures for
components that third-party provides or control.
5.6. Notice and Controls on use of sub-processors. DyzSocial may hire third parties to provide
certain limited or ancillary services on its behalf. DyzSocial will provide third-party a list of
sub-processors upon request. Third-party consents to the engagement of these third parties and
DyzSocial Affiliates as sub-processors of personal data if such consent is required under law.
DyzSocial will inform the User of new sub-processors it engages. Third-party may object to
new sub-processors by providing written notice to DyzSocial that includes an explanation of
the grounds for objection.
DyzSocial is responsible for its sub-processor’s compliance with DyzSocial’s obligations under
the Applicable Laws. When engaging any sub-processor, DyzSocial will ensure via a written
contract that the sub-processor may access and use personal data only to deliver the services
DyzSocial has retained them to provide and is prohibited from using personal data for any other
purpose. DyzSocial will ensure that sub-processors are bound by written agreements that
require them to provide at least the level of data protection required of DyzSocial by this Data
Processing Agreement.
Consequently, third-party is responsible for its sub-processor’s compliance with DyzSocial’s
obligations under the Applicable Laws.
5.7. Personal Data Breach. DyzSocial shall notify third-party without undue delay after
becoming aware of a personal data breach. Such notification will include that information a
processor must provide to a controller under any applicable law to the extent such information
is reasonably available to DyzSocial.
DyzSocial shall make reasonable efforts to assist third-party in fulfilling its obligation to notify
the relevant supervisory authority and data subjects or data principals of a personal data breach.
5.8. Audit. DyzSocial will conduct in its sole discretion audits of its compliance with the
applicable data protection laws. Each audit will be performed by qualified, independent, third
party and/or internal security auditors at DyzSocial’s selection and expense. Each audit will
result in the generation of an audit report (“DyzSocial Audit Report”), which DyzSocial will
make available to third-party upon request. The DyzSocial Audit Report will be DyzSocial’s
Proprietary Information and will clearly disclose any material findings by the auditor.
DyzSocial will promptly remediate any reasonable issues raised in any DyzSocial Audit Report
to the satisfaction of the auditor.
5.9. Transfer of personal data. All transfers of personal data to a third country or an international
organization will be subject to appropriate safeguards as described in the Applicable Laws, and
such transfers and safeguards will be documented. DyzSocial agrees to notify third-party in the
event that it makes a determination that it can no longer meet its obligation to provide the same
level of protection as required.
5.10. Supplementation and Term. DyzSocial may modify or supplement this document, (a) if
required to do so by a supervisory authority or other government or regulatory entity, (b) if
necessary, to comply with applicable law, or (c) to adhere to an approved code of conduct or
certification mechanism approved or certified. Without prejudice to the Applicable Laws,
DyzSocial may from time to time provide additional information and detail about how it will
execute these Terms in its service-specific technical, privacy, or policy documentation. These
Terms become effective upon the later of (a) the start of enforcement of the or (b) The User’s
use of the DyzSocial Services.
6. Controller’s Obligations
6.1. The Controller shall provide the Processor with written instructions on the processing of
the Personal Data on behalf of the Controller, hereunder transferring the Personal Data to any
country or territory as reasonably necessary for the provision of the Services and consistent
with the Terms & Conditions and in accordance with Applicable Laws.
6.2. The Controller shall ensure that the processing of the Personal Data is lawful.
6.3. The Controller shall authorize the Processor to provide each sub-processor with the same
written instructions that the Processor has been provided with.
6.4. The Controller has provided the data subjects or the data principals with the necessary
information according to Applicable Laws; and it is the responsibility of the Controller to
collect any consents from the data subjects for the processing of Personal Data taking place in
accordance with the Terms & Conditions.
7. The Processor’s obligations
7.1. The Processor shall only process the Personal Data on behalf of the Controller and on
written instructions from the Controller, and for the sole purpose and to the extent necessary to
provide the Services, in accordance with the terms in this Agreement and Applicable Laws.
7.2. The Processor shall not process the Personal Data other than on the Controller’s
documented instructions unless Processing is required by Applicable Laws to which the
Processor is subject, in which case the Processor shall to the extent permitted by Applicable
Laws inform the Controller of that legal requirement before the relevant Processing of that
Personal Data.
7.3. The Processor does not have the right of use of the Personal Data, and may therefore not
process them for their own purposes under any circumstances.
7.4. The Processor has carried out the technical and organizational security measures in order
to protect the Personal Data from loss, misuse or un-authorized alternation or dissemination,
unauthorized access, or against other illegal processing. These measures represent a level of
security appropriate to the risks represented by the processing, taking into account the costs of
the implementation.
7.5. The Controller has, unless otherwise agreed or pursuant to Applicable Laws, the right to
access the Personal Data being processed and the systems used for this purpose. The Processor
shall provide necessary assistance for such access to be given.
7.6. The Processor is subject to confidentiality regarding the documentation and the Personal
Data for which it gains access to under this Agreement. This provision also applies after the
termination of this Agreement.
7.7. The Processor may freely choose where it geographically stores the Personal Data. The
Controller may at any time require information on where the Personal Data is stored.
8. Processor’s Personnel
8.1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent
or contractor of the Processor who is given access to the Personal Data.
8.2. The Processor shall ensure in each case that access is strictly limited to those individuals
who need to know/have access to the relevant Personal Data, as strictly necessary for the
purposes of the Terms & Conditions, and to comply with Applicable Laws in the context of
that individual's duties to the Processor.
8.3. The Processor shall ensure that all such individuals are subject to confidentiality
undertakings or professional or statutory obligations of confidentiality. The obligations of
confidentiality will survive the termination of the personnel engagement.
9. Security
9.1. Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of Processing as well as the risk of varying likelihood and severity for the
rights and freedoms of natural persons, the Processor shall in relation to the Personal Data
implement appropriate technical and organizational measures to ensure a level of security
appropriate to that risk.
9.2. In assessing the appropriate level of security, the Processor shall take account of the risks
that are presented by Processing, in particular from a Personal Data Breach.
9.3. The Controller confirms that the Processor has provided sufficient guarantees that they will
implement appropriate technical and organizational measures that ensure that the processing
meets the requirements of Applicable Laws, hereunder the protection of the data subjects’
rights.
9.4. The Controller confirms to have assessed any security measures specifically stated in the
Terms & Conditions and thus accepted by the Controller, and the Controller is responsible (as
between the parties and to data subjects and supervisory authorities) if those measures in
themselves do not meet the Applicable Laws.
10. Sub-processing
10.1. The Controller authorizes the Processor to appoint sub-processors in accordance with this
section and any restrictions in the Terms & Conditions.
10.2. The Processor may continue to use those sub-processors already engaged by the Processor
as of the date this Agreement enters into force, subject to the Processor in each case as soon as
practicable meeting the obligations set out in section 10.4.
10.3. The Processor shall give the Controller prior written notice of the appointment of any new
sub-processor, including full details of the Processing to be undertaken by the sub-processor.
If, within 2 weeks of receipt of that notice, the Controller notifies the Processor in writing of
any objections (on reasonable grounds) to the proposed appointment, the Processor shall not
appoint (or disclose any Personal Data to) that proposed sub-processor until reasonable steps
have been taken to address the objections raised by the Controller, and the Controller has been
provided with a reasonable written explanation of the steps taken.
10.4. The Processor is responsible for the Sub-processor’s performance in regards of the
processing of Personal Data.
10.5. With respect to each sub-processor, the Processor shall:
before the sub-processor’s first processing of the Personal Data (or, where relevant),
ensure that the sub-processor does not process Personal Data covered by this Agreement
in any way that is not necessary for the performance of the Services, and that the
Personal Data is not given to anyone else without this being specified in this Agreement
or is permitted by the Controller in a prior written notice;
ensure that the arrangement between the Processor and the sub-processor, is governed
by a written contract including terms which offer at least the same level of protection
for the Personal Data as those set out in this Agreement and meet the requirements of
Applicable Laws; and
provide to the Controller for review such copies of the Processors' agreements with sub-
processors (which may be redacted to remove confidential commercial information not
relevant to the requirements of this Agreement) as the Controller may request from time
to time.
11. Deletion or return of the Personal Data
11.1. Subject to sections 11.2. and 11.3. the Processor shall as soon as possible and within 4
weeks of the date of cessation of any Services involving the Processing of the Personal Data
(the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data.
11.2. Subject to section 8.3., the Controller may in its absolute discretion by written notice to
the Processor within 1 week of the Cessation Date require the Processor to (a) return a complete
copy of all of the Personal Data to the Controller; and (b) delete and procure the deletion of all
other copies of the Personal Data Processed by the Processor. The Processor shall comply with
any such written request within 5 weeks of the Cessation Date.
11.3. The Processor may retain and store the Personal Data to the extent required by Applicable
Laws and only to the extent and for such period as required by Applicable Laws. Such cases
always entail the provision that the Processor ensures the confidentiality of all such Personal
Data and ensures that such Personal Data are only Processed as necessary for the purpose(s)
specified in the Applicable Laws requiring its storage and for no other purpose.
12. Governing law and jurisdiction
12.1. This Agreement shall be subject to and interpreted in accordance with laws of the country
where DyzSocial has its headquarters, and any applicable international laws.
13. Order of precedence
13.1. Nothing in this Agreement reduces the Processor’s obligations under the applicable Terms
& Conditions in relation to the protection of Personal Data or permits the Processor to Process
(or permit the Processing of) Personal Data in a manner which is prohibited by the Terms &
Conditions.
14.2. In the event of inconsistencies between the provisions of this Agreement and any other
agreements between the parties, including the Terms & Conditions (except where explicitly
agreed otherwise in writing) the provisions of this Agreement shall prevail.
14. Changes in Data Protection Laws, etc.
14.1. The parties shall revise this Data Processing Agreement in the event of relevant changes
to the Applicable Laws.
15. Severance
15.1. Should any provision of this Agreement be invalid or unenforceable, then the remainder
of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall
be either (i) amended as necessary to ensure its validity and enforceability, while preserving
the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner
as if the invalid or unenforceable part had never been contained therein.
16. Liability and liability limitations
16.1. Each party is responsible for that party’s processing of Personal Data being in accordance
with the Applicable Laws.