DATA PROCESSING AGREEMENT

In accordance with worldwide Regulation on personal data privacy and security, this Data

Processing Agreement ("Agreement") enters into force if and when the Services entail

processing of the User’s Personal Data and will form part of the Terms & Conditions for access

and use of DyzSocial Services. The terms used in this Agreement shall have the meanings set

forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning

given to them in the Terms & Conditions. Except as modified below, the terms of the Terms &

Conditions shall remain in full force and effect.

1. Definitions

1.1 In this Agreement, the following terms shall have the meanings set out below and cognate

terms shall be construed accordingly:

"Applicable Laws" means any national and international applicable law on privacy and

security with respect to all the Personal Data, in respect of which the Controller is subject to

any other Data Protection Laws;

"User" means any identified or identifiable natural person, who creates and account on the

DyzSocial platform and whose personal data are collected and processed;

"Controller" means DyzSocial, (or a sub-processor), on a case-by-case basis, which

determines the purpose and means of processing the Personal Data;

"Processor" means DyzSocial (or a sub-processor), on a case-by-case basis, which processes

Personal Data on behalf of the Controller;

"Personal Data" means any Personal Data Processed by a Processor on behalf of the

Controller pursuant to or in connection with the Terms & Conditions;

"Services" means the DyzSocial Services that will be supplied pursuant to the specifications

in the applicable Terms & Conditions and any subsequent specific Agreements;

"Sub-processor" means any third-party user or service provider, appointed by or on behalf of

the Processor to Process Personal Data on behalf of the Controller in connection with the Terms

& Conditions.

2. Preamble

2.1. The DyzSocial Services shall be subject to the Terms & Conditions available at

https://dyzsocial.com/. The User agrees to the use of data in accordance with DyzSocial’s

2.2. DyzSocial will collect data from the User through the DyzSocial platform, and through

third-party KYC service providers. All data (including all text, sound, video, or image files) the

that DyzSocial collects from the User is considered “Platform Data.” DyzSocial may use the

User Platform Data for the purpose of providing, improving and adding new features to the

DyzSocial Services.

2.3. The Processor agrees that they will comply with all laws, rules, regulations, decrees,

statutes, or other enactments, orders, mandates or resolutions relating to data security, data

protection and/or privacy, and any implementing, derivative or related legislation, rule,

regulation, and regulatory guidance (“Data Protection Laws”), including providing legally

adequate privacy notices to Students. The User will ensure that Students consent to transfer and

use of data and information to DyzSocial in connection with User’s services and DyzSocial

Services, including but not limited to User names, passwords, other information relating to an

identified or identifiable natural person, and any other data or information that constitutes

personal data or personal information under any applicable Data Protection Law (“Personal

Data”).

2.4. Platform Data may be transferred to, and stored and processed in Canada, in the United

States, in the European Union, in India or any other country in which DyzSocial, its Affiliates

or its subcontractors operate. The User appoints DyzSocial to perform any such transfer of

Platform Data to any such country and to store and process personal data in order to provide

the DyzSocial Services.

2.5. California Consumer Privacy Act (the “CCPA” USA). DyzSocial will control and process

Platform Data including Personal Data within the scope of the CCPA on the User’s behalf and

not retain, use, or disclose that data for any purpose other than for the purposes set out in these

Terms and as permitted under the CCPA, including under any “sale” exemption. In no event

will DyzSocial sell any such Platform Data. These CCPA terms do not limit or reduce any data

protection commitments DyzSocial makes to the User in these Terms or any other agreement

between the User and DyzSocial.

2.6. Personal Data Protection Bill (the “PDPB” India). DyzSocial will control and process

Platform Data including Personal Data from its Data Principals, as defined by the DyzSocial

retain, use, or disclose that data for any purpose other than for the purposes expressly assumed

by both parties and as permitted under the PDPB. DyzSocial will never sell any such Platform

Data processed from its Data Principals. These PDPB terms will not limit or reduce,

nonetheless, any data protection commitments DyzSocial makes strictly to the User in the

Terms & Conditions or any other agreement between the User and DyzSocial.

3. The Background and Object of the Agreement

3.1. The User accepted the applicable Terms & Conditions when the User first accessed and/or

first used the DyzSocial Services. This Agreement comes into force if and when the User chose

to initiate the use of the DyzSocial Services. The Agreement is an appendix to the applicable

Terms & Conditions, it and does not imply any changes to the commercial terms between the

parties.

3.2. The object of this Agreement is to set out the rights and obligations pursuant to the

Applicable Laws on the Processing of Personal Data. This Agreement shall ensure that the

Personal Data regarding the Data Subjects and the Data Principals, as the case may be, are not

used in a non-compliant manner or compromised to un-authorized parties.

3.3. This Agreement governs the Processor’s handling of Personal Data on behalf of the

Controller, and it shall ensure that the Personal Data only are processed in compliance with

Applicable Laws and according to the Controller’s documented instructions.

3.4. In the case that the Controller processes special categories of Personal Data, this must

specifically be agreed upon with the Processor in advance of such Processing.

4. The Purpose of the Agreement

4.1. The Processor may process any Personal Data as a part of the collaboration, as set out in

the applicable Terms & Conditions.

4.2. In accordance with the Terms & Conditions, the DyzSocial Services are provided as a

decentralized, blockchain-based Software as a Service, and the Controller may choose to enter

and store Personal Data in the Services. The Controller has defined the purposes and has

ensured that the processing of the Personal Data is lawful before the Personal Data is entered

and stored in the Services.

4.3. The Personal Data that will be processed by the Processor, will be the information that the

Controller enters and stores on the systems that the Processor operates.

4.4. DyzSocial will not typically access the Personal Data, but the User specifically gives the

right to DyzSocial to access the User account and operate on its data, strictly whenever is

necessary, and for maintenance purposes. The Personal Data is only to be stored in the

Processor's operating environment and then it goes through the automatic processes in the

Services that are specified in the Terms & Conditions and other potential subsequent

Agreements. Where Personal Data are stored in the operating environment that is part of the

Processor’s Services, the Processor shall only monitor and provide support on the Services and

not process the Personal Data in any way other than what is stipulated in the Terms &

Conditions. If the Controller wants the Processor to carry out any other form of processing of

the Personal Data, the Controller must make the request by a written change order to the

Processor. Further/other processing of the Personal Data as a result of such a change order may

lead to increased costs for the Processor and must thus be covered by the Controller.

4.5. Where the Controller stores the Personal Data in their own operating environment, the

Processor will typically not be able to access the Personal Data unless the Controller provides

such access. The Processor shall only monitor and provide support on the Services and not

process the Personal Data in any way other than what is stipulated in the Terms & Conditions.

If the Controller wants the Processor to carry out any other form of processing of the Personal

Data, the Controller must make the request by a written change order to the Processor and then

provide access to the Personal Data. Further/other processing of the Personal Data as a result

of such a change order may lead to increased costs for the Processor and must thus be covered

by the Controller.

5. Specific Terms

5.1. The terms of this Section (the “Specific Terms”) apply to the extent the User account

includes information related to an identified or identifiable natural person that is subject to the

European Union General Data Protection Regulation (the “GDPR”), the US California

Consumer Privacy Act (the “CCPA”), or to the Indian Personal Data Protection Bill (the

“PDPB”). Lower case terms used, but not defined in these Terms, such as “personal data,”

“personal data breach,” “processing,” “controller,” “processor,” “subprocessor” and “data

subject,” will have the same meaning as set forth in the Applicable Laws. These Specific Terms

do not apply where DyzSocial is a controller of the personal data of its customers.

5.2. Compliance with the Applicable Laws and Processing of Personal Data. Third-party and

DyzSocial agree to comply with all applicable provisions of the Applicable Laws. Third-party

agree they are the controller of personal data and DyzSocial is the processor of such personal

data, except when third-party acts as a controller or processor of personal data, in which case

DyzSocial is a processor or sub-processor. DyzSocial will process personal data only on the

User documented instructions. Third-party agrees that these Terms, any other written Service

Agreement with DyzSocial, and the use and configuration of features in the DyzSocial Services

are third-party’s complete and final documented instructions to DyzSocial for the processing of

personal data. In any instance where the data protection laws apply and third-party is a

processor, third-party warrants to DyzSocial that third-party’s instructions, including

appointment of DyzSocial as a processor or sub-processor, have been authorized by the relevant

controller.

5.3. Processing Details. Third-party and DyzSocial acknowledge and agree that:

a) the nature and purpose of the processing is to provide the DyzSocial Services pursuant to

these documented instructions;

b) the subject matter of the processing is limited to personal data within the scope of the GDPR,

CCPA and PDPB;

c) the duration of the processing shall be for the duration of third-party’s right to use the

DyzSocial Services and until all personal data are deleted, or returned in accordance with the

User’s instructions;

d) the types of personal data processed by the DyzSocial Services include those expressly

identified in GDPR, CCPA and PDPB;

e) the categories of data subjects (data principals) are Privately Contracted Armed Security

Personnel (PCASP) and their next of kin, employees, collaborators, and contractors;

f) DyzSocial will process and transfer the personal data only on these documented instructions,

unless required to do so by the Applicable Laws to which DyzSocial is subject; in such a case,

DyzSocial shall inform third-party of that legal requirement before processing (unless that law

prohibits such information on important grounds of public interest); and

g) DyzSocial and third-party will ensure that their personnel engaged in the processing of

personal data (i) will comply with subsection (f) herein and (ii) have committed to maintain the

confidentiality of any personal data, even after their engagement ends.

5.3. Data Subject Rights; Assistance with Requests. DyzSocial will make the personal data of

data subjects and data principals, as the case may be, available to the User and provide the User

the ability to fulfill data subject requests under the Applicable Laws, both in a manner consistent

with the functionality of the DyzSocial Services and DyzSocial’s role as a processor. DyzSocial

shall comply with third-party’s reasonable requests to assist with third-party’s response to such

a data subject request. If DyzSocial receives a request from third-party’s data subject or data

principal to exercise one or more of its rights under the Applicable Laws in connection with the

services for which DyzSocial is a data processor or sub-processor, DyzSocial will redirect the

data subject or data principal to make its request directly to third-party. Third-party will be

responsible for responding to any such request, including, where necessary, by using the

functionality of the DyzSocial Services.

5.4. Records of Processing Activities and Reasonable Assistance. DyzSocial shall maintain all

records required by the Applicable Laws and, to the extent applicable to the processing of

personal data on third-party’s behalf, make them available to third-party upon request.

DyzSocial will provide third-party reasonable assistance in compliance with the obligations

instituted by the Applicable Laws, taking into account the nature of the processing and the

information available to DyzSocial.

5.5. Data Security. Third-party and DyzSocial will implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk, including inter alia,

as appropriate:

a) the pseudonymization and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of

processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the

event of a physical or technical incident; and

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and

organizational measures for ensuring the security of the processing.

DyzSocial’s security measures are being set forth in the DyzSocial Privacy Policy. The Privacy

Policy is available at www.dyzsocial.com, along with descriptions of the security controls in

place for the DyzSocial Services and other information the User may reasonably request

regarding DyzSocial security practices and policies. Third-party is responsible for making an

independent determination as to whether the technical and organizational measures for the

DyzSocial Services meets third-party’s requirements. Third-party acknowledges and agrees

that (taking into account the state of the art, the costs of implementation, and the nature, scope,

context and purposes of the processing personal data as well as the risks to individuals) the

security practices and policies implemented and maintained by DyzSocial provide a level of

security appropriate to the risk with respect to the User’s personal data. Third-party is

responsible for implementing and maintaining privacy protections and security measures for

components that third-party provides or control.

5.6. Notice and Controls on use of sub-processors. DyzSocial may hire third parties to provide

certain limited or ancillary services on its behalf. DyzSocial will provide third-party a list of

sub-processors upon request. Third-party consents to the engagement of these third parties and

DyzSocial Affiliates as sub-processors of personal data if such consent is required under law.

DyzSocial will inform the User of new sub-processors it engages. Third-party may object to

new sub-processors by providing written notice to DyzSocial that includes an explanation of

the grounds for objection.

DyzSocial is responsible for its sub-processor’s compliance with DyzSocial’s obligations under

the Applicable Laws. When engaging any sub-processor, DyzSocial will ensure via a written

contract that the sub-processor may access and use personal data only to deliver the services

DyzSocial has retained them to provide and is prohibited from using personal data for any other

purpose. DyzSocial will ensure that sub-processors are bound by written agreements that

require them to provide at least the level of data protection required of DyzSocial by this Data

Processing Agreement.

Consequently, third-party is responsible for its sub-processor’s compliance with DyzSocial’s

obligations under the Applicable Laws.

5.7. Personal Data Breach. DyzSocial shall notify third-party without undue delay after

becoming aware of a personal data breach. Such notification will include that information a

processor must provide to a controller under any applicable law to the extent such information

is reasonably available to DyzSocial.

DyzSocial shall make reasonable efforts to assist third-party in fulfilling its obligation to notify

the relevant supervisory authority and data subjects or data principals of a personal data breach.

5.8. Audit. DyzSocial will conduct in its sole discretion audits of its compliance with the

applicable data protection laws. Each audit will be performed by qualified, independent, third

party and/or internal security auditors at DyzSocial’s selection and expense. Each audit will

result in the generation of an audit report (“DyzSocial Audit Report”), which DyzSocial will

make available to third-party upon request. The DyzSocial Audit Report will be DyzSocial’s

Proprietary Information and will clearly disclose any material findings by the auditor.

DyzSocial will promptly remediate any reasonable issues raised in any DyzSocial Audit Report

to the satisfaction of the auditor.

5.9. Transfer of personal data. All transfers of personal data to a third country or an international

organization will be subject to appropriate safeguards as described in the Applicable Laws, and

such transfers and safeguards will be documented. DyzSocial agrees to notify third-party in the

event that it makes a determination that it can no longer meet its obligation to provide the same

level of protection as required.

5.10. Supplementation and Term. DyzSocial may modify or supplement this document, (a) if

required to do so by a supervisory authority or other government or regulatory entity, (b) if

necessary, to comply with applicable law, or (c) to adhere to an approved code of conduct or

certification mechanism approved or certified. Without prejudice to the Applicable Laws,

DyzSocial may from time to time provide additional information and detail about how it will

execute these Terms in its service-specific technical, privacy, or policy documentation. These

Terms become effective upon the later of (a) the start of enforcement of the or (b) The User’s

use of the DyzSocial Services.

6. Controller’s Obligations

6.1. The Controller shall provide the Processor with written instructions on the processing of

the Personal Data on behalf of the Controller, hereunder transferring the Personal Data to any

country or territory as reasonably necessary for the provision of the Services and consistent

with the Terms & Conditions and in accordance with Applicable Laws.

6.2. The Controller shall ensure that the processing of the Personal Data is lawful.

6.3. The Controller shall authorize the Processor to provide each sub-processor with the same

written instructions that the Processor has been provided with.

6.4. The Controller has provided the data subjects or the data principals with the necessary

information according to Applicable Laws; and it is the responsibility of the Controller to

collect any consents from the data subjects for the processing of Personal Data taking place in

accordance with the Terms & Conditions.

7. The Processor’s obligations

7.1. The Processor shall only process the Personal Data on behalf of the Controller and on

written instructions from the Controller, and for the sole purpose and to the extent necessary to

provide the Services, in accordance with the terms in this Agreement and Applicable Laws.

7.2. The Processor shall not process the Personal Data other than on the Controller’s

documented instructions unless Processing is required by Applicable Laws to which the

Processor is subject, in which case the Processor shall to the extent permitted by Applicable

Laws inform the Controller of that legal requirement before the relevant Processing of that

Personal Data.

7.3. The Processor does not have the right of use of the Personal Data, and may therefore not

process them for their own purposes under any circumstances.

7.4. The Processor has carried out the technical and organizational security measures in order

to protect the Personal Data from loss, misuse or un-authorized alternation or dissemination,

unauthorized access, or against other illegal processing. These measures represent a level of

security appropriate to the risks represented by the processing, taking into account the costs of

the implementation.

7.5. The Controller has, unless otherwise agreed or pursuant to Applicable Laws, the right to

access the Personal Data being processed and the systems used for this purpose. The Processor

shall provide necessary assistance for such access to be given.

7.6. The Processor is subject to confidentiality regarding the documentation and the Personal

Data for which it gains access to under this Agreement. This provision also applies after the

termination of this Agreement.

7.7. The Processor may freely choose where it geographically stores the Personal Data. The

Controller may at any time require information on where the Personal Data is stored.

8. Processor’s Personnel

8.1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent

or contractor of the Processor who is given access to the Personal Data.

8.2. The Processor shall ensure in each case that access is strictly limited to those individuals

who need to know/have access to the relevant Personal Data, as strictly necessary for the

purposes of the Terms & Conditions, and to comply with Applicable Laws in the context of

that individual's duties to the Processor.

8.3. The Processor shall ensure that all such individuals are subject to confidentiality

undertakings or professional or statutory obligations of confidentiality. The obligations of

confidentiality will survive the termination of the personnel engagement.

9. Security

9.1. Taking into account the state of the art, the costs of implementation and the nature, scope,

context and purposes of Processing as well as the risk of varying likelihood and severity for the

rights and freedoms of natural persons, the Processor shall in relation to the Personal Data

implement appropriate technical and organizational measures to ensure a level of security

appropriate to that risk.

9.2. In assessing the appropriate level of security, the Processor shall take account of the risks

that are presented by Processing, in particular from a Personal Data Breach.

9.3. The Controller confirms that the Processor has provided sufficient guarantees that they will

implement appropriate technical and organizational measures that ensure that the processing

meets the requirements of Applicable Laws, hereunder the protection of the data subjects’

rights.

9.4. The Controller confirms to have assessed any security measures specifically stated in the

Terms & Conditions and thus accepted by the Controller, and the Controller is responsible (as

between the parties and to data subjects and supervisory authorities) if those measures in

themselves do not meet the Applicable Laws.

10. Sub-processing

10.1. The Controller authorizes the Processor to appoint sub-processors in accordance with this

section and any restrictions in the Terms & Conditions.

10.2. The Processor may continue to use those sub-processors already engaged by the Processor

as of the date this Agreement enters into force, subject to the Processor in each case as soon as

practicable meeting the obligations set out in section 10.4.

10.3. The Processor shall give the Controller prior written notice of the appointment of any new

sub-processor, including full details of the Processing to be undertaken by the sub-processor.

If, within 2 weeks of receipt of that notice, the Controller notifies the Processor in writing of

any objections (on reasonable grounds) to the proposed appointment, the Processor shall not

appoint (or disclose any Personal Data to) that proposed sub-processor until reasonable steps

have been taken to address the objections raised by the Controller, and the Controller has been

provided with a reasonable written explanation of the steps taken.

10.4. The Processor is responsible for the Sub-processor’s performance in regards of the

processing of Personal Data.

10.5. With respect to each sub-processor, the Processor shall:

● before the sub-processor’s first processing of the Personal Data (or, where relevant),

ensure that the sub-processor does not process Personal Data covered by this Agreement

in any way that is not necessary for the performance of the Services, and that the

Personal Data is not given to anyone else without this being specified in this Agreement

or is permitted by the Controller in a prior written notice;

● ensure that the arrangement between the Processor and the sub-processor, is governed

by a written contract including terms which offer at least the same level of protection

for the Personal Data as those set out in this Agreement and meet the requirements of

Applicable Laws; and

● provide to the Controller for review such copies of the Processors' agreements with sub-

processors (which may be redacted to remove confidential commercial information not

relevant to the requirements of this Agreement) as the Controller may request from time

to time.

11. Deletion or return of the Personal Data

11.1. Subject to sections 11.2. and 11.3. the Processor shall as soon as possible and within 4

weeks of the date of cessation of any Services involving the Processing of the Personal Data

(the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data.

11.2. Subject to section 8.3., the Controller may in its absolute discretion by written notice to

the Processor within 1 week of the Cessation Date require the Processor to (a) return a complete

copy of all of the Personal Data to the Controller; and (b) delete and procure the deletion of all

other copies of the Personal Data Processed by the Processor. The Processor shall comply with

any such written request within 5 weeks of the Cessation Date.

11.3. The Processor may retain and store the Personal Data to the extent required by Applicable

Laws and only to the extent and for such period as required by Applicable Laws. Such cases

always entail the provision that the Processor ensures the confidentiality of all such Personal

Data and ensures that such Personal Data are only Processed as necessary for the purpose(s)

specified in the Applicable Laws requiring its storage and for no other purpose.

12. Governing law and jurisdiction

12.1. This Agreement shall be subject to and interpreted in accordance with laws of the country

where DyzSocial has its headquarters, and any applicable international laws.

13. Order of precedence

13.1. Nothing in this Agreement reduces the Processor’s obligations under the applicable Terms

& Conditions in relation to the protection of Personal Data or permits the Processor to Process

(or permit the Processing of) Personal Data in a manner which is prohibited by the Terms &

Conditions.

14.2. In the event of inconsistencies between the provisions of this Agreement and any other

agreements between the parties, including the Terms & Conditions (except where explicitly

agreed otherwise in writing) the provisions of this Agreement shall prevail.

14. Changes in Data Protection Laws, etc.

14.1. The parties shall revise this Data Processing Agreement in the event of relevant changes

to the Applicable Laws.

15. Severance

15.1. Should any provision of this Agreement be invalid or unenforceable, then the remainder

of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall

be either (i) amended as necessary to ensure its validity and enforceability, while preserving

the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner

as if the invalid or unenforceable part had never been contained therein.

16. Liability and liability limitations

16.1. Each party is responsible for that party’s processing of Personal Data being in accordance

with the Applicable Laws.