Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the service agreement between the merchant ("Controller") and Mighty Clover LLC ("Processor").

1. Definitions

1.1 "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the services.

1.2 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

1.3 "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

1.4 "Sub-processor" means any third party appointed by Processor to process Personal Data on behalf of Controller.

2. Scope and Nature of Processing

2.1 Purpose: Personal Data is processed solely for the purpose of providing payment decline recovery services.

2.2 Categories of Data:

  • Customer identification data (name, email address)
  • Billing information (address, phone number)
  • Transaction data (amount, currency, merchant reference)
  • Payment tokens (no raw card data)
  • Decline codes and authorization responses

2.3 Categories of Data Subjects: End customers of the Controller making payment attempts.

2.4 Retention Period: Personal Data is retained for the duration necessary to provide services, plus applicable legal retention periods.

3. Controller and Processor Obligations

3.1 Controller Obligations:

  • Ensure lawful basis for all Personal Data shared with Processor
  • Provide necessary privacy notices to Data Subjects
  • Obtain required consents for data processing activities
  • Promptly notify Processor of any data subject requests or complaints

3.2 Processor Obligations:

  • Process Personal Data only on documented instructions from Controller
  • Implement appropriate technical and organizational security measures
  • Assist Controller with data subject rights requests
  • Notify Controller of any personal data breaches without delay

4. Security Measures

4.1 Encryption: All Personal Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.

4.2 Access Controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis.

4.3 Monitoring: Comprehensive logging and monitoring of all data access and processing activities.

4.4 Incident Response: Documented procedures for detecting, investigating, and responding to security incidents.

5. Sub-processors

5.1 Authorized Sub-processors: Processor may engage Sub-processors to assist in providing services, subject to Controller approval.

5.2 Sub-processor Requirements: All Sub-processors must provide sufficient guarantees regarding data protection measures.

5.3 Liability: Processor remains fully liable for any Sub-processor's compliance with this DPA.

6. Data Subject Rights

6.1 Assistance: Processor will assist Controller in responding to Data Subject requests for access, rectification, erasure, portability, and objection.

6.2 Response Time: Processor will respond to Controller's requests for assistance within 30 days.

6.3 Direct Requests: Any direct requests from Data Subjects will be forwarded to Controller without delay.

7. Personal Data Breaches

7.1 Notification: Processor will notify Controller of any Personal Data breach affecting Controller's data within 72 hours of discovery.

7.2 Information Required: Notifications will include a description of the breach, the categories and approximate number of affected Data Subjects, the likely consequences, and the measures taken or proposed.

7.3 Assistance: Processor will provide reasonable assistance to Controller in fulfilling regulatory notification obligations.

8. International Data Transfers

8.1 Transfer Restrictions: Personal Data will not be transferred outside Florida without Controller's prior written consent.

8.2 Adequacy Decisions: Transfers may be made to jurisdictions with adequate data protection as determined by competent authorities.

8.3 Safeguards: Where transfers are necessary, appropriate safeguards such as standard contractual clauses will be implemented.

9. Audits and Compliance

9.1 Audit Rights: Controller may audit Processor's compliance with this DPA annually or following a Personal Data breach.

9.2 Compliance Certificates: Processor will provide relevant compliance certificates (SOC 2, ISO 27001) upon request.

9.3 Remediation: Any non-compliance issues identified will be remediated within 30 days.

10. Data Return and Deletion

10.1 Return: Upon Controller's request, Processor will return all Personal Data in a commonly used format.

10.2 Deletion: Following service termination, Processor will securely delete all Personal Data unless required to retain by law.

10.3 Certification: Processor will provide written certification of data deletion upon completion.

For questions about this Data Processing Agreement, please contact us at info@flowbackpay.com.