Data Processing Agreement

1. Definitions

In this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement or in the GDPR, as applicable.

2. Scope and Roles

This DPA applies to the Processing of Customer Data by the Processor on behalf of the Controller in connection with the provision of the Service.

The Controller is the party that determines the purposes and means of Processing of Customer Data. The Controller is the iGaming operator, affiliate company, or other business entity that subscribes to and uses the Muxbe platform.

The Processor processes Customer Data solely on behalf of, and in accordance with the documented instructions of, the Controller as described in this DPA and the Agreement.

3. Details of Processing

In accordance with Article 28(3) of the GDPR, the following details of Processing are specified:

3.1 Subject Matter and Duration

The subject matter of the Processing is the provision of the Muxbe platform for affiliate management, retention intelligence, financial reporting, AI-powered analysis, sports intelligence, and team collaboration.

The duration of the Processing shall be for the term of the Agreement between the Controller and the Processor, plus any additional period required for the deletion or return of Customer Data in accordance with Section 10 of this DPA.

3.2 Nature and Purpose of Processing

The Processor performs the following Processing activities on Customer Data in order to provide the Service:

3.3 Types of Personal Data

The following categories of Personal Data may be processed depending on the Controller's use of the Service:

3.4 Categories of Data Subjects

Customer Data may relate to the following categories of Data Subjects:

4. Controller Obligations

The Controller warrants and represents that:

5. Processor Obligations

5.1 Processing on Instructions

The Processor shall process Customer Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest.

The Controller's instructions are documented in the Agreement and this DPA. The Controller's use of the platform's features and configuration settings constitutes documented instructions. Any additional or alternative instructions require mutual written agreement.

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection law.

5.2 Confidentiality

The Processor shall ensure that all persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of the Agreement.

5.3 Security of Processing

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, but are not limited to:

A detailed description of the Processor's security measures is available in the Security Policy. The Processor shall regularly review and update these measures to ensure continued appropriateness.

5.4 Privileged Access

The Controller acknowledges that the Processor's authorized personnel hold superadmin-level access to the platform infrastructure. This access is strictly limited to the following purposes:

Such access shall be exercised only by authorized personnel of the Processor and only for the purposes stated above. Access is logged where technically feasible. The Processor shall not access Customer Data for any purpose other than those necessary for the provision of the Service, performance of its obligations under the Agreement, or compliance with applicable law.

6. Sub-processing

6.1 General Authorization

The Controller provides a general written authorization for the Processor to engage Sub-processors for the Processing of Customer Data, subject to the conditions set out in this Section 6. The categories of authorized Sub-processors are described at Subprocessors. The current named list of specific Sub-processors — including provider names, processing locations, and links to each provider's data protection terms — is provided to the Controller as part of the DPA package on signature and is available on request at legal@muxbe.com.

6.2 Obligations Regarding Sub-processors

When engaging a Sub-processor, the Processor shall:

6.3 Notification of Changes

The Processor shall notify the Controller in writing (including by email to the address associated with the Controller's account) of any intended addition or replacement of Sub-processors at least thirty (30) days prior to such change, thereby giving the Controller the opportunity to object.

If the Controller objects to a new or replacement Sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If the parties are unable to reach a resolution within thirty (30) days of the Processor's receipt of the objection, the Controller may terminate the affected portion of the Service without penalty.

6.4 Categories of Sub-processors

The current named list of specific Sub-processors — including provider names, exact processing locations, and links to each provider's data protection terms — is provided to the Controller as part of the DPA package on signature, is updated with at least thirty (30) days' notice of any material change, and is available on request at legal@muxbe.com. The categories above are maintained at /legal/subprocessors.html.

7. Data Subject Rights

The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR, including:

Requests from Data Subjects received directly by the Processor shall be promptly forwarded to the Controller without undue delay, unless the Processor is otherwise required to respond under applicable law.

Assistance with Data Subject requests is currently handled through a manual process. The Controller may submit requests via dpa@muxbe.com.

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Where feasible, such notification shall be made within seventy-two (72) hours of the Processor becoming aware of the breach.

The notification shall include, to the extent reasonably available at the time of notification:

Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.

10. Data Deletion and Return

10.1 Upon Termination

Upon termination or expiry of the Agreement, the Processor shall, at the Controller's election:

If the Controller does not provide instructions regarding deletion or return within thirty (30) days of termination, the Processor shall delete all Customer Data.

10.2 Scope of Deletion

Deletion of a tenant encompasses removal of all associated data, including but not limited to: the tenant registry entry, all tenant-scoped data collections, user profile records, and authentication accounts associated with the tenant.

10.3 Data Export

Prior to termination, the Controller may request export of Customer Data. Available export formats include:

10.4 Automated Data Retention

The Processor applies the following automated retention policies during the term of the Agreement:

The Controller acknowledges and agrees to these retention periods. The Processor shall inform the Controller of any material changes to these automated retention policies.

11. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit requests shall be subject to the following conditions:

12. International Data Transfers

The Controller acknowledges that the provision of the Service involves the transfer and processing of Customer Data outside the European Economic Area ("EEA"), primarily to the United States, where the Processor's cloud infrastructure, AI services, transactional email delivery, and frontend hosting Sub-processors are located. Where the Controller has configured a marketing automation platform with EU endpoints, the corresponding data may instead be processed within the EU.

Other operational service providers used by the Processor (as described in the Subprocessors page) do not process Customer Personal Data and are not relied upon for transfers of Customer Personal Data.

Such transfers are necessary for the provision of the Service and are carried out in reliance on one or more of the following safeguards:

Where required by the Controller, the Processor shall enter into Standard Contractual Clauses with the Controller and/or ensure that equivalent clauses are in place with relevant Sub-processors. The Controller may request execution of SCCs by contacting dpa@muxbe.com.

13. Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any claims by Data Subjects or fines imposed by a Supervisory Authority to the extent that such limitation would be prohibited by applicable law.

14. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws governing the Agreement, without regard to conflict of law principles. To the extent not specified in the Agreement, this DPA shall be governed by the laws of Georgia.

Any disputes arising out of or in connection with this DPA that cannot be resolved amicably shall be submitted to the courts of competent jurisdiction as specified in the Agreement.

15. General Provisions

15.1 Relationship to the Agreement

This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between the terms of this DPA and the Agreement with respect to the protection of Personal Data, the terms of this DPA shall prevail.

15.2 Amendments

The Processor may update this DPA from time to time to reflect changes in legal requirements, Processing activities, or security measures. Material changes shall be communicated to the Controller with reasonable advance notice. Continued use of the Service after such notice constitutes acceptance of the updated DPA.

15.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that achieves, to the extent possible, the economic, legal, and commercial objectives of the original provision.

15.4 Survival

The obligations of the Processor with respect to confidentiality, data deletion, and cooperation with audits shall survive the termination or expiry of this DPA and the Agreement.

16. Contact

For any inquiries regarding this DPA, data protection matters, or to exercise any rights under this DPA, please contact:

Muxbe — Data Protection
Giorgi Kurtsikidze, Individual Entrepreneur
Email: dpa@muxbe.com