for merchant

International Processing - Payin & Payout

DATA PROCESSING AGREEMENT

January 21, 2025

This Data Processing Agreement (“DPA”) is an addendum to and is incorporated into the Merchant Agreement ("Agreement") between the Merchant and EBANX, referred to jointly as “Parties” or individually as “Party”, and applies to activities involving the Processing of Personal Data (as defined below) performed in connection with the Agreement and is an integral part of the Agreement for all legal purposes.


Any capitalized terms not otherwise defined in this DPA shall have the meaning given thereto in the DPA or the Applicable Laws. Except as modified below, the terms of the Agreement shall remain in full force and effect.



1. DEFINITIONS


1.1. In this DPA, the following terms shall have the meanings defined below:


1.1.1. "Data Protection Requirements" means, to the extent applicable: (i) APAC Data Protection Requirements; (ii) European Data Protection Requirements; (iii) LATAM Data Protection Requirements; (iv) AMET Data Protection Requirements; (v) mandatory industry rules and standards including, to the extent applicable, the Payment Card Industry Data Security Standard (“PCI-DSS”); and (vi) any and all other Applicable Law related to data protection, data security, marketing, privacy, or the Processing of Personal Data.


1.1.2. "Applicable Laws" means any applicable law, regulation, directive, or other binding requirements (each as may be implemented, amended, extended, superseded, or re-enacted from time to time), including but not limited to, for the avoidance of doubt, Data Protection Requirements.


1.1.3. “LATAM Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the countries of South America, Central America, and Mexico, including the Brazilian General Data Protection Law.


1.1.4. “AMET Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in Africa, the Middle East, and Turkey.


1.1.5. “European Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the European Union (“EU”), the European Economic Area (“EEA”), Switzerland, or United Kingdom (“UK”), including, to the extent applicable, the Regulation (EU) 2016/679 (“GDPR”), Directive 2002/58/EC, Directive 2009/136/EC, and UK GDPR, jointly with any local, amending or replacement legislation in any EU Member State or the UK. For the purposes of this DPA, “UK GDPR” means the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018.


1.1.6. “APAC Data Protection Requirements” means any and all Applicable Laws related to data protection, data security, marketing, privacy, or the Processing of Personal Data in the countries in Asia (excluding the countries in the Middle East) and the countries that border the Pacific Ocean on the Asian side (including Australia, Hong Kong, Japan, India, Indonesia, Malaysia, New Zealand, Philippines, Singapore, South Korea, Thailand, Taiwan, and Vietnam).


1.1.7. “Data Processing” means any operation carried out with Personal Data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.


1.1.8. "Merchant Data" means any and all Personal Data that EBANX Processes from or on behalf of the Merchant in connection with the Agreement, including information derived from or combined with such Personal Data and the Personal Data of Merchant employees, contractors, and personnel, and Merchant Customers.


1.1.9. “Services” means the services and other activities that will be provided or performed by EBANX in accordance with the Agreement.


1.1.10. “Processor” means any natural or legal person who, on behalf of one of the Parties, processes Personal Data on behalf of the Parties under this DPA.


1.1.11. "Agreement" means the Merchant Agreement, including its addendums and annexes, containing the general terms for the provision of Services by EBANX to the Merchant.


1.1.12. "Jurisdiction-Specific Terms" means all legal or regulatory terms, conditions, or rules that govern privacy and data protection and that apply within a particular geographic area or legal jurisdiction incorporated into this DPA.


1.1.13. "Employee(s)" means any employee, worker, including subcontractors or outsourced staff, representatives, or designees, remunerated or not, under a full or partial regime, who act on behalf of the Parties and have access to the Personal Data.


1.1.14. “Government Authorities” means any authority, including judicial, vested with powers to inspect, judge, and apply pertinent laws.


1.1.15. “Security Incident” means any adverse security event or set of events, confirmed or suspected, that impacts the availability, integrity, confidentiality, or authenticity of an information asset. In the case of this DPA, the expression will refer to incidents involving the Personal Data processed in the context of the Agreement.


1.1.16. “End Date” has the meaning described in this Agreement, where it is applicable.



2. JURISDICTION-SPECIFIC TERMS


2.1. Without limiting the foregoing, the Parties shall also comply with the following jurisdiction-specific terms to the extent such terms are applicable:


2.1.1. If LATAM Data Protection Requirements apply to the Data Processing or Personal Data shared by the Parties (as applicable) under the Agreement, then the terms available at Schedule A - LATAM Terms (incorporated into this DPA by this reference) shall apply to such data.


2.1.2. If AMET Data Protection Requirements apply to the Data Processing or Personal Data shared by the Parties (as applicable) under the Agreement, then the terms available at Schedule B - AMET Terms (incorporated into this DPA by this reference) shall apply to such data.


2.1.3. If APAC Data Protection Requirements apply to the Data Processing or Personal Data shared by the Parties (as applicable) under the Agreement, then the terms available at Schedule C - APAC Terms (incorporated into this DPA by this reference) shall apply to such data.


2.1.4. If European Data Protection Requirements apply to the Data Processing or Personal Data shared between Parties (as applicable) under the Agreement, then the terms available at Schedule D - European Region Terms (incorporated into this DPA by this reference) shall apply to such data.



3. PROCESSING OF PERSONAL DATA


3.1. The performance of this Agreement requires the sharing of Personal Data between both Parties. In relation to activities involving the Processing of Personal Data under the scope of the Agreement, the Parties agree to:


3.1.1. Process the Personal Data in accordance with all Applicable Laws, including those coming into force after the signing of this DPA, ensuring in particular that every Data Processing activity be duly justified on one of the legal bases established by the Applicable Laws.


3.1.2. Process only the Personal Data necessary for executing the Agreement, including for the fulfillment of legal or regulatory obligations to which the Contracted Party is subject.


3.1.3. If the Contracted Party has access, in the context of the Contract, to Personal Data that it considers excessive or not necessary for the execution of the Contract, it shall immediately notify the other Party and disable such Personal Data.


3.1.4. If either Party performs any Data Processing activity unrelated to the performance of the Agreement, said Data Processing activity shall occur outside the context of this DPA. The Party that executes the Data Processing shall be deemed the sole Controller in relation to that activity, and the other Party shall be released from any obligation or liability derived therefrom.


3.1.5. Mutually cooperate to ensure proper compliance with the obligations relating to exercising the Data Subject's rights under the Applicable Laws applied and fulfilling any requests from the Government Authorities within the limit of their activities.


3.1.6. The Parties shall not use any type of tool, technology, reverse engineering, or other method intended to identify the Data Subjects, where Personal Data was shared in a manner that does not permit direct identification of the Data Subjects without cross-checking with other information or with access to the identification key.


3.1.7. The Parties shall not process, share, transfer, sell, rent, license, or otherwise make available any Personal Data to any third party for marketing, advertising, or promotional purposes.



4. PARTIES' EMPLOYEES


4.1. The Parties shall ensure that the Data Processing of Personal Data performed in the context of the Agreement will be restricted to the Employees responsible for the Data Processing and exclusively to the extent necessary to execute the Agreement.


4.2. The Parties' Employees must:

a) receive training regarding Data Protection principles and Data Protection Requirements. 

b) know the Parties' obligations, including those contemplated in this Agreement.

c) be subject to confidentiality agreements or professional or statutory confidentiality and data protection obligations.



5. SECURITY REQUIREMENTS


5.1. Each Party shall implement appropriate technical, administrative, and organizational measures compatible with the Data Processing activities performed. To assess the appropriate level of security, the Parties shall consider the risks posed by the Data Processing activity, particularly those related to Security Incidents.


5.2. The Parties' information security and privacy program must at least:

a) Protect against the unauthorized or unlawful Processing of Personal Data.

b) Meet the applicable standards of industry practice relevant to its activities and the volume and sensitivity of the Personal Data, including the appropriate physical, technical, and organizational measures that protect against unauthorized or unlawful Data Processing.

c) Include an appropriate network security program.

d) Comply with Data Protection Requirements applicable to the Processing thereof.


5.3. The Parties must undertake regular testing, assessing, and evaluation of the effectiveness of the technical, administrative, and organizational measures for ensuring the security of operations involving the Processing of Personal Data.



6. SUBCONTRACTORS


6.1. When any Data Processing activity is carried out through a Subcontractor, the Parties must, in relation to this Subcontractor:


6.1.1. Preserve the integrity and accuracy of the Personal Data and must update, correct, or delete such Personal Data at the request of the other Party, when required by Applicable Laws or by the Data Subject (when applicable);


6.1.2. Verify, through due diligence or equivalent procedure, that each Subcontractor is able to guarantee a level of Personal Data protection, at least equivalent to this DPA and provide evidence of this verification;


6.1.3. Enter into a formal agreement with each Subcontractor, ensuring that the agreement includes provisions at least equivalent to those in this DPA; and


6.1.4. Be exclusively liable for any and all actions and omissions related to the Data Processing conducted by any of its Subcontractors.



7. INTERNATIONAL DATA TRANSFERS


7.1. If an international data transfer by either Party is necessary for the performance of the Agreement, and the country of destination has not been considered adequate by the Government Authority of the country where the exporting Party is located, then the exporting Party shall ensure that the international data transfer will be made pursuant to one of the mechanisms contemplated in the Applicable Laws.



8. DATA SUBJECTS' RIGHTS


8.1. The Parties shall mutually cooperate in complying with the obligations related to exercising Data Subjects’ rights per Applicable Laws.


8.2. The Parties shall:


8.2.1. Immediately notify the other Party upon receiving a request from the Data Subject when related to any Data Processing activity performed under the Agreement;


8.2.2. Refrain from responding to any Data Subject's request related to the Personal Data of the other Party until that Party provides written consent to the contents of the response, except where the Applicable Laws require a response within less than 48 (forty-eight) hours; and


8.2.3. If the informed Party does not provide the written consent until 2 (two) business days before the end of the timeframe required by the Applicable Laws, the other Party is allowed to fulfill the Data Subject's request.   



9. SECURITY INCIDENT


9.1. When a Party identifies the occurrence of a Security Incident that may (i) cause risk or relevant damage to Data Subjects under the Applicable Laws; and (ii) impact the object of the Agreement, such Party shall immediately notify the other Party.


9.2. The notice shall include sufficient information for the affected Party to comply with any requirements imposed by Applicable Laws, including but not limited to: (i) the description of the nature of the Personal Data and the Data Subjects involved; (ii) the technical and security measures adopted to protect such Personal Data; (iii) the measures taken (and those in the process of being taken) to mitigate the effects of such Security Incident; (iv) the risks related to such Security Incident; and (v) any additional information that may help facilitate the understanding of the Security Incident, its causes and consequences, and/or that may be required by the Government Authorities.


9.3. The Parties shall investigate the causes and consequences of the Security Incident at their own expense and take the necessary measures to remedy its consequences, promptly informing the other Party about all measures taken.


9.4. The Parties shall maintain records on the Security Incident, including at least (a) a description of the nature of the Security Incident, (b) a description of the consequences of the Security Incident, and (c) a description of the measures taken or proposed by the other Party to cope with the Security Incident.


9.5. Where the Security Incident involves both Parties, the Parties shall not disclose any information concerning the Security Incident unless otherwise authorized by the other Party or required by the Government Authorities' determination, pursuant to the Applicable Laws.



10. GOVERNMENT AUTHORITIES


10.1. The Parties shall mutually cooperate in complying with obligations or requests imposed by any competent Government Authority.


10.2. The Parties shall immediately inform the other Party upon receiving requests for information or determinations from the Government Authorities relating to any Data Processing activity performed within the context of the Agreement, except when the request is under a gag order or any other type of legal restriction that prevents the communication from being made. If such requests or determinations are related to the Personal Data shared by the other Party, then the Party subpoenaed shall submit a suggestion of answer for the other Party's validation within the time period prescribed by law or determined by the Government Authorities.



11. EXCLUSION AND RETURN OF PERSONAL DATA


11.1. Upon completion of the activities involving the Data Processing of Personal Data under the Agreement, EBANX shall cease to process Merchant's Personal Data and, upon written request, return or delete the Personal Data related to the completed activities, along with all existing copies (in digital or physical form), unless retaining the data is necessary to comply with Applicable Laws.



12. INDEMNIFICATION AND LIABILITY


12.1. The Parties shall indemnify, defend and exempt the other Party and/or its affiliates from and against any liability, loss, claim, damage, fine, penalty, and expense (including, without limitation, fines, compensation for damage, costs incurred with reparation efforts, and attorneys' fees and costs resulting from or relating to any suit, claim or allegation of third parties, including, without limitation, any regulatory or governmental authority) arising out of noncompliance with this DPA and/or with the Applicable Laws.


12.2. If the Government Authorities impose sanctions on the Parties in connection with this DPA, and negligence, willful misconduct, or other liability of the other Party is verified, then this Party shall pay the financial penalty, when applicable, and/or indemnify the innocent Party.


12.3. This DPA does not create joint liability between the Parties for any penalties relating to the Data Processing activities performed under the Agreement, so each Party shall be held severally liable within the limit of its activities.


12.4. The indemnification obligations provided in this DPA shall be in addition to, and not in exclusion of, any indemnification obligation provided in the Agreement.



13. GENERAL PROVISIONS


13.1. Without prejudice to any provisions regarding mediation and jurisdiction:


13.1.1. The Parties hereto submit to the choice of the jurisdiction stipulated in the Agreement in connection with any disputes or claims that may in any way result from this DPA, including disputes relating to its existence, validity, or termination or the consequences of its nullity, and


13.1.2. This DPA and all extracontractual or other obligations arising out of or relating to this DPA shall be governed by the laws of the country or territory stipulated for this purpose in the Agreement.


13.2. In the event of a conflict between the provisions of this DPA and the Agreement or any other document performed between the parties, specifically in connection with activities involving the Data Processing of Personal Data, the provisions of this DPA shall prevail, except where a supervening document is executed between the Parties, expressly declaring the subsidiary nature of this DPA.


13.3. This DPA may be amended at the Parties' discretion or in the event of a supervening law, regulation, or determination by the Government Authority requiring a change in its provisions. The new provisions shall be agreed upon in good faith by the Parties and always in writing as an amendment to this DPA.


13.4. If any provision of this DPA is held void, invalid, or unenforceable, the remaining provisions shall remain in full force and effect. The void, invalid, or unenforceable provision shall be amended to ensure its validity and effectiveness while preserving the Parties' intention.


13.5. This DPA shall remain in effect until termination of the Agreement for any reason.


13.6. This DPA shall survive the expiration of the Agreement and continue to bind the Parties in relation to activities involving the Data Processing of Personal Data which originate from the Agreement and continue to be performed, though only for purposes of complying with a legal or regulatory obligation.


13.7. This DPA is performed and becomes an integral and mandatory part of the Agreement, with effects as of the date hereof. It applies, however, to all activities regarding the Data Processing of Personal Data performed since the date of performance of the Agreement.





SCHEDULE A: LATAM TERMS


1. DEFINITIONS: In addition to the defined terms in the DPA, the following definitions apply to the LATAM Terms:


1.1. “controller”, “data subject” and “data protection authority” and their variations shall have the same meanings as in the applicable LATAM Data Protection Requirements.


1.2. "ANPD" means the Brazilian National Data Protection Authority.



2. PROCESSING TERMS: the execution of the Agreement encompasses the mutual sharing of Personal Data. According to the scope of the Agreement, each Party will act as sole Controller and is subject to the LATAM Data Protection Requirements. The Parties agree as follows:


2.1. Each Party shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair, and transparent following LATAM Data Protection Requirements, including where applicable on the basis that the data subject has unambiguously given his or her explicit consent, or on the basis of some other valid ground provided for in LATAM Data Protection Requirements.


2.2. When consent is the basis of Data Processing, the Merchant shall be responsible for obtaining the express, free, unambiguous, and informed consent of the data subject, according to the LATAM Data Protection Requirements.


2.3. EBANX will appropriately assist the Merchant in the event of a Security Incident, a notice, inquiry, audit, or investigation by the ANPD or any other relevant regulator, or of a complaint, inquiry, or request received directly from a data subject, or any third party audit, that relates to the Processing of Personal Data pursuant to the Agreement, by providing information about the relevant Processing as required for the Merchant to fulfill its obligations under the LATAM Data Protection Requirements.


2.4. EBANX shall only process Personal Data as clearly described in EBANX's privacy notice or agreement with the data subject (as applicable) or in accordance with the terms of the Agreement or as permitted by Applicable Law.



3. INTERNATIONAL TRANSFERS: To the extent that EBANX Processes or otherwise transfers Merchant Data or Personal Data (as applicable) outside the jurisdiction in which such data was originally collected or otherwise Processed by, or on behalf of, the Merchant:


3.1. EBANX shall be responsible for complying with any requirement for authorization or registration of transfer outside of the country of origin in accordance with LATAM Data Protection Requirements.


3.2. Such transfer shall be subject to any conditions that may be reasonably imposed by the Merchant, including that EBANX (or any relevant Subcontractor) enters into (and complies with) any data transfer agreement reasonably acceptable to the Merchant and consistent with LATAM Data Protection Requirements.


3.3. Where applicable, the Parties agree that such transfer will be made relying on a proper transfer mechanism, preferably Standard Contractual Clauses following LATAM Data Protection Requirements.


3.3.1. When the Data Subjects are located in Argentina, Mexico, Chile, and Peru, the Model Contractual Clauses of Red Iberoamericana de Protección De Datos (https://www.redipd.org/sites/default/files/2023-02/anexo-modelos-clausulas-contractuales-en.pdf) shall apply:

a) ANNEX A: Accession Forms for New Partners

Not applicable

b) ANNEX B: Description of the Transfer

Categories of Data Subjects whose Personal Data is transferred: Merchant's customers

Sensitive Personal Data transferred (if applicable) and restrictions or safeguards applied: non-applicable.

Transfer Frequency: Ongoing

Purpose(s) of the data transfer and further processing: payment processing, fraud prevention (if applicable), and identity verification. 

c) ANNEX C: Administrative, Physical, and Technical Measures To Ensure Data Security

According to the Information Security Policy (https://www.ebanx.com/en/legal/ebankers/terms-and-conditions/information-security-policy/), PCI-DSS, ISO/IEC 27001, and ISO 27701 controls.


3.3.2. When the Data Subjects are located in Brazil, the Model Contractual Clauses, Resolução CD/ANPD nº 19/2024 (https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-19-de-23-de-agosto-de-2024-580095396), of ANPD shall apply:

a) CLAUSE 2

Data Exporter: Merchant and its Affiliates, as defined in the Agreement. 

Data Importer: EBANX and its Affiliates, as defined in the Agreement. 

Purpose of processing: payment processing.

Category of personal data transferred: identification Personal Data (name, phone, email address, IP address and device identifier, government identification number, purchase information). Additional data may be transferred according to regulations and the Parties' Privacy Notice.

Period of data storage: according to the "Schedule 8.1 - Data Security", 14. Data Deletion.

b) CLAUSE 3: Option B

Purpose of processing: support to the activities set in the Agreement 

Category of personal data transferred: identification Personal Data (name, phone, email address, IP address and device identifier, government identification number, purchase information). Additional data may be transferred according to regulations and the Parties' Privacy Notice.

Data storage period: according to the Schedule 8.1 - Data Security, 14. Data Deletion.

c) CLAUSE 4: Option A

Responsible for publishing the document requested in Clause 14: Exporter and Importer

Responsible for responding to requests from holders referred to in Clause 15: Exporter and Importer

Responsible for carrying out the security incident communication provided for in Clause 16: Exporter and Importer


3.4. The Parties shall cooperate in carrying out any assessment of such transfer required under LATAM Data Protection Requirements.






SCHEDULE B: AMET TERMS


1. DEFINITIONS: In addition to the defined terms in the DPA, the following definitions apply to the AMET Terms:


1.1. “controller”, “data subject” and “data protection authority” and their variations shall have the same meanings as in the applicable AMET Data Protection Requirements.


2. PROCESSING TERMS: the execution of the Merchant Services Agreement encompasses the mutual sharing of Personal Data. According to the scope of the Agreement, each Party will act as sole Controller and is subject to the AMET Data Protection Requirements. The Parties agree as follows:


2.1. Each Party shall be individually responsible for ensuring that its Processing of the Personal Data is lawful, fair, and transparent in accordance with AMET Data Protection Requirements, including where applicable on the basis that the data subject has unambiguously given his or her explicit consent or on the basis of some other valid ground provided for in AMET Data Protection Requirements.


2.2. When consent is the basis of Data Processing, the Merchant shall be responsible for obtaining the data subject's express, free, unambiguous, and informed consent, according to the AMET Data Protection Requirements.


2.3. EBANX will appropriately assist the Merchant in the event of a Data Incident, a notice, inquiry, audit, or investigation by a data protection authority or relevant regulator, or of a complaint, inquiry, or request received directly from a data subject, or any third party audit, that relates to the Processing of Personal Data pursuant to the Agreement, by providing information about the relevant Processing as required for the Merchant to fulfill its obligations under the AMET Data Protection Requirements.


2.4. EBANX shall only Process Personal Data as clearly described in its privacy notice or agreement with the data subject (as applicable) or in accordance with the terms of the Agreement or as permitted by Applicable Law.



3. INTERNATIONAL TRANSFERS: To the extent that EBANX Processes or otherwise transfers Merchant Data or Personal Data (as applicable) outside the jurisdiction in which such data was originally collected or otherwise Processed by, or on behalf of, the Merchant:


3.1. EBANX shall be responsible for complying with any requirement for authorization or registration of transfer outside of the country of origin in accordance with AMET Data Protection Requirements.


3.2. Such transfer shall be subject to any conditions that may be reasonably imposed by the Merchant, including that EBANX (or any relevant Subcontractor) enters into (and complies with) any data transfer agreement reasonably acceptable to the Merchant and consistent with AMET Data Protection Requirements.


3.3. Where applicable, the Parties agree that such transfer will be made relying on a proper transfer mechanism, preferably data protection adequacy decisions or, when not applicable, Standard Contractual Clauses, in accordance with AMET Data Protection Requirements.


3.4. When consent is required as a transfer mechanism, the Merchant is responsible for obtaining the data subject's express, free, unambiguous, and informed consent, according to the AMET Data Protection Requirements.


3.5. The Parties shall cooperate in carrying out any assessment of such transfer required under the AMET Data Protection Requirements.





SCHEDULE C: APAC TERMS


1.1. “Controller” means the Merchant, EBANX, and its Affiliates that act as Controller of Personal Data Processed in connection with the Agreement or in the performance of the Services.


1.2. “Data subject” and “data protection authority” and their variations shall have the same meaning as the applicable APAC Data Protection Requirements.



2. PROCESSING TERMS. The Merchant and EBANX will act as sole Controllers according to the scope of the Agreement, and Personal Data will be exchanged between the Merchant and EBANX, applying the APAC Data Protection Requirements. The Parties agree as follows:


2.1. Ensure that the Processing of the Personal Data follows APAC Data Protection Requirements, including where applicable, on the basis that the data subject has unambiguously given his or her explicit consent or on the basis of some other valid ground provided for in APAC Data Protection Requirements;


2.2. Only Process the Personal Data as clearly described in EBANX's privacy notice or agreement with the Data Subject (when applicable) or by the terms of the Agreement or as permitted by Applicable Law;


2.3. To the extent required under APAC Data Protection Requirements, make a reasonable effort to ensure that the Personal Data is accurate and complete if the Personal Data is likely to be: (i) used by EBANX to make a decision that affects the relevant data subject; or (ii) disclosed by EBANX to another controller, processor or third party; and


2.4. Cease to retain the Personal Data when no longer reasonably necessary for the relevant purposes in accordance with EBANX privacy notice or agreement with the data subject (as applicable) or in accordance with the terms of the Agreement or as permitted by Applicable Law;


2.5. For the purposes of the APAC Data Protection Requirements, the description of the Processing is specified in the Agreement.




3. INTERNATIONAL TRANSFERS: To the extent that EBANX Processes or otherwise transfers Personal Data outside the jurisdiction in which such data was originally collected or otherwise Processed by, or on behalf of, the Merchant:


3.1. EBANX shall Process Personal Data only in accordance with the Agreement, the DPA, and this APAC Term, to the extent applicable, and the Merchant's documented instructions, including with regard to any transfers of Personal Data to a jurisdiction outside the jurisdiction of EBANX's operations in which such Personal Data was originally collected or otherwise Processed by, or on behalf of the Merchant.


3.2. EBANX must comply with the APAC Data Protection Requirements in respect to such transfer and ensure that any such transfer does not cause the Merchant to be in breach of any APAC Data Protection Requirements. The description of the Processing will be specified in the Agreement.


3.3. Without limiting clauses 3.1 and 3.2, EBANX shall ensure that any transfer of Merchant Data is made in accordance with a valid transfer mechanism, as applicable, in accordance with Applicable Law (including the APAC Data Protection Requirements).




SCHEDULE D: EUROPEAN REGION TERMS


1. DEFINITIONS AND APPLICABILITY: In addition to the defined terms in the DPA, the following definitions apply to these European Region Terms:


1.1. The terms “controller”, “data subject”, “processor”, and “supervisory authority” shall have the same meanings as in the GDPR or the UK GDPR (as applicable), and the terms “processed” and “process” shall be construed in accordance with the definition of “processing” described below. The terms “personal data” and “processing” in these European Region Terms shall have the same meanings as in the GDPR or the UK GDPR (as applicable) and not, for the avoidance of doubt, the definitions of “Personal Data” and “Processing” as set out in the DPA.


1.2. “Approved Purpose” means the purpose(s) for which Company may process the personal data it receives from the Merchant as a controller following the Agreement, including as may be expressly specified in the Agreement.


1.3. "Controller" means the Merchant, EBANX, and its Affiliates, which act as controllers of personal data subject to the GDPR or UK GDPR and processed in connection with the Agreement or in the performance of the Services.


1.4. "SCCs" means the European Commission’s standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in annex to Commission Decision 2021/914, which, as of the Last Updated date, are available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, and which are incorporated herein by reference.


1.5. "UK Addendum" means the UK Information Commissioner's Office's International Data Transfer Addendum to the SCCs, which, as of the Last Updated date, is available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf, and which is incorporated herein by reference.




2. CONTROLLER TERMS

2.1. The Merchant and EBANX will act as sole Controllers according to the scope of the Agreement, and Personal Data will be exchanged between the Merchant and EBANX, applying the European Data Protection Requirements. The Parties agree as follows:


2.2. If personal data is exchanged between the Merchant and EBANX in connection with the Agreement or the provision of the Services:

a) To the fullest extent permitted by applicable European Data Protection Requirements, the Parties shall each be independent controllers of the personal data and, as such, shall independently determine the purposes and the means of the processing of that personal data;

b) Each Party shall be individually responsible for ensuring that its processing of the personal data is lawful, fair, and transparent in accordance with applicable European Data Protection Requirements, including where applicable on the basis that the data subject has unambiguously given his or her consent, or on the basis of some other valid ground provided for in applicable European Data Protection Requirements; and

c) Each Party shall implement and maintain appropriate technical and organisational measures to protect any such personal data in their possession or control from: (i) accidental or unlawful destruction; and (ii) loss, alteration, or unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by any processing and the nature of the personal data to be protected.



3. INTERNATIONAL TRANSFERS


3.1. If personal data is transferred by Merchant to EBANX in connection with the Agreement and EBANX is located outside the European Economic Area (“EEA”), such transfer shall be governed by the SCCs. For the avoidance of doubt, the following clauses or the UK Addendum shall not apply to the extent that personal data is transferred to a country or territory which is, at the time of such transfer, deemed to ensure an adequate level of protection by the European Commission or by the UK Information Commissioner's Office.


3.2. For the purposes of the EU SCCs, the following shall apply:

a) Module One (Controller to Controller) shall apply. 

b) Clause 11: The optional clause allowing data subjects to lodge a complaint with an independent dispute resolution body is removed. 

c) Clause 17: as defined in the Agreement.

d) Clause 18: The EU Member State where any dispute arising from these Clauses shall be resolved is the courts of the jurisdiction stipulated in the Agreement.


3.3. For the purposes of the Annex I of the SCCs:

a) LIST OF THE PARTIES

  • Data exporter(s): 

Name: Merchant and its Affiliates, as defined in the Agreement. 

Address: as defined in the Agreement. 

Contact person’s name: as defined in the Agreement. 

Activities relevant to the data transferred under these Clauses: All data processing activities agreed under the Agreement.

Signature and date: Signed and dated for and on behalf of the data exporter by execution of the Agreement.

Role: Controller.

  • Data importer(s): 

Name: EBANX and its Affiliates, as defined in the Agreement. 

Address: as defined in the Agreement. 

Contact person's name: Giovanna Michelato, Data Protection Officer, privacy@ebanx.com

Activities relevant to the data transferred under these Clauses: All data processing activities agreed under the Agreement.

Signature and date:

b) DESCRIPTION OF TRANSFER

  • Categories of data subjects whose personal data is transferred: Merchant's customers. 

  • Categories of personal data transferred: identification personal data (name, phone, email address, IP address and device identifier, government identification number, purchase information). Additional data may be transferred according to regulations and the Parties' Privacy Notice.

  • Sensitive data transferred: not applicable.

  • The frequency of the transfer: the data transfer is continuous throughout the provision of the services.

  • Nature and purpose of the processing: EBANX's activity is as described in the Services under the Agreement. These responsibilities are focused on facilitating the Merchant's payment processing. This includes receiving payment information from the Merchant's customers, verifying its accuracy and completeness, obtaining payment authorization, and settling the authorized funds directly with the Merchants.

  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: EBANX shall process Personal Data during the term of the Agreement and for the period required by the Applicable Law and not thereafter, except if the Merchant explicitly instructs EBANX to do so.

c) SUPERVISORY AUTHORITY

  • Identify the competent supervisory authority/ies in accordance with Clause 13: as defined in the Agreement.


3.4. Without prejudice to the provisions set out in Sections 4.2 to 4.6 of these European Region Terms, nothing in the Agreement or this DPA (including these European Region Terms) is intended to vary or modify the SCCs. The Merchant and EBANX agree that the optional Section I, Clause 7, and the optional paragraph in Section II, Clause 11 in the SCCs shall not apply.


3.5. For the purposes of the UK Addendum, as permitted by Clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:

a) the details of the parties in Table 1 shall be as set out above (with no requirement for signature);

b) for the purposes of Table 2, the addendum shall be appended to the EU SCCs (including the selection of modules and the application/disapplication of such optional clauses as specified above); and 

c) the appendix information listed in Table 3 is as set out above. 


3.6. In the event that the SCCs or the UK Addendum are (i) deemed invalid by the European Commission, the UK Information Commissioner's Office, a relevant regulator, or supervisory authority for whatever reason, or (ii) superseded by other standard contractual clauses issued or approved by the European Commission, the UK Information Commissioner's Office, a relevant regulator or supervisory authority, the Merchant and EBANX shall immediately comply with such other standard contractual clauses or any other valid mechanism under European Data Protection Requirements for transferring and processing personal data outside the EEA and/or the UK (as applicable).