Last Updated: September 1st, 2025
This Data Processing Agreement ("DPA") forms part of the Master SaaS Agreement, or the Order Form, or the SaaS Terms and Conditions (the "Agreement") between Digital Assets Security, Inc, or Spikerz Security Ltd. ("Spikerz") and the entity who acquires the Services under the Agreement (the "Customer") (each a "Party" and together the"Parties"). This DPA reflects theParties’ agreement with regard to the Processing of Personal Data. Allcapitalized terms not defined herein will have the meaning set forth in theAgreement or under the applicable law.
In the course ofproviding the Services to Customer pursuant to the Agreement, Spikerz mayProcess Personal Data on behalf of Customer. The Parties agree to comply withthe following provisions with respect to Personal Data Processed by Spikerzas part of the Services for Customer. 1. DEFINITIONS
1.1. "Controller"means an entity that determines the purposes and means of the Processing ofPersonal Data and shall include "Business" as defined by the CCPA.
1.2. "Customer Data Subjects"means Data Subjects whose Customer Personal Data is provided to Spikerz by theCustomer for Processing in connection with the Services.
1.3. "Customer Personal Data"means any Personal Data provided or made available to Spikerz by the Customerin connection with the Services.
1.4. "Personnel"means Spikerz’s employees and contractors engaged in the Processing of CustomerPersonal Data.
1.5. "Personal Data" means any information relating to an identified or identifiable natural person; anidentifiable natural person is one who can be identified, directly orindirectly and shall include "PersonalInformation" as defined in CCPA.
1.6. "Personal Data Breach"means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, or harm to theintegrity of, Customer Personal Data.
1.7. "Processor"means an entity which Processes Personal Data on behalf of the Controller and shall include "Service Provider" as defined by the CCPA.
1.8. "Purposes"mean (i) Spikerz’s provision of the Services in accordance with the Agreement, and (ii) further documented, reasonable instructions from Customer agreed upon by the Parties.1.1. "Services"shall have the meaning ascribed to it in the Agreement.
1.9. "Subprocessors" means any entity appointed by Spiker to Process Personal Data on behalf of Customer in connection with the Agreement, excluding any employee of Spiker.
1.10. "Supervisory Authority"means an independent public authority or a government agency established by a country, state, or territory that has appropriate jurisdiction over a Party regarding that Party’sProcessing of Personal Data.
1.11. "Data Subject", "Consumer" and "Process"or "Processing" shall have the meanings given to them or equivalent terms under applicable applicablelaw.
2.1. Scope and Roles. This DPA applies when Personal Data is Processed by Spikerz as part of Spikerz’s provision of the Services. In this context, Customer is the Controller (or Business under the CCPA) and Spikerz is the Processor (or Service Provider under the CCPA).
2.2. Details of Processing. The details of the Processing of Customer Personal Data are set forth in Annex Iof this DPA.
2.3. Customer’s Instructions. Spikerz will only ProcessCustomer Personal Data on behalf of Customer for the Purposes. Customer undertakes to provide Spikerz with lawful instructions only. The Parties agree that theAgreement and this DPA sets out Customer’s complete and final instructions to Spikerzfor the Processing ofPersonal Data. Spikerz will inform Customer immediately, if in Spikerz’s opinion an instruction infringes any provision under the applicable law and will be under no obligation to follow such instruction.
2.4. Notice and Legal Basis.Customer will document and provide all necessary notices to Data Subjects and obtain all necessary permissions and consents, to the extent required under applicable laws.
2.5. Spikerz will not (1) "Sell" or "Share" Personal Data as those terms are defined under the CCPA, (2) retain, use or disclose Personal Data for any purpose other than for the specific Purposes, except as permitted under the applicable laws, and (3) combine Personal Data that Spikerz receives or accesses to it from the Customer, except as permitted under the applicable laws. Customer will not transfer and/or disclose "Sensitive Personal Information" (as defined under the CCPA) to Spikerz, unless (1) it has expressly notified Spikerz in writing; (2) Customer provides Spikerz specific instructions regarding suchSensitive Personal Information, and in such a case, Spikerz will not retain or use such Sensitive Personal Information other than in accordance with such instructions.
3.1. Data Subject Requests. To the extent legally permitted, Spikerz shall promptly notifyCustomer if Spikerz receives a request from aCustomer Data Subject that identifies Customer and seeks to exercise the DataSubject’s rights. Taking into account the nature of the Processing, Spikerz will assist Customer by reasonable technical and organizational measures, insofar as this is possible, for the fulfillment ofCustomer's obligations regarding Data Subjects' requests
3.2. Data Protection Impact Assessment and Prior Consultation. Spikerz shall provide reasonable assistance to Customer to conduct data protection impact assessment and prior consultation with Supervisory Authorities, all in relation to Spikerz’s Processing of Customer Personal Data.
3.3. GovernmentInquiries. In the event Spikerz receives any subpoena, warrant or other judicial order by a government or other regulatory authority requiring access to or disclosure of Customer Personal Data ("Government Authority Request"),and unless such notice is prohibited by law, Spikerz will notify Customer of such Government Authority Request to enable the Customer to take necessary actions, to communicate directly with the relevant authority and to respond to the request.
4.1 Spikerz will ensure that access to Personal Data by its Personnel is limited to need to know and/or access basis to perform the Agreement and subject to written confidentiality undertakings or statutory obligations of confidentiality.
5.1. Spikerz may engage Subprocessors to Process Customer Personal Datain connection with the Services. Customer hereby provides Spikerz with a general authorization to engage Subprocessors for the provision of theServices.
5.2. Spikerz may replace or engage with a new Subprocessor ("New SubProcessor")to Process Personal Data on Customer's behalf. Spikerz will notify the Customer of the intended engagement with the New Sub processor ten (10) days prior to such engagement. Customer may object to a New Sub processor on reasonable grounds relating to the protection of the Personal Data, within ten (10) days following Spikerz’s written notice. In such an event, the Parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, Spikerz, at its own discretion, will either not appoint or replace the Subprocessor or will permit Customer to suspend or terminate the Agreement on thirty (30) days written notice. If Customer does not object within thirty (10)days after notification, Customer is deemed to have accepted the new Subprocessor.
6.1. Customer agrees that Spikerz may transfer Customer Personal Data outside the EEA, the United Kingdom, or otherrelevant geographic territory as necessary to provide the Service, in accordance with this DPA and ensuring that all transfers are made in accordance with appropriate safeguards for the transfer of Customer Personal Data.
7.1 Spikerz shall implement and maintain appropriate technical and organizational measures to ensure a level of security of Personal Data appropriate to the risk, taking into account the nature, scope and context of the Processing and the costs of implementation.
8.1. Personal Data Breach Communications. Spikerz will notify Customer without undue delay after becoming aware of a PersonalData Breach related to Customer Personal Data and provide Customer withnecessary available information about the Personal Data Breach.
8.2. Personal Data Breach Notification.In the event of a Personal Data Breach, any notification to the relevantSupervisory Authorities or Data Subjects, if required, will be the soleresponsibility of Customer and Spikerz shall reasonably assist Customer uponrequest.
9.1. Upon receipt of a writtenCustomer’s request, Spikerz will make available to Customer a report ofavailable information necessary for Customer subjectto confidentiality obligations.
9.2. Tote extent that Spikerz's provision of an audit report does not providesufficient information, or if there is no audit report or Customer is requiredto respond to a Supervisory Authority, Customer may audit Spikerz, subject tothe following provisions: (i) the auditor will be pre-approved in writing with Spikerz;(ii) the audit will be pre-scheduled in writing with Spikerz, at leastforty-five (45) days in advance; (iii) the auditor will execute anon-disclosure and non-competition undertaking toward Spikerz; (iv) the auditoill not have access to non-Customer Personal Data; (v) Parties shall mutuallydetermine in advance the details of the audit, including reasonable start date,cope, duration, security and confidentiality controls applicable to the audit;(vi) Customer will make sure that heaudit will not interfere with or damage Spikerz's business activities andinformation and network systems; (vii) Customer will bear all costs and assumeresponsibility and liability for the audit; (viii) the auditor will firstdeliver a draft report to Spikerz and allow Spikerz reasonable time and no lessthan ten (10) business days, to review and respond to the auditor’s findings,before submitting the report to the Customer; (IX) any information arising fromany adit are deemed to be Spikerz's confidential information;and (X) as soon as the purpose of theaudits completed, Spikerz will permanently dispose of the audit report.
10.1. PersonalData Deletion. Within reasonable time after the end of the provision of the Services or upon Customer reasonable request, Spikerz will return Customer Personal Data to Customer or delete such Customer PersonalData, at Customer’s choice. Notwithstanding, Customer acknowledges and agrees that Spikerz may retain copies of Customer Personal Data as necessary in order to ensure compliance with applicable law.
10.2. Anonymized and Aggregated Data. Customer authorizes Spikerz to anonymize, de-identify and aggregate Personal Data for Spikerz's legitimate business purposes, including for testing, development, improvement, security, controls, and operations of the Services, and to share and retain such PersonalData at Spikerz's discretion.
11.1 This DPA will commence on the later of the date of its execution or the effectivedate of the Agreement to which it relates and will continue until the Agreementexpires or is terminated.
12.1 Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by thosevalid provisions which achieve essentially the same objectives.