Data Processing Agreement

1. Parties

This DPA is entered into between:

• Data Controller ("Controller"): The customer who has agreed to the PlatiqData Analytics Terms of Service and who determines the purposes and means of processing personal data through the Service.
• Data Processor ("Processor"): MySpace MyVibe LLC, a Wyoming limited liability company, with its registered address at 30 N Gould St Ste 100, Sheridan, WY 82801, United States, operating the PlatiqData Analytics service.

This DPA supplements and forms an integral part of the Terms of Service and the Privacy Policy. In the event of a conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to the processing of personal data.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the GDPR.

• Personal Data means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
• Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• Sub-processor means any third party appointed by the Processor to process Personal Data on behalf of the Controller in connection with the provision of the Service.
• Data Subject means the identified or identifiable natural person to whom the Personal Data relates.
• Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
• Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission.

3. Scope and Purpose of Processing

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing and maintaining the PlatiqData Analytics service as described in the Terms of Service. This includes:

• Authenticating and managing user accounts
• Providing the analytics dashboard, query execution, and visualization features
• Managing subscription billing and payment processing
• Sending transactional communications (e.g., account verification, password resets, billing notifications)
• Maintaining audit logs for security and compliance purposes
• Providing customer support

The Processor shall not process Personal Data for any purpose other than those specified in this DPA or as otherwise documented and instructed by the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure.

4. Data Processing Details

The following describes the categories of data processed by PlatiqData Analytics:

Categories of Data Subjects

• Controller's employees, contractors, and authorized users of the Service
• Controller's administrators and billing contacts

Types of Personal Data Processed

• Account information: Name, email address, hashed password, organization name, role assignments
• Usage data: Login timestamps, feature interactions, session duration, IP addresses, browser and device information
• Analytics metadata: Dashboard configurations, saved queries, chart definitions, database connection parameters (encrypted)
• Billing data: Subscription tier, payment history, invoice records (payment card details are processed exclusively by Stripe and are never stored by the Processor)
• Audit logs: User actions, access events, and administrative changes for security and compliance

Data Not Processed

PlatiqData Analytics does not store the Controller's underlying database content. The Service connects to Controller-owned databases to execute queries and render visualizations in real time. Query results are transmitted for display purposes only and are not persistently stored on the Processor's infrastructure unless the Controller explicitly enables a caching feature. The Controller's source data remains at all times within the Controller's own infrastructure.

5. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR
• Respect the conditions for engaging Sub-processors as set out in Section 6 of this DPA
• Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under the GDPR
• Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
• At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires retention
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits and inspections as set out in Section 10 of this DPA

Security Measures

The Processor implements and maintains the following technical and organizational security measures:

• Encryption in transit: All data transmitted between users, the Service, and connected databases is encrypted using TLS 1.2 or higher (TLS 1.3 preferred)
• Encryption at rest: All Personal Data stored on the Processor's infrastructure is encrypted using AES-256 encryption
• Tenant isolation: Multi-tenant architecture with strict logical isolation between customer environments, ensuring no cross-tenant data access
• Role-based access control (RBAC): Granular permission system restricting access to Personal Data based on user roles and organizational membership
• Audit logging: Comprehensive logging of all access events, administrative actions, and data operations for security monitoring and forensic analysis
• Infrastructure security: Hardened server configuration, firewall rules, intrusion detection, automated security updates, and DDoS protection via Cloudflare
• Credential management: Database connection credentials provided by the Controller are stored encrypted and are never logged or exposed in plaintext
• Access controls: Administrative access to production infrastructure is restricted to authorized personnel via SSH key authentication with multi-factor authentication

6. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors for the processing of Personal Data, subject to the conditions set out in this section. The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

Current Sub-processors

Changes to Sub-processors

The Processor shall notify the Controller at least 30 days in advance before adding or replacing any Sub-processor. The notification shall include the identity of the proposed Sub-processor, the nature of the processing to be performed, and the location of processing. The Controller may object to the appointment of a new Sub-processor on reasonable grounds related to data protection within 14 days of receiving such notification. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected service by providing written notice.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including the right to:

• Access (Article 15) — Obtain confirmation of whether Personal Data is being processed and access a copy of that data
• Rectification (Article 16) — Request correction of inaccurate Personal Data or completion of incomplete data
• Erasure (Article 17) — Request deletion of Personal Data where the legal grounds for processing no longer apply
• Portability (Article 20) — Receive Personal Data in a structured, commonly used, machine-readable format
• Restriction of processing (Article 18) — Request restriction of processing under the conditions specified in the GDPR
• Objection (Article 21) — Object to processing of Personal Data based on legitimate interests or direct marketing

If the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request directly unless instructed to do so by the Controller or required by applicable law. The Processor shall provide reasonable technical and organizational assistance to enable the Controller to respond to such requests within the timeframes required by the GDPR.

8. International Data Transfers

The PlatiqData Analytics platform is hosted on infrastructure located in Falkenstein, Germany, within the European Union. The primary processing of Personal Data occurs within the EU.

Where Personal Data is transferred to Sub-processors located outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:

• Adequacy decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection
• Standard Contractual Clauses (SCCs): Transfers to the United States and other third countries are governed by the European Commission's Standard Contractual Clauses (Module 3: Processor to Sub-processor), as adopted by Commission Implementing Decision (EU) 2021/914
• EU-U.S. Data Privacy Framework: Where applicable, reliance on Sub-processor certifications under the EU-U.S. Data Privacy Framework

The Controller may request information about the specific safeguards applied to any particular transfer by contacting the Processor at the address provided in Section 14.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include, to the extent available:

• A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
• The name and contact details of the Processor's designated contact point from whom further information can be obtained
• A description of the likely consequences of the Data Breach
• A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

Where it is not possible to provide all information at the same time, the Processor shall provide it in phases without further undue delay. The Processor shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make this documentation available to the Controller upon request.

The Processor shall cooperate with and assist the Controller in complying with the Controller's notification obligations under Articles 33 and 34 of the GDPR.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:

• The Controller shall provide at least 30 days' written notice before conducting an audit
• Audits shall be limited to once per calendar year, unless required by a supervisory authority or in response to a Data Breach
• Audits shall be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations
• The Controller's auditor shall be bound by appropriate confidentiality obligations
• The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor

The Processor may satisfy audit requests by providing relevant certifications, attestations, or audit reports from qualified independent third-party auditors, provided such documentation is reasonably sufficient to demonstrate compliance.

11. Data Retention and Deletion

Upon termination or expiration of the Controller's subscription to the Service, the Processor shall, at the Controller's election:

• Delete all Personal Data processed on behalf of the Controller, including all copies, within 30 days of termination; or
• Return all Personal Data to the Controller in a structured, commonly used, machine-readable format within 30 days of termination, and subsequently delete all remaining copies

The Processor shall confirm the completion of deletion in writing upon the Controller's request.

Notwithstanding the foregoing, the Processor may retain Personal Data to the extent required by applicable law, regulation, or court order, provided that the Processor:

• Limits retention to the minimum data necessary to satisfy the legal obligation
• Maintains appropriate security measures for the retained data
• Deletes the retained data once the legal obligation has been fulfilled

Audit logs may be retained beyond the 30-day deletion period where required for compliance with applicable legal, regulatory, or contractual obligations. Such retention shall be limited to the minimum period necessary and the data shall remain protected by the security measures described in this DPA.

12. Duration and Termination

This DPA shall take effect upon the Controller's acceptance of the Terms of Service and shall remain in force for the duration of the Controller's subscription to the Service.

The obligations of the Processor under this DPA shall survive the termination or expiration of the subscription agreement to the extent necessary to complete the deletion or return of Personal Data as described in Section 11, and to the extent required by applicable law.

Sections 5 (Processor Obligations), 9 (Data Breach Notification), 10 (Audit Rights), and 11 (Data Retention and Deletion) shall survive termination of this DPA.

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the State of Wyoming, United States, without regard to its conflict of law provisions.

Notwithstanding the foregoing, where the GDPR applies to the processing of Personal Data under this DPA, the provisions of the GDPR shall take precedence over any conflicting provisions of the governing law with respect to data protection matters.

Any disputes arising from or relating to this DPA shall be subject to the exclusive jurisdiction of the state and federal courts located in Wyoming, United States, except where a supervisory authority or Data Subject has the right to bring proceedings before the courts of a different jurisdiction under the GDPR.

14. Contact

For questions, requests, or notifications related to this Data Processing Agreement, including Data Subject requests, data breach notifications, Sub-processor change objections, and audit requests, please contact:

Data Protection Contact

[email protected]

MySpace MyVibe LLC
30 N Gould St Ste 100
Sheridan, WY 82801
United States