Data Processing Agreement

2.1 GDPR Definitions

• "Personal Data": Any information relating to an identified or identifiable natural person
• "Processing": Any operation performed on personal data
• "Data Controller": The entity determining the purposes and means of processing
• "Data Processor": The entity processing personal data on behalf of the controller
• "Data Subject": The individual to whom personal data relates
• "Supervisory Authority": The independent public authority monitoring GDPR compliance

2.2 Agreement Definitions

• "Services": The services provided by the Data Processor to the Data Controller
• "Sub-processor": Any third party engaged by the Data Processor to process personal data
• "Security Incident": Any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data

3.1 Subject Matter

The Data Processor shall process personal data on behalf of the Data Controller for the purpose of providing campervan rental services, including but not limited to:

• Customer account management and authentication
• Booking and reservation processing
• Payment processing and financial transactions
• Customer support and communication
• Insurance and claims management
• Analytics and service improvement

3.2 Duration

This DPA shall remain in effect for the duration of the service agreement between the parties and shall terminate automatically upon the termination of the main agreement.

4.1 Categories of Data Subjects

• Customers and potential customers
• Website visitors and users
• Business partners and affiliates
• Employees and contractors
• Third-party service providers

4.2 Types of Personal Data

• Identity Data: Name, date of birth, passport/ID numbers
• Contact Data: Email addresses, phone numbers, postal addresses
• Financial Data: Payment card details, bank account information
• Technical Data: IP addresses, browser types, device information
• Usage Data: Website interactions, booking history, preferences
• Location Data: GPS coordinates, travel destinations
• Blockchain Data: Wallet addresses, transaction hashes

4.3 Processing Operations

• Collection and storage of personal data
• Data analysis and profiling
• Communication and marketing activities
• Payment processing and financial transactions
• Customer support and service delivery
• Compliance and regulatory reporting

6.1 General Obligations

• Process personal data only on documented instructions from the Data Controller
• Ensure that persons authorized to process personal data have committed themselves to confidentiality
• Implement appropriate technical and organizational measures to ensure data security
• Assist the Data Controller in responding to data subject requests
• Assist the Data Controller in ensuring compliance with GDPR obligations
• Delete or return all personal data after the end of services
• Make available to the Data Controller all information necessary to demonstrate compliance

6.2 Security Measures

The Data Processor shall implement the following security measures:

• Encryption: Data encryption in transit and at rest
• Access Control: Role-based access control and authentication
• Network Security: Firewalls, intrusion detection, and monitoring
• Physical Security: Secure data centers and facilities
• Backup and Recovery: Regular backups and disaster recovery procedures
• Incident Response: Security incident detection and response procedures
• Employee Training: Regular security awareness training

7.1 General Authorization

The Data Controller grants the Data Processor general written authorization to engage sub-processors, subject to the following conditions:

• The Data Processor shall inform the Data Controller of any intended changes concerning sub-processors
• The Data Controller shall have the right to object to such changes within 30 days
• The Data Processor shall impose the same data protection obligations on sub-processors
• The Data Processor shall remain fully liable to the Data Controller for the performance of sub-processors

7.2 Current Sub-processors

The following sub-processors are currently authorized:

• Stripe: Payment processing services
• Web3Auth: Blockchain authentication services
• Google Analytics: Website analytics services
• AWS/Cloud Providers: Cloud hosting and storage services
• Email Service Providers: Communication services

8.1 Assistance Obligations

The Data Processor shall assist the Data Controller in fulfilling data subject requests by:

• Providing technical and organizational support
• Implementing data subject rights requests
• Providing information about processing activities
• Facilitating data portability requests
• Supporting data deletion and rectification

8.2 Response Times

The Data Processor shall respond to data subject requests within:

• Access requests: 30 days
• Rectification requests: 15 days
• Erasure requests: 30 days
• Portability requests: 30 days
• Objection requests: 15 days

9.1 Notification Requirements

In the event of a security incident, the Data Processor shall:

• Notify the Data Controller without undue delay, and in any event within 72 hours
• Provide detailed information about the nature of the incident
• Describe the likely consequences and measures taken or proposed
• Provide the contact details of the data protection officer or other contact point
• Cooperate with the Data Controller in investigating and resolving the incident

9.2 Incident Response

The Data Processor shall implement appropriate incident response procedures including:

• Immediate containment and mitigation measures
• Forensic analysis and investigation
• Communication with relevant authorities
• Documentation and reporting
• Post-incident review and improvement

11.1 International Transfers

Where personal data is transferred outside the European Economic Area (EEA), the Data Processor shall ensure that appropriate safeguards are in place, such as:

• Adequacy decisions by the European Commission
• Standard contractual clauses approved by the European Commission
• Binding corporate rules
• Certification schemes
• Codes of conduct

11.2 Documentation

The Data Processor shall maintain documentation of all international data transfers and the safeguards implemented.

12.1 Liability

Each party shall be liable to the other party for any damages caused by its breach of this DPA. The Data Processor shall be liable to the Data Controller for any damages caused by the processing of personal data in breach of this DPA.

12.2 Indemnification

The Data Processor shall indemnify and hold harmless the Data Controller from and against any claims, damages, losses, or expenses arising from the Data Processor's breach of this DPA or applicable data protection laws.

13.1 Return or Deletion of Data

Upon termination of this DPA, the Data Processor shall:

• Return all personal data to the Data Controller, or
• Delete all personal data in its possession or control
• Provide written confirmation of deletion
• Ensure that any sub-processors also delete the data

13.2 Survival

The following provisions shall survive termination of this DPA:

• Confidentiality obligations
• Liability and indemnification provisions
• Dispute resolution procedures
• Any provisions necessary to give effect to the parties' intentions

Data Controller (Waykiko LTD)

Email: [email protected]

Data Protection Officer: [email protected]