Data Processing Agreement (DPA)
Last updated: December 09, 2025
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between you (the "Controller" or "Customer") and Binance Auto Trading ("Processor" or "Company") for the provision of automated cryptocurrency trading services (the "Services").
This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Services, in compliance with applicable data protection laws including the General Data Protection Regulation (GDPR) (EU) 2016/679, the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
1 Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.
- "Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.
- "Sub-processor" means any third party appointed by the Processor to process Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, UK GDPR, CCPA, and other applicable privacy legislation.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.
2 Scope and Applicability
This DPA applies to all processing of Personal Data by the Processor in connection with the provision of the Services to the Controller.
Subject Matter: Provision of automated cryptocurrency trading services
Duration: The term of this DPA shall commence on the date the Controller first uses the Services and continue until all Personal Data has been deleted or returned in accordance with this DPA.
Nature and Purpose of Processing: The Processor will process Personal Data for the purpose of providing automated trading services, account management, transaction processing, customer support, and related services as described in the Privacy Policy.
Categories of Personal Data:
- Identity data (name, username, date of birth)
- Contact data (email address, phone number, physical address)
- Financial data (bank account details, payment card information, transaction history)
- Technical data (IP address, browser type, device information)
- Trading data (portfolio information, trading history, preferences)
- Usage data (log data, analytics information)
Categories of Data Subjects: Users of the Platform, including individual traders, customers, and website visitors.
3 Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5 below
- Respect the conditions for engaging Sub-processors as set out in Section 4 below
- Assist the Controller in responding to Data Subject requests and fulfilling the Controller's obligations under Data Protection Laws
- Assist the Controller in ensuring compliance with data security, breach notification, data protection impact assessment, and prior consultation obligations
- Delete or return all Personal Data to the Controller at the end of the provision of Services, unless applicable law requires storage of the Personal Data
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections
- Immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws
4 Sub-processors
4.1 Authorization: The Controller provides general authorization for the Processor to engage Sub-processors to process Personal Data, subject to the conditions set out in this Section.
4.2 Current Sub-processors: The Processor currently engages the following categories of Sub-processors:
- Cloud Infrastructure Providers: Amazon Web Services (AWS), Google Cloud Platform
- Payment Processors: Stripe, PayPal, cryptocurrency payment gateways
- KYC/AML Verification Services: Identity verification and compliance service providers
- Customer Support Tools: Intercom, Zendesk, or similar platforms
- Email Services: SendGrid, Mailgun, or similar email delivery services
- Analytics Services: Google Analytics, Mixpanel, or similar analytics platforms
4.3 Sub-processor Obligations: The Processor shall:
- Enter into a written contract with each Sub-processor imposing data protection obligations equivalent to those in this DPA
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations
- Provide at least 30 days' notice before authorizing any new Sub-processor or making changes to existing Sub-processors
- Provide the Controller with an opportunity to object to such changes on reasonable grounds within the notice period
4.4 List of Sub-processors: An up-to-date list of Sub-processors is available upon request at privacy@binanceauto.com.
5 Technical and Organizational Security Measures
The Processor implements the following security measures to protect Personal Data:
5.1 Encryption:
- TLS/SSL encryption for data in transit
- AES-256 encryption for data at rest
- End-to-end encryption for sensitive communications
5.2 Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for all access
- Least privilege access principles
- Regular access reviews and audits
5.3 Network Security:
- Firewalls and intrusion detection/prevention systems
- Network segmentation and isolation
- DDoS protection and mitigation
- VPN for remote access
5.4 Data Backup and Recovery:
- Regular automated backups
- Geographically distributed backup storage
- Disaster recovery and business continuity plans
- Regular recovery testing
5.5 Physical Security:
- Data centers with 24/7 security monitoring
- Biometric access controls
- Video surveillance
- Environmental controls (fire suppression, climate control)
5.6 Organizational Measures:
- Information security policies and procedures
- Employee training and awareness programs
- Confidentiality agreements
- Regular security audits and assessments
- Incident response and management procedures
6 Data Subject Rights Assistance
The Processor shall assist the Controller in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access: Provide access to Personal Data
- Right to rectification: Correct inaccurate or incomplete Personal Data
- Right to erasure: Delete Personal Data ("right to be forgotten")
- Right to restriction of processing: Restrict processing in certain circumstances
- Right to data portability: Provide Personal Data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
The Processor shall respond to the Controller's requests for assistance within 10 business days and provide all reasonable assistance to enable the Controller to respond to Data Subject requests within applicable legal timeframes.
7 Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
- Provide the following information (to the extent available):
  - Description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
  - Name and contact details of the data protection officer or point of contact
  - Description of the likely consequences of the breach
  - Description of measures taken or proposed to address the breach and mitigate potential adverse effects
- Cooperate with the Controller and provide reasonable assistance in investigating and remediating the breach
- Document all Personal Data breaches and make this information available to the Controller upon request
- Not publicly disclose any Personal Data breach without prior written consent from the Controller, except as required by law
8 Audits and Compliance Verification
The Processor shall:
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller
- Provide audit reports, certifications, and attestations (e.g., SOC 2, ISO 27001) upon request
- Provide at least 30 days' advance notice for on-site audits, unless otherwise agreed or required by a Supervisory Authority
Audits shall be conducted during regular business hours and shall not unreasonably interfere with the Processor's business operations. The Controller shall bear the costs of such audits.
9 International Data Transfers
Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to countries that do not provide an adequate level of data protection, the Processor shall ensure that such transfers are subject to appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules
- Adequacy decisions by the European Commission
- Other legally approved transfer mechanisms
The Standard Contractual Clauses (as applicable) are hereby incorporated into and form part of this DPA.
10 Data Retention and Deletion
Upon termination or expiration of the Services, the Processor shall, at the Controller's choice:
- Delete all Personal Data and existing copies (unless applicable law requires storage); or
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format
The Controller must make its choice within 30 days of termination. If no choice is made, the Processor shall delete all Personal Data.
The Processor may retain Personal Data to the extent required by applicable law, provided that it continues to ensure confidentiality and security of such Personal Data.
Upon request, the Processor shall provide written certification of deletion or return of Personal Data.
11 Limitation of Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions in the Terms and Conditions.
Nothing in this DPA shall limit either party's liability for:
- Fraud or fraudulent misrepresentation
- Gross negligence or willful misconduct
- Violations of Data Protection Laws to the extent such limitations are prohibited by law
- Data breaches caused by failure to implement appropriate security measures
12 Term and Termination
This DPA shall commence on the date the Controller first uses the Services and continue until the earlier of:
- Termination of the Terms and Conditions
- Completion of all processing of Personal Data by the Processor
Sections relating to confidentiality, data deletion, limitation of liability, and any other provisions that by their nature should survive shall survive termination of this DPA.
13 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Terms and Conditions, without regard to conflict of law principles.
For Data Subjects in the EU/EEA, UK, or Switzerland, this DPA shall also be governed by applicable Data Protection Laws, and the parties agree to submit to the jurisdiction of the courts or Supervisory Authorities in the Data Subject's country of residence for matters related to data protection.
14 Amendments
The Processor may amend this DPA from time to time to reflect changes in Data Protection Laws or business practices. Material changes will be communicated to the Controller with at least 30 days' notice.
If the Controller objects to any amendments, it may terminate the Services within the notice period. Continued use of the Services after the notice period constitutes acceptance of the amendments.
15 Contact Information
For any questions or concerns regarding this DPA, please contact:
- Data Protection Officer: dpo@binanceauto.com
- Legal Department: legal@binanceauto.com
- Privacy Team: privacy@binanceauto.com
- Address: 123 Crypto Street, Suite 456, San Francisco, CA 94102, USA
ACKNOWLEDGMENT: By using our Services, the Controller acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement. This DPA supplements and forms an integral part of the Terms and Conditions between the parties.