Data Processing Addendum

Effective Date: April 21, 2026

Last Updated: April 21, 2026

Aidfine provides a Data Processing Addendum for business customers requiring processor terms for personal data contained in Customer Data processed through the Services.

This DPA should be read together with the Terms & Conditions and Privacy Policy.

1. Introduction / Scope

This Data Processing Addendum ("DPA") applies where, and only to the extent that, Aidfine LLC ("Aidfine") processes Customer Personal Data on behalf of a business customer ("Customer") in connection with the Services.

This DPA is intended to supplement the applicable Terms & Conditions, Order Form, checkout flow, subscription terms, or other agreement governing Customer's use of the Services (collectively, the "Agreement").

This DPA does not apply to processing for which Aidfine acts as an independent controller or business, including processing relating to account administration, billing and payment operations, fraud prevention, service security, legal compliance, and related business operations outside the scope of Customer Data processed on Customer's behalf.

2. Role of the Parties

As between the parties, Customer acts as the controller or analogous business customer with respect to Customer Personal Data, and Aidfine acts as the processor or analogous service provider, to the extent Aidfine processes Customer Personal Data contained in Customer Data on Customer's behalf.

Customer remains responsible for determining the purposes of processing, selecting the categories of personal data submitted to the Services, establishing an appropriate legal basis, and providing any required notices to data subjects.

Aidfine acts as an independent controller or business for data it processes for its own account, including data relating to account administration, subscription and billing management, payment operations, fraud prevention, service security, direct customer relationship management, and legal compliance.

3. Customer Instructions

Customer's use of the Services, administrative configuration of the Services, the Agreement, and Customer's written communications and support instructions together constitute Customer's documented instructions to Aidfine for the processing of Customer Personal Data under this DPA.

Aidfine will process Customer Personal Data only on documented instructions from Customer, as necessary to provide, secure, support, maintain, and improve the Services in accordance with the Agreement, or as otherwise required by applicable law.

Aidfine may refuse or suspend any instruction that is unlawful, technically unsafe, inconsistent with the Agreement, or reasonably likely to compromise the security, integrity, or reliable operation of the Services.

4. Confidentiality

Aidfine restricts access to Customer Personal Data to personnel, contractors, and subprocessors with a legitimate need to know such data for the purposes of providing, supporting, securing, or lawfully operating the Services.

Persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or otherwise legally binding.

Support, troubleshooting, maintenance, and security access are limited to what is reasonably necessary for the relevant service, security, or legal purpose.

5. Security Measures

Aidfine maintains technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful access, disclosure, alteration, loss, or destruction, taking into account the nature of the Services and the risks presented by the processing.

role-based access controls and least-privilege access management for customer environments and internal operational access;

authentication and administrative safeguards, including additional controls for sensitive or administrative access where appropriate, and MFA for sensitive or administrative access where applicable;

encryption in transit and encryption at rest for systems and storage handling Customer Personal Data, as appropriate to the relevant service environment;

security monitoring, logging, and operational alerting designed to support service integrity, investigation, and incident response;

secure development practices, controlled change management, and logical separation between production and non-production environments;

backup, recovery, and resilience measures designed to support continuity of service and restoration of data availability; and

documented internal processes for incident handling, escalation, and remediation.

Additional details regarding Aidfine's technical and organizational measures are summarized in Annex II. No method of transmission, storage, or processing is completely secure, and the measures described in this DPA are intended to be risk-based, reasonable, and commercially credible rather than absolute guarantees.

6. Subprocessors

Customer grants Aidfine a general authorization to engage subprocessors that are reasonably necessary to provide, support, secure, or maintain the Services.

Aidfine will impose written data protection and confidentiality obligations on subprocessors that are appropriate to the services they provide and that require protection of Customer Personal Data in a manner materially consistent with this DPA.

Aidfine remains responsible for its subprocessors to the extent required by applicable law.

Aidfine may update its subprocessors or subprocessor categories from time to time and will provide reasonable prior notice of material changes by reasonable means. Customer may object to a material change on reasonable data protection grounds within 15 days after notice.

If the parties cannot resolve a reasonable objection in good faith, Aidfine may provide a commercially reasonable alternative or, if no such alternative is reasonably available, permit Customer to terminate the affected Services.

Third-party services selected, connected, or instructed directly by Customer are not Aidfine subprocessors to the extent they operate under Customer's separate relationship, configuration, or instructions. Likewise, provider relationships used by Aidfine in its independent controller capacity, including certain billing, payment, fraud prevention, security, website, or compliance operations, are outside the scope of this DPA except to the extent they process Customer Personal Data on Aidfine's behalf as processor.

7. International Transfers

Aidfine may process Customer Personal Data in the United States and in other countries where Aidfine or its subprocessors operate.

Where required by applicable law for international transfers of Customer Personal Data, the parties agree that the European Commission's Standard Contractual Clauses, together with any applicable UK and Swiss transfer mechanisms, will apply as supplemented as reasonably necessary for the relevant transfer scenario.

Aidfine will not transfer Customer Personal Data in a manner prohibited by applicable data protection law and will maintain a transfer framework that is appropriate to the Services and the relevant jurisdictions.

8. Data Subject Requests

Taking into account the nature of the processing, Aidfine will provide reasonable assistance to Customer in responding to requests from data subjects to exercise their rights under applicable data protection law.

If Aidfine receives a direct request from a data subject relating to Customer Personal Data, Aidfine may redirect the requester to Customer or notify Customer, unless Aidfine is legally prohibited from doing so.

Customer remains responsible for assessing and responding to data subject requests as controller, except to the extent applicable law expressly requires Aidfine to act differently.

9. Personal Data Breach Assistance

Aidfine will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data processed under this DPA.

Aidfine's notification may include information available at the time regarding the nature of the incident, the categories of Customer Personal Data affected, the likely impact, and the remediation or mitigation measures taken or proposed.

Information may be provided in phases as it becomes reasonably available. Customer remains responsible for determining whether notifications to supervisory authorities, regulators, individuals, or third parties are required under applicable law.

10. Return and Deletion

During the term of the Agreement, and for any limited post-termination retrieval period made available under the Agreement, Customer may retrieve or export Customer Data using the Services' available functionality or other standard offboarding support offered by Aidfine.

Following termination or expiration, Customer Personal Data may first become inaccessible before full deletion is completed. Deletion may occur asynchronously through ordinary operational processes, including storage-layer workflows, queued deletion tasks, archival handling, and backup rotation.

Aidfine may retain Customer Personal Data to the extent required by applicable law or reasonably necessary for legitimate security, fraud prevention, business continuity, dispute resolution, legal hold, or compliance purposes. Any retained data will remain subject to appropriate safeguards for so long as it is retained.

11. Audit and Information Rights

Aidfine may satisfy Customer's audit and information rights by providing reasonable documentation and compliance materials first, including security summaries, policy information, subprocessor information, and responses to reasonable due diligence questionnaires.

Where additional verification is required by applicable law or reasonably justified in light of Customer's processing risk, any further audit must be limited, controlled, non-disruptive, and subject to appropriate confidentiality restrictions.

No audit right under this DPA requires Aidfine to disclose source code, vulnerability details that would materially increase security risk, trade secrets, internal pricing information, or data relating to other customers.

Unless required by law or triggered by a confirmed incident materially affecting Customer Personal Data, in-depth audit activity will be limited to no more than once annually and during normal business hours.

12. General Terms

This DPA is intended to form part of the Agreement where incorporated by reference or otherwise agreed between Aidfine and Customer.

If there is a conflict between this DPA and the Agreement, this DPA will control solely with respect to the processing of Customer Personal Data governed by this DPA.

The liability limitations, exclusions, and risk allocation provisions of the Agreement apply to this DPA to the maximum extent permitted by applicable law.

Nothing in this DPA expands Aidfine's obligations beyond the scope of Customer Personal Data processing for which Aidfine acts as processor or analogous service provider under the Agreement.

13. Annex I - Details of Processing

Subject matter and duration. Aidfine processes Customer Personal Data as necessary to provide, secure, support, maintain, and administer the Services during the term of the Agreement and for any limited retrieval, deletion, backup, legal retention, or security period permitted under the Agreement or applicable law.

Nature and purpose of processing. Processing may include collection, upload, storage, organization, review, transformation, retrieval, display, analysis, matching, reporting, support access, troubleshooting, security monitoring, and deletion of Customer Personal Data in connection with the Services.

Categories of data subjects may include Customer's authorized users, administrators, finance and accounting personnel, employees, contractors, counterparties, vendors, payees, payers, and other individuals whose personal data appears in Customer Data submitted to the Services.

Types of personal data may include names, business contact details, role and account identifiers, uploaded file contents, spreadsheet data, transaction references, descriptions, dates, amounts, balances, report outputs, comments, support content, and other personal data included by or on behalf of Customer in Customer Data.

14. Annex II - Security Measures

Aidfine maintains measures designed to protect Customer Personal Data in a manner appropriate to the Services and the risks presented by the processing. These measures may include the following categories of controls:

identity and access controls, including role-based permissions, least-privilege administration, access review practices, and additional safeguards for sensitive or administrative functions;

authentication and session protections, including credential controls, session management protections, and MFA for sensitive or administrative access where applicable;

network and transport protections, including encryption in transit and secure communication paths between service components and users;

storage protections, including encryption at rest for systems and storage handling Customer Personal Data, as appropriate to the relevant production environment;

logging, monitoring, and alerting practices intended to support detection of abnormal activity, investigation, and service security;

environment segregation and secure development practices intended to separate production from testing or development workflows and reduce operational risk;

backup, resilience, and recovery controls intended to support business continuity and restoration of service availability;

personnel confidentiality, training, and internal handling safeguards appropriate to service operations; and

incident response and remediation processes intended to support escalation, containment, investigation, and corrective action.

15. Annex III - Subprocessors / Categories

Aidfine may use subprocessors or processor-side service providers in categories reasonably necessary to operate the Services. Depending on deployment and service configuration, these categories may include:

cloud infrastructure and application hosting providers;

object storage or file storage providers used to store uploaded content and generated outputs;

email and communications delivery providers used to support service-related communications where they process Customer Personal Data on Aidfine's behalf;

operational monitoring, logging, support, and incident-response tools used in connection with the operation and security of the Services; and

anti-abuse, verification, or security-support providers where they process Customer Personal Data on Aidfine's behalf in connection with the Services.

Customer-directed integrations and third-party services chosen or enabled directly by Customer are not treated as Aidfine subprocessors to the extent they operate under Customer's own configuration, relationship, or contractual terms.

Providers engaged by Aidfine in its independent controller capacity, including certain billing, payment, fraud prevention, website, and corporate operations providers, are outside the scope of this Annex except to the extent they process Customer Personal Data on Aidfine's behalf as processor.