Data Processing Agreement

Standard Data Processing Agreement for EarnLayer enterprise customers

GDPR Compliant
Last Updated: January 2025

This Data Processing Agreement ("DPA") forms part of the EarnLayer Publisher Agreement and applies when EarnLayer processes personal data on behalf of enterprise customers in connection with the services provided under the Publisher Agreement.

This DPA is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

1. Definitions

1.1 "Controller" means the entity that determines the purposes and means of processing personal data. In this context, the enterprise customer is the Controller.

1.2 "Processor" means EarnLayer Inc., which processes personal data on behalf of the Controller.

1.3 "Personal Data" means any information relating to an identified or identifiable natural person.

1.4 "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

2. Processing Details

2.1 Subject Matter

Processing of personal data in connection with EarnLayer's advertising and monetization services, including user interactions, ad impressions, revenue tracking, and payment processing.

2.2 Duration

For the duration of the Publisher Agreement and until all personal data is deleted or returned in accordance with this DPA.

2.3 Nature and Purpose

Processing personal data to provide advertising services, track performance, process payments, and ensure service functionality and security.

2.4 Types of Personal Data

  • Account information (email, name, business details)
  • Payment and financial information
  • Usage data (ad impressions, clicks, revenue)
  • Technical data (IP addresses, device information)
  • Communication data (support interactions)

2.5 Categories of Data Subjects

  • Publisher account holders
  • End users interacting with publisher content
  • Authorized representatives of enterprise customers

3. Processor Obligations

3.1 Processing Instructions

EarnLayer will process personal data only in accordance with documented instructions from the Controller and as necessary to provide the services under the Publisher Agreement.

3.2 Confidentiality

EarnLayer will ensure that persons authorized to process personal data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures

EarnLayer will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments and audits
  • Incident response and breach notification procedures
  • Data backup and recovery procedures

3.4 Sub-processors

EarnLayer may engage sub-processors to process personal data, provided that:

  • Sub-processors are bound by the same data protection obligations
  • Controller is notified of any intended changes to sub-processors
  • Controller has the right to object to new sub-processors
  • Current sub-processors include: Railway (hosting), PostHog (analytics), Stripe (payments)

4. Data Subject Rights

4.1 Assistance with Rights

EarnLayer will assist the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

4.2 Response Time

EarnLayer will respond to Controller requests for assistance within 30 days, or as required by applicable law.

5. Data Breach Notification

5.1 Breach Notification

EarnLayer will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller's data. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

5.2 Cooperation

EarnLayer will provide reasonable cooperation and assistance to the Controller in connection with any data breach, including assistance with notifications to supervisory authorities and data subjects where required.

6. Data Retention and Deletion

6.1 Retention Period

Personal data will be retained only for as long as necessary to provide the services or as required by law.

6.2 Deletion

Upon termination of the Publisher Agreement or upon Controller's request, EarnLayer will delete or return all personal data to the Controller, unless retention is required by law. Deletion will be completed within 30 days of termination or request.

7. Audit Rights

7.1 Audit Requests

EarnLayer will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws.

7.2 Audit Procedures

Upon reasonable notice, EarnLayer will allow and contribute to audits conducted by the Controller or an independent auditor, subject to confidentiality obligations and reasonable limitations on frequency and scope.

8. International Data Transfers

8.1 Transfer Mechanisms

Where personal data is transferred outside the European Economic Area (EEA), EarnLayer will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other appropriate safeguards as required by applicable law

9. General Provisions

9.1 Governing Law

This DPA is governed by the laws of Canada, without regard to conflict of law principles.

9.2 Modifications

This DPA may be modified by mutual written agreement of the parties or as required to comply with changes in applicable data protection laws.

9.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.

Contact Information

For questions about this DPA or to request a customized version for your organization, please contact us:

Note: This is a standard DPA template. Enterprise customers may request a customized version that includes specific terms, additional security measures, or modified provisions to meet their organization's requirements.