Data Processing Addendum

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and RoyaleOps ("Processor"). This DPA applies where RoyaleOps processes Personal Data on your behalf in connection with our services.

2. Definitions

In this DPA, the following terms have the meanings set out below:

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and other regional laws.
• "Controller" means the entity that determines the purposes and means of Processing Personal Data.
• "Processor" means the entity that Processes Personal Data on behalf of the Controller.

3. Scope and Roles

3.1 Scope

This DPA applies to the Processing of Personal Data by RoyaleOps on behalf of Customer in connection with the provision of our services.

3.2 Roles

The parties acknowledge that with regard to the Processing of Personal Data, Customer is the Controller and RoyaleOps is the Processor.

4. Processor Obligations

RoyaleOps shall Process Personal Data only:

• On documented instructions from Customer (including as set forth in the Terms of Service)
• In compliance with Data Protection Laws
• For the purposes of providing the services

RoyaleOps shall not sell, share, or otherwise disclose Personal Data except as required by law or as instructed by Customer.

5. Security Measures

5.1 Technical and Organizational Measures

RoyaleOps shall implement appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of Personal Data in transit and at rest
• Access controls and authentication mechanisms
• Regular security testing and monitoring
• Incident response procedures

5.2 Confidentiality

RoyaleOps shall ensure that any personnel authorized to Process Personal Data are subject to confidentiality obligations.

5.3 Data Breach Notification

In the event of a Personal Data breach, RoyaleOps shall notify Customer without undue delay after becoming aware of the breach.

5.4 Security Audits

RoyaleOps shall make available to Customer information necessary to demonstrate compliance with this DPA and allow for reasonable audits.

6. Sub-processors

Customer acknowledges and agrees that RoyaleOps may engage third-party sub-processors to Process Personal Data. RoyaleOps shall ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.

RoyaleOps may update the list of sub-processors from time to time. Customer may object to the appointment of a new sub-processor on reasonable grounds by notifying RoyaleOps within 10 days.

7. International Data Transfers

To the extent that RoyaleOps Processes Personal Data in a jurisdiction different from Customer's jurisdiction, RoyaleOps shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses or other mechanisms approved under Data Protection Laws.

8. Data Subject Rights

RoyaleOps shall, to the extent legally permitted, promptly notify Customer if it receives a request from a data subject to exercise their rights under Data Protection Laws. RoyaleOps shall provide reasonable assistance to Customer in responding to such requests.

9. Data Retention and Deletion

RoyaleOps shall retain Personal Data only for as long as necessary to provide the services or as required by law. Upon termination of the services or upon Customer's request, RoyaleOps shall delete or return all Personal Data, unless legally required to retain it.

10. Customer Responsibilities

Customer shall:

• Ensure that it has a lawful basis for the Processing of Personal Data
• Provide clear and accurate instructions to RoyaleOps regarding Processing
• Comply with all applicable Data Protection Laws in connection with its use of the services

11. Data Protection Impact Assessments

RoyaleOps shall provide reasonable assistance to Customer in conducting data protection impact assessments where required under Data Protection Laws.

12. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service.

13. Term and Termination

This DPA shall remain in effect for as long as RoyaleOps Processes Personal Data on behalf of Customer. Upon termination, the data deletion provisions in Section 9 shall apply.

14. Contact Information

For questions about this DPA or data protection matters, please contact: support@royaleops.com