Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service and Privacy Policy between Elysium Labs, LLC ("Controller", "we", "us", "our") and the third-party service providers ("Processor") that process personal data on our behalf in connection with the Too Social mobile application ("App").

This DPA is designed to ensure compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA"), collectively referred to as "Data Protection Laws".

1. DEFINITIONS

The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the meanings given to them in the applicable Data Protection Laws.

For the purpose of this DPA:

• "Controller" means Elysium Labs, LLC, which determines the purposes and means of the Processing of Personal Data.
• "Processor" means the third-party service provider that Processes Personal Data on behalf of the Controller.
• "Sub-processor" means any entity engaged by the Processor to assist in fulfilling its obligations with respect to providing services to the Controller.
• "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
• "Personal Data" means any information relating to a Data Subject.
• "Processing" means any operation or set of operations performed on Personal Data.
• "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including GDPR, UK GDPR, and CCPA.

2. PROCESSING OF PERSONAL DATA

2.1 Processing Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information.

2.2 Purpose of Processing

The purpose of the Processing is to provide the services as described in our Terms of Service and Privacy Policy, specifically related to our Too Social mobile application which functions as a friend-finding service. The Processing activities may include, but are not limited to:

• Storage and management of user profiles and preferences
• Processing user interactions and connections
• Analytics and usage statistics
• Personalized advertising
• Push notifications
• Account management and authentication

2.3 Categories of Personal Data

The categories of Personal Data that may be Processed under this DPA include:

• Identifiers (names, usernames, email addresses)
• Contact information
• Age and date of birth
• Gender and preferences
• Profile images
• Location data (country)
• Device information and identifiers
• Usage data and interaction history
• Social media usernames (for premium users)

2.4 Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be Processed under this DPA include:

• App users (all of whom are 16 years of age or older)
• Potential users (all of whom are 16 years of age or older)
• Customers who make purchases within the App

2.5 Duration of Processing

The Processor shall Process Personal Data for the duration of the agreement between the Controller and the Processor, or until the Controller instructs the Processor to return or delete the Personal Data in accordance with Section 9 of this DPA.

3. PROCESSOR'S OBLIGATIONS

3.1 Confidentiality and Age Verification

The Processor shall ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Controller confirms that the Services are designed for and directed only to individuals who are at least 16 years of age. The Processor acknowledges this age restriction and agrees not to knowingly process data from any individual under 16 years of age. If the Processor becomes aware that it has collected Personal Data from anyone under 16 years of age, it shall promptly notify the Controller and take steps to delete such information.

3.2 Technical and Organizational Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

• The pseudonymization and encryption of Personal Data;
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
• The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

3.3 Compliance with Instructions

The Processor shall Process Personal Data only on documented instructions from the Controller, unless required to do so by law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

3.4 Assistance to Controller

The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under the applicable Data Protection Laws.

4. SUB-PROCESSORS

4.1 General Authorization

The Controller hereby provides general authorization for the Processor to engage Sub-processors, provided that the Processor:

• Provides the Controller with a list of current Sub-processors upon request;
• Notifies the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes;
• Ensures that each Sub-processor is bound by data protection terms that are at least as protective as those set out in this DPA;
• Remains fully liable to the Controller for the performance of the Sub-processor's obligations.

4.2 Categories of Sub-processors

As of the date of this DPA, the Controller authorizes the use of Sub-processors in the following categories:

• Database and authentication service providers
• Cloud hosting and infrastructure service providers
• Analytics and monitoring service providers
• Push notification service providers
• Content delivery network (CDN) providers
• Advertising technology providers
• Payment processing service providers
• Customer support service providers
• Security and fraud prevention service providers

The Controller acknowledges that these categories of Sub-processors are necessary for the provision of the Services. The Controller may request additional information about specific Sub-processors within these categories by contacting the email address listed in Section 12.6.

5. DATA SUBJECT RIGHTS

5.1 Data Subject Requests

The Processor shall promptly notify the Controller if it receives any request from a Data Subject under any Data Protection Law in respect of the Data Subject's Personal Data, and shall provide full cooperation and assistance to the Controller in relation to any such request.

5.2 Response to Requests

The Processor shall not respond to any Data Subject request without the Controller's prior written approval, except to confirm that the request relates to the Controller, to which the Data Subject should address the request.

6. DATA SECURITY

6.1 Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

• Data encryption at rest and in transit;
• Regular security testing and vulnerability assessments;
• Access controls and authentication mechanisms;
• Regular backups and data recovery procedures;
• Implementation of security policies and procedures;
• Employee training on data security and privacy;
• Physical security measures for data centers and office locations.

6.2 Security Documentation

The Processor shall maintain documentation of its security measures and shall make such documentation available to the Controller upon request.

6.3 Age Verification Measures

The Processor shall support the Controller's age verification mechanisms to ensure that the Services are not used by individuals under 16 years of age. This may include:

• Implementation of age verification checks during registration or authentication processes
• Application of age-appropriate design principles in user interfaces
• Technical measures to detect and prevent the creation of accounts by users under 16 years of age
• Process for handling discovered accounts of underage users

7. DATA BREACH NOTIFICATION

7.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach. Such notification shall:

• Describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
• Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
• Describe the likely consequences of the Personal Data Breach;
• Describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 Assistance with Notification Obligations

The Processor shall assist the Controller in fulfilling the Controller's obligations to notify the relevant Supervisory Authority and affected Data Subjects of a Personal Data Breach, as required under applicable Data Protection Laws.

8. DATA IMPACT ASSESSMENT AND PRIOR CONSULTATION

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities that the Controller is required to carry out under applicable Data Protection Laws, in each case solely in relation to Processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the Processing and information available to the Processor.

9. DELETION OR RETURN OF PERSONAL DATA

9.1 End of Service Provision and Data Retention

Upon termination of the services or upon the Controller's request, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data.

The Processor shall adhere to the following data retention periods unless otherwise instructed by the Controller:

• Active User Account Data: Retained for the duration of the user's account
• Inactive Account Data: Retained for up to 12 months after the last account activity
• Transaction Data: Retained for 7 years for tax and financial compliance purposes
• Usage Analytics: Anonymized after 24 months
• Communication Records: Retained for 24 months
• Logs and Security Data: Retained for 12 months unless needed for ongoing security investigations

9.2 Certification of Deletion

Upon request, the Processor shall provide written certification to the Controller that it has fully complied with this Section.

10. AUDIT RIGHTS

10.1 Information and Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

10.2 Timing and Costs

Audits shall be conducted during regular business hours, with reasonable advance notice to the Processor, and subject to reasonable confidentiality procedures. The Controller shall bear any costs incurred in connection with an audit unless the audit reveals material non-compliance with this DPA, in which case the Processor shall bear the costs.

11. INTERNATIONAL TRANSFERS

11.1 Transfer Mechanisms

The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA), UK, or the jurisdiction where the Controller is established unless the recipient is established in a country that the European Commission or relevant authority has decided provides an adequate level of protection for Personal Data, or one of the following safeguards is implemented:

• Binding Corporate Rules;
• Standard Contractual Clauses adopted by the European Commission or relevant authority;
• An approved code of conduct;
• An approved certification mechanism.

11.2 Standard Contractual Clauses

Where the parties rely on Standard Contractual Clauses for transfers of Personal Data, the parties hereby incorporate the Standard Contractual Clauses by reference into this DPA.

12. GENERAL TERMS

12.1 Governing Law

This DPA shall be governed by the laws of the State of Texas, United States, without regard to its conflict of law principles.

12.2 Order of Precedence

In the event of a conflict between this DPA and the Terms of Service or Privacy Policy, this DPA shall prevail with regard to the parties' data protection obligations.

12.3 Modifications

Any modifications to this DPA must be in writing and signed by authorized representatives of both parties.

12.4 Severability

Should any provision of this DPA be found invalid or unenforceable, the remainder of the DPA will remain valid and enforceable. The parties shall replace the invalid or unenforceable provision with a valid and enforceable provision that comes closest to the intention of the parties.

12.5 App Store Compliance

The parties acknowledge that this DPA is intended to comply with the requirements of the Apple App Store and Google Play Store, and both parties agree to promptly update this DPA as necessary to maintain compliance with evolving app store policies and guidelines regarding data privacy and protection.

12.6 Contact Information

For any questions or concerns regarding this DPA, please contact us at:

privacy@elysiumlabs.com