Data Processing Agreement

1. Definitions

In this DPA, the following terms have the meanings set out below:

• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Processor" means the entity that processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Data Subject" means the individual to whom Personal Data relates.

2. Scope and Roles

This DPA applies where Gilji processes Personal Data on behalf of the Customer in connection with the provision of our services. In such cases, the Customer acts as the Controller and Gilji acts as the Processor.

3. Processing Instructions

Gilji will only process Personal Data in accordance with the Customer's documented instructions, unless required to do otherwise by applicable law. The Customer's instructions are set out in the main agreement and this DPA.

4. Security Measures

Gilji implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Measures to ensure ongoing confidentiality, integrity, and availability
• Regular testing and evaluation of security measures
• Employee training and access controls

5. Sub-processors

The Customer authorizes Gilji to engage sub-processors to process Personal Data. Gilji maintains a list of current sub-processors and will notify the Customer of any changes. Gilji ensures that sub-processors are bound by data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

Gilji will assist the Customer in responding to requests from Data Subjects to exercise their rights under applicable data protection law. Gilji will promptly notify the Customer of any such requests received directly.

7. Data Breach Notification

Gilji will notify the Customer without undue delay after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories of data affected, and measures taken to address the breach.

8. Data Deletion

Upon termination of the agreement, Gilji will delete or return all Personal Data to the Customer, unless retention is required by applicable law. The Customer may request a certificate of deletion.

9. International Transfers

Where Personal Data is transferred outside the EEA, Gilji ensures appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

10. Audits

Gilji will make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits. The Customer may conduct audits upon reasonable notice.