Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of, and is governed by, the Master Services Agreement (the "Agreement") between Pacific Digital Industries, Inc. doing business as SweepstakesPros ("Agency"), and the Client, as defined in the Agreement. Except as expressly modified by this DPA, the Agreement remains unmodified and in full force and effect. This DPA reflects the parties' agreement with respect to the Processing of Personal Data.

In case of any conflict with the terms of the Agreement, this DPA will take precedence; provided, however, that all obligations of the Agency under this DPA are and shall remain subject to the disclaimers set forth in Exhibit A Section 13.d of the Master Services Agreement.

Agency may update these terms to reflect changes in law, sub-processor requirements, security standards, or functionality of the Services; provided that any update will not materially diminish Agency's data protection obligations or Client's rights hereunder. Updates will apply to (i) new Statements of Work executed after the update effective date, and (ii) existing Statements of Work only where required by applicable law or with Client's written consent. Agency will post the updated DPA and, where materially relevant, provide notice to Client via email.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning set forth in the Agreement.

  1. Definitions
    1. "California Personal Information" means Personal Data that is subject to the CCPA.
    2. "CCPA" means California Civil Code Sec. 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 ("CPRA").
    3. "Client Personal Data" means Personal Data contained within Client Content that the Agency Processes as a Processor on behalf of the Client or on behalf of Client’s Clients.
    4. "Client Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored, or otherwise Processed by Agency.
    5. "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.
    6. "Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the Processing of Personal Data, including without limitation European Data Protection Laws, the CCPA, Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), and other applicable United States federal and state privacy laws.
    7. "Data Subject" means the individual to whom Personal Data relates.
    8. "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) the General Data Protection Regulation ("GDPR"); (ii) the UK GDPR; and (iii) the Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA").
    9. "Government Identifiers" means government-issued identification numbers and documents, including taxpayer identification numbers (e.g., SSN/ITIN/EIN or non-U.S. equivalents), national ID numbers, driver's license numbers, passport numbers, and any images or scans of such documents and data extracted from them.
    10. "Personal Data" means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.
    11. "Processing" means any operation or set of operations which is performed on Personal Data. The terms "Process," "Processes," and "Processed" will be construed accordingly.
    12. "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
    13. "Sub-Processor" means any Processor engaged by the Agency to assist in fulfilling its obligations with respect to the Processing of Client Personal Data under the Agreement.
  2. Role of the Parties
    1. The parties acknowledge that for the Processing of Client Personal Data, Client is the Controller and Agency is the Processor.
    2. Where Client acts as a Processor for another Controller, Agency shall act as a Sub-Processor. Agency will Process such Personal Data in accordance with Client's instructions.
    3. For any other Personal Data not defined as Client Personal Data, each party is an independent Controller and shall be responsible for its own compliance with Data Protection Laws.
    4. Ownership of Client Personal Data. As between the parties, Client is and shall remain the sole owner of all right, title, and interest in and to Client Personal Data. Agency shall not receive any ownership or similar right in Client Personal Data.
    5. Winner Validation and Tax Reporting. To the extent Agency collects or Processes Government Identifiers to validate winners (identity/age/residency) and/or to fulfill Client's tax reporting obligations (e.g., W-9/W-8/1099), Agency acts as Processor on Client's documented instructions and will use such data solely for those purposes and as required by law. If, and only if, Agency is the payer/withholding agent under applicable tax law, Agency acts as an independent Controller for that limited subset to comply with legal obligations, without expanding the scope of use.
  3. Client Responsibilities
    1. Compliance with Laws. The Client is responsible for complying with all requirements that apply to it under Data Protection Laws, including for: (i) the accuracy and legality of Client Personal Data and the means by which it was acquired; (ii) providing adequate privacy notices and obtaining any necessary consents; and (iii) ensuring it has the right to transfer Client Personal Data to the Agency for Processing in accordance with the Agreement. Client will inform Agency without undue delay if it is not able to comply with its responsibilities under this 'Compliance with Laws' section or Data Protection Laws.
    2. Client Instructions. The Client is responsible for ensuring that its instructions to the Agency regarding the Processing of Client Personal Data comply with applicable laws. The parties agree that the Agreement and this DPA constitute the Client’s complete instructions to the Agency.
    3. Security. The Client is responsible for independently determining whether the data security provided for in the Services adequately meets its obligations under Data Protection Laws.
  4. Agency Obligations as Processor
    1. Compliance with Instructions. The Agency will only Process Client Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of the Client’s lawful instructions. Agency is not responsible for compliance with any Data Protection Laws applicable to Client or Client’s industry that are not generally applicable to Agency.
    2. Conflict of Laws. If Agency becomes aware that it cannot Process Client Personal Data in accordance with Client’s instructions due to a legal requirement under any applicable law, Agency will (i) promptly notify Client of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Client Personal Data) until such time as Client issues new instructions with which Agency is able to comply. If this provision is invoked, Agency will not be liable to Client under the Agreement for any failure to perform the applicable Services until such time as Client issues new lawful instructions with regard to the Processing.
    3. Security. The Agency will implement and maintain appropriate technical and organizational measures to protect Client Personal Data from a Client Personal Data Breach, meeting standard industry practices and complying with applicable law. Such measures will include:
      1. Ensuring that personnel authorized to Process Client Personal Data are subject to appropriate confidentiality obligations;
      2. Conducting background investigations on personnel who will have access to Client Personal Data, where permitted by law; and
      3. Keeping Client Personal Data logically distinct from other data.
    4. Encryption. Agency shall implement encryption at rest and in transit consistent with industry standards, with appropriate key management, to protect Personal Data. All electronic files containing Personal Data shall be transmitted only via secure, encrypted transfer methods (e.g., HTTPS/TLS, SFTP, or encrypted email using S/MIME or PGP).
    5. Confidentiality. The Agency will ensure that any personnel authorized to Process Client Personal Data are subject to appropriate confidentiality obligations.
    6. Client Personal Data Breaches. The Agency will notify the Client without undue delay after becoming aware of any Client Personal Data Breach and take appropriate measures to address the Client Personal Data Breach, including measures to mitigate any adverse effects resulting from the Client Personal Data Breach. Agency will provide timely information relating to the Client Personal Data Breach as it becomes known or reasonably requested by Client. Subject to the disclaimers in Exhibit A Section 13.d of the Agreement, at Client’s request, Agency will promptly provide Client with such reasonable assistance as necessary to enable Client to notify competent authorities and/or affected Data Subjects of relevant Client Personal Data Breaches, if Client is required to do so under Data Protection Laws.
    7. Notices under this Section will be sent to Client's designated Client Project Manager in the applicable SOW (or, if none, to the Client notice email in the Agreement) and to Agency at .
    8. Destruction or Return of Client Personal Data. Upon termination or expiration of the Agreement, or at the Client's written request (which may be given by email), the Agency will, at the Client's direction, either securely destroy all Client Personal Data or return it to the Client. The Agency may retain any Client Personal Data that it is legally required to retain. Any Client Personal Data retained for archival purposes in accordance with the Agency's document retention policy will be kept and maintained as confidential and secure, and will not be Processed for any purpose other than that for which it was originally collected, regardless of the termination or expiration of this Agreement. Agency will complete the requested return or deletion within a commercially reasonable period, not to exceed forty-five (45) days from Client's written request or termination/expiration, subject to lawful retention; backup copies will be deleted in the ordinary course on the next regular rotation cycle.
    9. Government Identifiers—Minimal Use and Safeguards. Agency shall: (i) use Government Identifiers only to validate winners, administer prizes, prevent fraud/abuse, and perform tax reporting as instructed; no sale/share or marketing use; (ii) collect/transmit via encrypted methods (e.g., TLS portal, SFTP, or encrypted email); (iii) limit access on a need-to-know basis and store encrypted (including backups); and (iv) retain Government Identifiers only for as long as necessary for winner validation, prize administration, fraud prevention, legal compliance, and recordkeeping, and in accordance with applicable law and Agency's documented retention schedule; by way of example, winner tax records (including tax identification numbers and associated ID documentation) may be retained only for periods required by applicable tax and recordkeeping laws/requirements. Upon expiry of the applicable retention period, Agency will delete or irreversibly anonymize such data (with backups deleted on the next regular cycle).
  5. Data Subject Requests. Upon Client’s written request Agency will provide reasonable assistance to Client to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Client Personal Data under the Agreement. Client will reimburse Agency for the commercially reasonable costs arising from this assistance. If a Data Subject Request is made directly to the Agency, the Agency will promptly inform the Client and advise the Data Subject to submit their request to the Client. The Client is solely responsible for substantively responding to such requests. Agency may decline deletion/restriction where Processing of Government Identifiers is required by law (e.g., tax recordkeeping) and will inform Client accordingly.
  6. Sub-Processors. The Client agrees that the Agency may engage Sub-Processors to Process Client Personal Data on its behalf. The Agency will impose data protection terms on its Sub-Processors that provide at least the same level of protection for Client Personal Data as those in this DPA. The Agency will remain responsible for each Sub-Processor's compliance with the obligations of this DPA. The list of Sub-Processors that are currently engaged by Agency is posted at http://www.sweepstakespros.com/privacy/sub-processors/. At least 15 days before Agency engages a Sub-Processor, Agency will update the applicable website and provide Client with a mechanism to obtain notice of that update. To object to a Sub-Processor on reasonable grounds relating to the protection of Client Personal Data, Client can notify Agency in writing of such an objection and the parties will discuss Client’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Agency will, at its sole discretion, either not appoint the new Sub-Processor, or permit Client to suspend or terminate the affected Services in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Client prior to suspension or termination).
  7. Data Transfers. The Client acknowledges that the Agency may access and Process Client Personal Data on a global basis, and that such data may be transferred to and Processed in the United States and other jurisdictions where the Agency's personnel, affiliates and Sub-Processors operate. The Agency will ensure such transfers comply with Data Protection Laws.
  8. Demonstration of Compliance. The Agency will make all information reasonably necessary to demonstrate compliance with this DPA available to the Client. Client may, at its expense, audit Agency’s compliance with this DPA no more than once per calendar year, unless Client has reasonable grounds to suspect non-compliance. Client shall perform any such audit during Agency's normal business hours and upon reasonable prior written notice. Agency will: (a) reasonably cooperate with the audit; (b) grant Client and its representatives necessary access to records and information relevant to Agency's performance under this DPA; and (c) address any identified non-compliance by implementing industry-standard practices and certify such correction in writing to Client.
  9. Additional Provisions for European Data
    1. Scope. This section applies only to Personal Data originating from Europe.
    2. Role of Parties. The Client is the Controller (or a Processor on behalf of another Controller), and the Agency is the Processor.
    3. Data Transfers. The Agency will not transfer European Data to a country not recognized as providing an adequate level of protection unless it first takes all necessary measures, such as transferring data to a recipient that has executed the Standard Contractual Clauses.
    4. Data Transfer Mechanisms. The parties agree that any transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to any country not recognized as providing an adequate level of protection shall be governed by the Standard Contractual Clauses for the transfer of personal data to third countries as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor) and, where Client acts as a Processor and Agency a Sub-Processor, Module Three (Processor to Processor), and/or the UK Addendum to the EU Standard Contractual Clauses, as applicable. For the purposes of Clause 17 of the SCCs, the governing law shall be the law of Ireland. For the purposes of Clause 18 of the SCCs, the parties agree to submit to the jurisdiction of the courts of Dublin, Ireland. The parties’ signatures on the Agreement are deemed to constitute execution of the SCCs and, as applicable, the UK Addendum. In the event of any conflict between this DPA/Agreement and the SCCs or UK Addendum, the SCCs/UK Addendum shall prevail to the extent required by their terms. For purposes of SCC Clause 13 (Competent Supervisory Authority), the competent authority shall be: (i) where the data exporter is established in the EU, the supervisory authority of that Member State; (ii) where the exporter is not established in the EU but is subject to GDPR Article 3(2), the supervisory authority of the Member State in which its Article 27 representative is established; or (iii) if neither (i) nor (ii) applies, the Irish Data Protection Commission. For Swiss transfers, the competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC). The parties may update Annex I(C) to reflect the correct authority without formal amendment to this DPA. For UK transfers, the relevant supervisory authority is the UK Information Commissioner's Office (ICO) as set out in the UK Addendum. 
       For the avoidance of doubt, nothing in the Agreement or this DPA limits either party's obligations under the SCCs or the UK Addendum.
    5. Annexes. The Annexes to the SCCs and the UK Addendum are hereby deemed to be completed as follows:
      1. Annex I: Details of Processing
        1. List of Parties
          • Data Exporter (Client): The Client as defined in the Agreement.
          • Data Importer (Agency): Pacific Digital Industries, Inc. dba SweepstakesPros.
          • Competent Supervisory Authority: As set out in Section 9.d of this DPA.
        2. Description of Transfer
          • Categories of Data Subjects: Individuals whose data is submitted by or for the Client, including its end users, customers, contacts, entrants/participants, winners (and, where applicable, travel companions), judges, and Client personnel.
          • Categories of Personal Data: Any Personal Data submitted to or collected by the Services for the Client, the extent of which is determined and controlled by the Client; this may include, but is not limited to, identifiers (e.g., name, email, phone, address, IP), date of birth/age, entry content, and—for winners—Government Identifiers (including tax identification numbers and government ID document images/scans and extracted data) needed for validation, prize administration, fraud prevention, tax reporting, and support communications.
          • Nature of the Processing: Storage, retrieval, and other Processing necessary to provide the Services pursuant to the Agreement.
          • Purpose of the Transfer: To enable the Agency to provide the Services as defined in the Agreement and any applicable Statement of Work, including winner validation (identity/age/residency), prize administration, fraud prevention, and tax reporting.
          • Frequency of Transfer: Continuous or on an as-needed basis. Entrant/participant data may be continuous or event-driven while a promotion is live. Winner validation and tax documentation are event-driven and one-off per prize claim/award.
          • Retention: Subject to the 'Destruction or Return of Client Personal Data' section of this DPA, Agency will retain Client Personal Data for the Agreement term unless otherwise agreed in writing or required by law. Government Identifiers (including tax identification numbers and related ID documentation) are retained in accordance with applicable law and Agency's documented retention schedule (for example, up to seven (7) years for winner tax records), after which they are deleted or irreversibly anonymized (with backups deleted on the next regular cycle).
      2. Annex II: Security Measures. The Agency maintains and adheres to internal, written information security policies and implements a range of technical and organizational security measures to protect Client Personal Data. These measures include industry-standard practices for access control, data encryption, incident management, and personnel management, which are regularly reviewed and updated to ensure a high level of protection for all data. You may view SweepstakesPros Security Practices at http://www.sweepstakespros.com/privacy/security, which provides an overview of our security standards. Additional safeguards for Government Identifiers: encryption in transit/at rest, role-based access, audit logging, masking/redaction in interfaces where full values are unnecessary, and no use in test/dev except with de-identified values. Agency will not materially reduce the overall administrative, physical, and technical security measures described in Annex II during the Term. If Agency modifies its Security Practices page referenced herein, such modifications will not materially diminish the level of protection for Client Personal Data.
      3. Annex III: Sub-Processors. The Agency engages Sub-Processors to assist with its data processing activities, including for operations and infrastructure, product and Service features, support, and content delivery. You may view Agency’s Sub-Processors List at http://www.sweepstakespros.com/privacy/sub-processors which includes the purpose for engaging each Sub-Processor. The Agency will provide the Client with an opportunity to object to the engagement of new Sub-Processors on reasonable grounds.
    6. EU/UK Targeting Notice & Representative (GDPR/UK GDPR Art. 27). Client shall notify Agency in writing before any Promotion that targets data subjects in the European Union or the United Kingdom or monitors their behavior there. For such Promotions, Agency will, where required by Article 27 GDPR/UK GDPR, designate an EU and/or UK representative for Agency’s processor-level processing. Agency may pass through reasonable representative fees and related costs to Client in accordance with the Agreement. Client remains responsible for its own Article 27 obligations (if any) as controller.
  10. Additional Provisions for California Personal Information
    1. Scope. This section applies only to California Personal Information.
    2. Role of Parties. The Client is a "Business" and the Agency is a "Service Provider" for the purposes of the CCPA.
    3. Responsibilities. The Agency certifies that it will Process California Personal Information strictly for the purpose of performing the Services and will not sell or share it. Agency will not (i) retain, use, or disclose California Personal Information for any purpose other than the specific business purposes described in the Agreement and this DPA; (ii) retain, use, or disclose such information outside the direct business relationship between the parties; or (iii) combine such information with personal information it receives from, or on behalf of, another person or entity, except as permitted by Cal. Civ. Code §1798.140(ag)(1). Agency certifies it understands and will comply with these restrictions and will notify Client if it determines it can no longer meet its CPRA obligations. Client may take reasonable and appropriate steps to ensure Agency's Processing is consistent with CPRA requirements.
    4. Sensitive Personal Information. Government Identifiers constitute "Sensitive Personal Information" under the CPRA; Agency will not sell or share it and will use/disclose it only as permitted by the CPRA and as necessary to perform the Services or comply with law.
  11. General Provisions
    1. Governing Law and Venue. Except to the extent required otherwise by applicable data protection laws or by the EU Standard Contractual Clauses and/or UK Addendum (together, the “Transfer Mechanisms”), this DPA is governed by, and construed in accordance with, the governing-law and venue/jurisdiction provisions set forth in the Agreement. For clarity, the governing-law and forum selections specified in the Transfer Mechanisms apply solely to those Transfer Mechanisms and related cross-border transfers.
    2. Limitation of Liability. The Agency's aggregate liability arising out of or related to this DPA will be subject to the limitations set out in the main Agreement.
    3. Severability. If any provision of this DPA is found to be invalid or unenforceable, the validity and enforceability of the other provisions will not be affected.