Data Processing Addendum

Last updated: 21 March 2026

This Data Processing Addendum ("DPA") forms part of the agreement for services ("Agreement") between ikigai, a growth marketing consultancy registered in Jersey, Channel Islands ("Processor", "we", "us", or "our") and the entity that has executed the Agreement ("Customer", "Controller", or "you"). This DPA applies to the extent that we process Customer Personal Data on your behalf in the course of providing our services.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined in this DPA have the meanings given to them in the Agreement.

  • "Customer Personal Data" means any personal data that we process on behalf of the Customer in connection with the provision of our services under the Agreement.
  • "Data Protection Laws" means the Data Protection (Jersey) Law 2018 ("DPJL 2018") and all subordinate legislation made under it, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR to the extent applicable, and any other applicable data protection or privacy laws.
  • "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.
  • "Processing" means any operation or set of operations performed on Customer Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
  • "Standard Contractual Clauses" ("SCCs") means the contractual clauses approved by the European Commission (or equivalent clauses recognised by the Jersey Office of the Information Commissioner) for the transfer of personal data to processors established in third countries.
  • "Subprocessor" means any third party engaged by us to process Customer Personal Data on behalf of the Customer.
  • "JOIC" means the Jersey Office of the Information Commissioner, the supervisory authority responsible for data protection in Jersey.

2. Processing of Customer Personal Data

2.1 Scope and Purpose

We shall process Customer Personal Data only on your documented instructions and solely for the purposes of providing the services described in the Agreement and as further detailed in Schedule 1 of this DPA. We shall not process Customer Personal Data for any other purpose unless required to do so by applicable law, in which case we shall inform you of that legal requirement before processing (unless prohibited from doing so by law).

2.2 No Selling of Data

We shall not sell, rent, or otherwise commercially exploit Customer Personal Data. We shall not disclose Customer Personal Data to any third party for that third party's own commercial purposes.

2.3 No Sharing for Advertising

We shall not share Customer Personal Data with any third party for advertising, marketing, or profiling purposes unrelated to the services provided under the Agreement.

2.4 Compliance

We shall comply with all applicable Data Protection Laws in respect of our processing of Customer Personal Data. We shall promptly inform you if, in our opinion, an instruction from you infringes applicable Data Protection Laws.

3. International Data Transfers

3.1 Jersey Adequacy Status

Jersey has been recognised by the European Commission as providing an adequate level of data protection. Transfers of personal data from the EEA to Jersey are therefore permitted without additional safeguards under EU adequacy decisions.

3.2 Transfers to Third Countries

Where Customer Personal Data is transferred to a country outside Jersey, the EEA, or the UK that has not been deemed to provide an adequate level of data protection, we shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Laws. Such safeguards may include:

  • Standard Contractual Clauses approved by the European Commission or recognised by the JOIC
  • Binding corporate rules approved by a competent supervisory authority
  • Any other transfer mechanism permitted under applicable Data Protection Laws

3.3 Transfer Impact Assessments

Upon request, we shall provide you with information regarding the legal framework applicable in the destination country, including any relevant access by public authorities, to enable you to carry out transfer impact assessments.

4. Confidentiality and Security

4.1 Personnel Confidentiality

We shall ensure that all personnel authorised to process Customer Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data shall be limited to those personnel who require such access to perform the services under the Agreement.

4.2 Technical and Organisational Measures

We shall implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data against Security Incidents, as described in Schedule 2 of this DPA. These measures shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to the rights of Data Subjects.

4.3 Ongoing Security

We shall regularly test, assess, and evaluate the effectiveness of our technical and organisational measures and update them as necessary to maintain an appropriate level of security.

5. Subprocessors

5.1 General Authorisation

You provide general written authorisation for us to engage Subprocessors to process Customer Personal Data on your behalf. A current list of Subprocessors is available at ikigai.je/subprocessors.

5.2 Notification of Changes

We shall notify you of any intended addition or replacement of Subprocessors at least thirty (30) days prior to such change, giving you the opportunity to object. If you reasonably object to a new Subprocessor on legitimate data protection grounds, we shall use commercially reasonable efforts to make available to you a change in the services or recommend a commercially reasonable alternative. If no alternative is available, either party may terminate the affected portion of the services.

5.3 Subprocessor Obligations

We shall impose data protection obligations on each Subprocessor that are no less protective than those set out in this DPA by way of a written contract. We shall remain fully liable to you for the performance of each Subprocessor's obligations.

6. Data Subject Rights

6.1 Customer Responsibility

As Controller, you are responsible for responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

6.2 Assistance

We shall, taking into account the nature of the processing, provide you with reasonable assistance to fulfil your obligations to respond to Data Subject requests. If we receive a request directly from a Data Subject, we shall promptly redirect the request to you and shall not respond to the Data Subject directly unless instructed by you or required by law.

7. Security Incidents

7.1 Notification

We shall notify you without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Security Incident affecting Customer Personal Data. Such notification shall include:

  • A description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the point of contact from whom further information may be obtained
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate its possible adverse effects

7.2 Remediation

We shall take all reasonable steps to contain, investigate, and remediate any Security Incident and shall cooperate with you in any investigation and in meeting any obligations to notify the JOIC or affected Data Subjects under applicable Data Protection Laws.

7.3 Records

We shall maintain a record of all Security Incidents, including the facts surrounding the incident, its effects, and the remedial actions taken.

8. Data Protection Impact Assessments

We shall provide you with reasonable assistance in connection with any data protection impact assessment and any prior consultation with the JOIC or other supervisory authority that you are required to carry out under applicable Data Protection Laws, taking into account the nature of the processing and the information available to us.

9. Deletion of Customer Personal Data

9.1 Upon Termination

Upon termination or expiry of the Agreement, we shall, at your choice, delete or return all Customer Personal Data within ninety (90) days, unless retention is required by applicable law. We shall provide written confirmation of deletion upon request.

9.2 Subprocessor Data

We shall ensure that our Subprocessors delete or return Customer Personal Data in accordance with the same timeframes and conditions set out in this section.

9.3 Backup Copies

Where Customer Personal Data exists in backup systems, we shall delete such data when the backup is next overwritten in the ordinary course of business, or within one hundred and eighty (180) days of termination, whichever is sooner.

10. Audits

10.1 Audit Rights

You have the right to conduct an audit of our processing activities up to once per calendar year, or more frequently where required by a supervisory authority or following a Security Incident. Such audits shall be conducted at your expense and upon reasonable prior written notice of at least thirty (30) days.

10.2 Audit Procedures

Audits shall be conducted during normal business hours and shall not unreasonably interfere with our business operations. You may appoint a qualified, independent third-party auditor, subject to our reasonable approval and provided such auditor enters into appropriate confidentiality obligations.

10.3 Information and Cooperation

We shall make available to you all information necessary to demonstrate compliance with the obligations set out in this DPA and shall cooperate with any audit or inspection. We may provide relevant certifications, audit reports, or other documentation in lieu of a physical audit where reasonably sufficient.

11. Analytics Data

We may collect and use anonymised and aggregated data derived from Customer Personal Data for purposes of improving our services, benchmarking, and generating industry insights, provided that such data does not identify any individual Data Subject or the Customer. Such anonymised data shall not be considered Customer Personal Data for the purposes of this DPA.

12. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.

13. General

13.1 Precedence

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.

13.2 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Island of Jersey, and the parties submit to the exclusive jurisdiction of the courts of Jersey.

13.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13.4 Contact

For any questions regarding this DPA or our data processing practices, please contact us at hello@ikigai.je.

Schedule 1: Details of Processing

Categories of Data Subjects

  • Employees, contractors, and representatives of the Customer
  • Customers and prospective customers of the Customer
  • Visitors to the Customer's websites and digital properties

Types of Personal Data

  • Name (first name, last name)
  • Email address
  • Telephone number
  • Company or organisation name
  • Job title
  • IP address
  • Browser and device information
  • Website usage data (pages visited, session duration, referral source)
  • Marketing engagement data (email opens, click-throughs, ad interactions)
  • CRM records and contact history

Purpose of Processing

Customer Personal Data is processed for the purpose of providing growth marketing services under the Agreement, including but not limited to:

  • Website analytics and performance measurement
  • Search engine optimisation and paid advertising campaign management
  • CRM configuration, data migration, and integration
  • Email marketing and marketing automation
  • Conversion rate optimisation and A/B testing
  • Reporting and data analysis for marketing performance

Duration of Processing

Processing shall continue for the duration of the Agreement plus the period required for deletion of Customer Personal Data in accordance with Section 9 of this DPA.

Schedule 2: Security Measures

We implement the following technical and organisational measures to protect Customer Personal Data:

Access Controls

  • Role-based access controls with the principle of least privilege
  • Multi-factor authentication for all systems containing Customer Personal Data
  • Unique user accounts; no shared or generic credentials
  • Prompt revocation of access upon personnel departure or role change
  • Regular access reviews conducted at least quarterly

Encryption

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256 or equivalent
  • Encrypted backups stored in geographically separate locations

Monitoring and Logging

  • Audit logging of access to systems containing Customer Personal Data
  • Monitoring for unauthorised access attempts and anomalous activity
  • Log retention for a minimum of twelve (12) months

Incident Response

  • Documented incident response plan with defined roles and responsibilities
  • Regular testing and review of incident response procedures
  • Defined escalation paths and communication protocols

Business Continuity

  • Regular backups of Customer Personal Data with tested restoration procedures
  • Redundant infrastructure to minimise risk of service disruption
  • Disaster recovery procedures with defined recovery time objectives

Personnel Security

  • Confidentiality agreements for all personnel with access to Customer Personal Data
  • Data protection training provided upon onboarding and annually thereafter
  • Clear desk and screen lock policies