Data Processing Agreement
Last updated: 3 April 2026
1. Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy of Mewayz Global, Corp. ("Mewayz", "we", "us", or "our"). This DPA applies when Mewayz processes Personal Data on behalf of the Customer in the course of providing the Mewayz platform services.
This DPA establishes the Controller-Processor relationship between the Customer and Mewayz in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection legislation.
By using Mewayz services, the Customer agrees to be bound by the terms of this DPA. This DPA is effective as of the date the Customer accepts our Terms of Service or begins using our services.
2. Definitions
The following definitions apply to this DPA, in accordance with GDPR Article 4:
- Controller — The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- Processor — The natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
- Sub-processor — Any third party engaged by the Processor to assist in the processing of Personal Data on behalf of the Controller.
- Personal Data — Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier.
- Processing — Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
- Data Subject — An identified or identifiable natural person whose Personal Data is being processed.
3. Scope & Roles
Under this DPA, the Customer acts as the Controller and Mewayz acts as the Processor with respect to the Personal Data processed through the Mewayz platform.
Mewayz shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which the Processor is subject.
Mewayz shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection legislation.
4. Data Processing Details
The following describes the nature, purpose, and scope of the data processing activities carried out by Mewayz:
Categories of Personal Data:
- Account Data — Name, email address, phone number, company name, job title, login credentials.
- Contact Data — Contact information of the Customer's end users, clients, or leads stored within the Mewayz platform.
- Usage Data — Platform interaction logs, feature usage analytics, IP addresses, browser and device information.
- Content Data — Files, documents, messages, notes, and any other content uploaded or created by the Customer within the platform.
Categories of Data Subjects:
- The Customer's end users and platform users
- The Customer's employees and team members
- The Customer's contacts, clients, and leads
Purpose of Processing:
Providing, maintaining, and improving the Mewayz platform services as described in the Terms of Service, including CRM, project management, invoicing, helpdesk, and all other modules available within the platform.
5. Security Measures
Mewayz implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption at Rest — All Personal Data stored on our servers is encrypted using AES-256 encryption standards.
- Encryption in Transit — All data transmitted between the Customer and Mewayz is protected using TLS 1.2 or higher encryption protocols.
- Access Controls — Strict role-based access controls ensure that only authorized personnel can access Personal Data. Multi-factor authentication is enforced for all administrative access.
- Regular Security Reviews — We conduct periodic security assessments, vulnerability scans, and code reviews to identify and remediate potential security risks.
- Incident Response Procedures — We maintain documented incident response procedures that include identification, containment, eradication, recovery, and post-incident review processes.
- Backup & Recovery — Regular automated backups are performed and securely stored. Recovery procedures are tested periodically to ensure data integrity and availability.
6. Sub-processors
Mewayz engages the following sub-processors to assist in providing our services. Each sub-processor has been vetted for compliance with applicable data protection requirements:
- Stripe, Inc. — Payment processing. Location: United States. Data processed: payment and billing information.
- Cloudflare, Inc. — Content delivery network (CDN) and security services. Location: United States (global edge network). Data processed: traffic data, IP addresses.
- Hetzner Online GmbH — Server hosting and infrastructure. Location: European Union / United States. Data processed: all platform data as stored on servers.
Mewayz shall notify the Customer before adding or replacing any sub-processor, providing the Customer with an opportunity to object to such changes. If the Customer reasonably objects, Mewayz shall make reasonable efforts to provide an alternative solution, or the Customer may terminate the affected services.
Mewayz shall impose on each sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA.
7. Data Subject Rights
Mewayz shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under GDPR, including:
- Right of Access (Article 15) — The right to obtain confirmation and access to their Personal Data.
- Right to Rectification (Article 16) — The right to have inaccurate Personal Data corrected.
- Right to Erasure (Article 17) — The right to have Personal Data deleted under certain circumstances.
- Right to Restriction (Article 18) — The right to restrict the processing of Personal Data.
- Right to Data Portability (Article 20) — The right to receive Personal Data in a structured, commonly used, and machine-readable format.
Mewayz shall promptly notify the Controller upon receiving a request from a Data Subject and shall not respond to such requests directly unless authorized by the Controller.
8. Data Breach Notification
In the event of a Personal Data breach, Mewayz shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
The notification shall include:
- A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
- The name and contact details of the data protection officer or other contact point where more information can be obtained.
- A description of the likely consequences of the Personal Data breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
Mewayz shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.
9. Data Transfers
Where Personal Data is transferred from the European Economic Area (EEA) to countries outside the EEA that have not been deemed to provide an adequate level of data protection, Mewayz ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission for EU-US and other international data transfers.
- Additional technical and organizational measures to supplement the SCCs where necessary, based on transfer impact assessments.
Mewayz shall inform the Controller of any changes to the data transfer mechanisms and shall ensure that any transfer complies with applicable data protection legislation.
10. Data Retention & Deletion
Upon termination or expiry of the agreement between the Customer and Mewayz, Mewayz shall, at the choice of the Controller:
- Delete all Personal Data processed on behalf of the Controller within 30 days of receiving a written request; or
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format within 30 days of receiving a written request.
Mewayz shall delete existing copies of Personal Data unless European Union or Member State law requires storage of the Personal Data. Upon request, Mewayz shall provide written confirmation of data deletion.
11. Audits
Mewayz shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and GDPR Article 28.
The Controller, or an independent third-party auditor mandated by the Controller, may conduct audits to verify Mewayz's compliance with this DPA, subject to the following conditions:
- The Controller shall provide reasonable prior written notice of at least 30 days before conducting any audit.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with Mewayz's operations.
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by Mewayz.
- Audit results and any information obtained shall be treated as confidential.
12. Contact
For any questions regarding this Data Processing Agreement or data protection inquiries, please contact us:
- Company: Mewayz Global, Corp.
- Address: 131 Continental Dr, Suite 305, Newark, DE 19713, USA
- Data Protection Email: [email protected]
- EIN: 38-4374855
- Website: https://mewayz.com