Data Processing Agreement (DPA)
Last Updated: October 14, 2025
Effective Date: October 14, 2025
Important Notice: This Data Processing Agreement ("DPA") is incorporated by reference into the TiCloud Terms of Service. This DPA applies to all processing of Personal Data by TiCloud on behalf of Customer (Data Controller) and ensures compliance with GDPR, CCPA, UK Data Protection Act, PIPEDA, and other applicable data protection laws.
✓ GDPR Compliant | ✓ Standard Contractual Clauses Included | ✓ CCPA/CPRA Ready | ✓ UK GDPR Aligned
1. Definitions and Interpretation
1.1 Definitions
In this DPA, the following terms shall have the meanings set forth below:
- "Customer" or "Data Controller" means the entity that has entered into the TiCloud Terms of Service and determines the purposes and means of processing Personal Data (typically Merchant Account holders).
- "TiCloud" or "Data Processor" means TiCloud Receipt Management System, which processes Personal Data on behalf of the Data Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including but not limited to:
  - EU General Data Protection Regulation (GDPR) (EU) 2016/679
  - UK Data Protection Act 2018 and UK GDPR
  - California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  - Virginia Consumer Data Protection Act (VCDPA)
  - Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  - Other applicable state, provincial, federal, and international data protection laws
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by TiCloud to process Personal Data on behalf of the Data Controller.
- "Data Subject" means the individual to whom Personal Data relates.
- "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside the EEA.
- "Services" means the TiCloud Receipt Management System services as described in the Terms of Service.
- "Supervisory Authority" means the relevant data protection authority with jurisdiction over the Data Controller or Data Processor.
1.2 Interpretation
- References to "including" mean "including without limitation"
- Headings are for convenience only and do not affect interpretation
- This DPA shall be read in conjunction with the Terms of Service
- In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to Personal Data processing
2. Scope and Purpose of Processing
2.1 Scope of DPA
This DPA applies to all processing of Personal Data by TiCloud on behalf of Customer in connection with the provision of the Services.
2.2 Purpose of Processing
TiCloud shall process Personal Data only for the following purposes:
- Providing the receipt management services as described in the Terms of Service
- Processing and storing digital receipts created by Customer for their customers
- Enabling Customer to create, manage, and deliver receipts to end-users
- Facilitating merchant-customer interactions through the TiCloud platform
- Providing customer support to Customer and their end-users
- Maintaining security and preventing fraud
- Complying with legal obligations
- Any other purpose explicitly instructed by Customer in writing
2.3 Duration of Processing
Processing shall continue for the duration of the Services agreement and for such additional period as necessary to comply with legal obligations or as instructed by Customer.
2.4 Nature of Processing
The nature of processing includes:
- Collection and storage of receipt data
- Organization and structuring of transaction information
- Retrieval and consultation of stored receipts
- Transmission to Customer's end-users
- Deletion or anonymization upon instruction
3. Roles and Responsibilities
3.1 Data Controller (Customer)
Customer is the Data Controller for all Personal Data of their end-users processed through the Services. As Data Controller, Customer:
- Determines the purposes and means of processing Personal Data
- Ensures it has a lawful basis for processing under applicable Data Protection Laws
- Is responsible for obtaining necessary consents from Data Subjects
- Must provide adequate privacy notices to Data Subjects
- Ensures processing instructions to TiCloud comply with Data Protection Laws
- Is responsible for responding to Data Subject rights requests (with TiCloud's assistance)
3.2 Data Processor (TiCloud)
TiCloud is the Data Processor and processes Personal Data only on behalf of and according to the documented instructions of Customer. As Data Processor, TiCloud:
- Processes Personal Data only as instructed by Customer
- Implements appropriate technical and organizational security measures
- Assists Customer in fulfilling Data Subject rights requests
- Assists Customer with data breach notifications
- Makes available information necessary to demonstrate compliance
- Deletes or returns Personal Data upon termination (as instructed)
3.3 Joint Controller Scenarios
In limited scenarios where TiCloud and Customer jointly determine processing purposes and means, the parties shall enter into a separate joint controller agreement as required by GDPR Article 26.
4. Types of Personal Data and Data Subjects
4.1 Categories of Data Subjects
The Personal Data processed under this DPA may relate to the following categories of Data Subjects:
- Customer's end-users (consumers using TiCloud to store receipts)
- Customer's employees or representatives (merchant account administrators)
- Individuals whose information appears on receipts
4.2 Types of Personal Data
The Personal Data processed may include:
| Data Category | Examples |
| --- | --- |
| Identification Data | Name, email address, phone number (if provided), user ID |
| Transaction Data | Purchase amounts, dates, items purchased, payment methods |
| Receipt Data | Digital receipt images, merchant names, transaction details |
| Technical Data | IP address, device identifiers, usage logs |
| Interaction Data | QR code scans, merchant-customer interactions, timestamps |
| Special Categories (Incidental) | Health data (if pharmacy receipts), financial data (if visible on receipts) |
4.3 Sensitive Personal Data
Customer acknowledges that receipts may incidentally contain sensitive or special categories of personal data. Customer is responsible for:
- Obtaining explicit consent where required for processing sensitive data
- Redacting sensitive information before creating receipts where appropriate
- Informing TiCloud if processing includes sensitive data requiring additional safeguards
5. Data Controller Obligations
Customer, as Data Controller, represents, warrants, and undertakes that:
5.1 Legal Basis and Compliance
- It has a lawful basis for processing under applicable Data Protection Laws (e.g., consent, contract, legitimate interest)
- It complies with all applicable Data Protection Laws in its capacity as Data Controller
- All processing instructions provided to TiCloud are lawful and comply with Data Protection Laws
5.2 Consent and Notices
- It has obtained all necessary consents from Data Subjects for the processing of their Personal Data
- It has provided adequate privacy notices to Data Subjects, including information about TiCloud's role as processor
- It has informed Data Subjects about international data transfers where applicable
5.3 Data Quality
- Personal Data provided to TiCloud is accurate, adequate, relevant, and limited to what is necessary
- It will promptly correct or delete inaccurate Personal Data
- It will not provide Personal Data of minors without proper parental consent where required
5.4 Security
- It will implement appropriate security measures for data under its control
- It will securely manage access credentials and API keys
- It will promptly notify TiCloud of any security incidents affecting Customer's systems
5.5 Instructions
- All processing instructions to TiCloud will be documented and lawful
- Instructions will be provided through designated communication channels
- Customer acknowledges that TiCloud may refuse instructions that violate Data Protection Laws
6. Data Processor Obligations
TiCloud, as Data Processor, undertakes to:
6.1 Processing Instructions
- Process Personal Data only on documented instructions from Customer, including regarding international transfers
- Inform Customer immediately if, in TiCloud's opinion, an instruction violates Data Protection Laws
- Not process Personal Data for any purpose other than as instructed by Customer, except where required by law
6.2 Confidentiality
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality
- Maintain the confidentiality of Personal Data and not disclose it to third parties without authorization
- Ensure all employees, contractors, and sub-processors are bound by confidentiality obligations
6.3 Security (See Section 7)
- Implement and maintain appropriate technical and organizational security measures
- Regularly test, assess, and evaluate the effectiveness of security measures
- Ensure security measures comply with GDPR Article 32 and equivalent provisions in other Data Protection Laws
6.4 Sub-processors (See Section 8)
- Not engage sub-processors without prior written authorization from Customer
- Impose data protection obligations on sub-processors equivalent to this DPA
- Remain liable for sub-processor's processing activities
6.5 Assistance to Controller
- Assist Customer in responding to Data Subject rights requests (see Section 9)
- Assist Customer with data breach notifications (see Section 10)
- Assist Customer with Data Protection Impact Assessments (DPIAs) when required
- Assist Customer with prior consultations with supervisory authorities when required
6.6 Records and Documentation
- Maintain records of all processing activities carried out on behalf of Customer (GDPR Article 30)
- Make available to Customer all information necessary to demonstrate compliance with this DPA
- Provide evidence of compliance certifications and audit reports upon request
6.7 Data Deletion/Return (See Section 13)
- Delete or return all Personal Data to Customer upon termination of Services
- Delete existing copies unless retention is required by law
7. Security Measures
7.1 Security Commitment
TiCloud implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account:
- The state of the art
- The costs of implementation
- The nature, scope, context, and purposes of processing
- The risks to the rights and freedoms of Data Subjects
7.2 Technical Security Measures
| Security Control | Implementation |
| --- | --- |
| Encryption in Transit | TLS 1.2+ for all data transmission; HTTPS enforced |
| Encryption at Rest | AES-256 encryption for databases and file storage |
| Access Controls | Role-based access control (RBAC); principle of least privilege; multi-factor authentication (MFA) for administrative access |
| Authentication | Bcrypt password hashing; JWT token-based authentication; session management |
| Network Security | Firewalls; intrusion detection/prevention systems (IDS/IPS); DDoS protection; API rate limiting |
| Data Segregation | Logical separation of customer data; isolated database schemas |
| Backup & Recovery | Encrypted daily backups; tested disaster recovery procedures; 99.9% uptime SLA |
| Secure Development | Security code reviews; dependency scanning; OWASP Top 10 compliance |
7.3 Organizational Security Measures
- Personnel Security:
  - Background checks for employees with access to Personal Data
  - Mandatory security and privacy training for all staff
  - Confidentiality and non-disclosure agreements
  - Immediate access revocation upon employee termination
- Physical Security:
  - Secure data centers with 24/7 surveillance
  - Biometric access controls for server rooms
  - Environmental controls (fire suppression, climate control)
- Incident Response:
  - Documented incident response plan
  - 24/7 security monitoring and alerting
  - Regular security drills and tabletop exercises
- Auditing and Logging:
  - Comprehensive audit logging of all data access
  - Log retention for minimum 12 months
  - Regular log review and analysis
  - Immutable audit trails
7.4 Security Certifications and Compliance
TiCloud maintains or is working toward the following certifications:
- ISO 27001 (Information Security Management)
- SOC 2 Type II (Security, Availability, Confidentiality)
- GDPR compliance attestation
- Regular penetration testing by independent third parties
7.5 Security Updates
- TiCloud will regularly review and update security measures
- Material changes to security measures will be communicated to Customer
- Customer may request updated security documentation annually
8. Sub-processors
8.1 General Authorization
Customer provides general authorization for TiCloud to engage sub-processors to process Personal Data, subject to the conditions in this Section 8.
8.2 Current Sub-processors
TiCloud currently engages the following sub-processors:
| Sub-processor | Service Provided | Location | Data Transferred |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | EU, US (per Customer preference) | All Personal Data |
| OpenAI | Receipt OCR and text extraction | United States | Receipt images (anonymized where possible) |
| Email Service Provider (e.g., SendGrid) | Transactional email delivery | United States | Email addresses, names, communication content |
| FTP Storage Provider | Receipt image storage | France/EU | Receipt images |
8.3 Sub-processor Requirements
TiCloud ensures that all sub-processors:
- Are bound by written agreements imposing data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Process Personal Data only on TiCloud's instructions (which reflect Customer's instructions)
- Comply with applicable Data Protection Laws
- Have Standard Contractual Clauses in place for international transfers (where applicable)
8.4 New Sub-processors
- TiCloud will inform Customer of any intended changes concerning the addition or replacement of sub-processors
- Notification will be provided at least 30 days in advance via email to Customer's registered contact
- Updated sub-processor list maintained at: https://ticloud.app/sub-processors
8.5 Objection Rights
- Customer may object to a new sub-processor on reasonable data protection grounds
- Objections must be submitted in writing within 14 days of notification
- If objection is validated, TiCloud will:
  - Not engage the sub-processor for Customer's data, or
  - Provide alternative solutions, or
  - Allow Customer to suspend or terminate Services without penalty
8.6 Liability
TiCloud shall remain fully liable to Customer for the performance of sub-processors' obligations and for any acts or omissions of sub-processors.
9. Data Subject Rights
9.1 TiCloud's Assistance Obligations
TiCloud shall, taking into account the nature of processing, assist Customer by implementing appropriate technical and organizational measures to fulfill Customer's obligation to respond to Data Subject rights requests, including:
- Right of Access: Provide Customer with tools to retrieve Data Subject's Personal Data in structured, machine-readable format (JSON, CSV)
- Right to Rectification: Enable Customer to correct inaccurate or incomplete Personal Data
- Right to Erasure ("Right to be Forgotten"): Delete Personal Data upon Customer's instruction within 30 days
- Right to Restriction of Processing: Implement technical measures to restrict processing when requested
- Right to Data Portability: Provide data export functionality in portable formats
- Right to Object: Cease processing specific categories of data upon instruction
- Rights Related to Automated Decision-Making: Provide information about automated processing logic and facilitate human review
9.2 Request Handling Process
- Data Subjects should submit rights requests directly to Customer (Data Controller)
- If TiCloud receives a Data Subject request directly, it will forward it to Customer within 2 business days
- Customer is responsible for verifying Data Subject identity and determining the validity of requests
- TiCloud will assist Customer in responding within the timelines required by Data Protection Laws (typically 30 days)
9.3 Tools and Support
TiCloud provides the following tools to assist with Data Subject rights:
- Self-service data export functionality in the admin dashboard
- API endpoints for programmatic data retrieval and deletion
- Dedicated support channel for rights requests: dsr@ticloud.app
- Documentation and guidance on handling rights requests
9.4 Fees for Assistance
- Assistance with up to 10 Data Subject rights requests per month is included at no additional charge
- Additional requests may be subject to reasonable fees based on time and resources required
- No fees for requests that can be fulfilled using self-service tools
10. Data Breach Notification
10.1 Notification to Customer
TiCloud shall notify Customer without undue delay, and in any event within 24 hours, upon becoming aware of a Data Breach affecting Customer's Personal Data.
10.2 Breach Notification Content
The notification shall include, to the extent available:
- Description of the nature of the Data Breach, including categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of TiCloud's data protection officer or other contact point
- Description of the likely consequences of the Data Breach
- Description of measures taken or proposed to address the Data Breach and mitigate its adverse effects
- Timeline of the breach (when it occurred, when it was detected)
- Affected systems and data categories
10.3 Notification Method
- Initial notification via email and phone to Customer's designated security contact
- Follow-up written notification with detailed incident report within 72 hours
- Ongoing updates as investigation progresses
10.4 Customer Obligations
Customer acknowledges that:
- Customer is responsible for notifying supervisory authorities within 72 hours (GDPR) or as required by applicable law
- Customer is responsible for notifying affected Data Subjects where required by law
- Customer must maintain accurate contact information for breach notifications
10.5 TiCloud's Remediation
Following a Data Breach, TiCloud shall:
- Conduct a thorough investigation to determine root cause
- Implement immediate containment measures
- Remediate vulnerabilities that led to the breach
- Provide Customer with a detailed post-incident report
- Implement additional security measures to prevent recurrence
- Cooperate with Customer's investigations and regulatory inquiries
10.6 No Undue Delay
TiCloud commits to industry-leading breach notification timelines and shall not unduly delay notifications to Customer, recognizing that Customer needs adequate time to fulfill its own notification obligations to authorities and Data Subjects.
11. Audits and Inspections
11.1 Audit Rights
Customer has the right to conduct audits and inspections of TiCloud's data processing activities, including:
- Review of TiCloud's compliance with this DPA and Data Protection Laws
- Inspection of security measures and controls
- Review of processing records and documentation
- Assessment of sub-processor compliance
11.2 Audit Frequency
- Customer may conduct or commission one audit per calendar year at no additional cost
- Additional audits may be conducted if there is a Data Breach or evidence of non-compliance
- Audits requested by supervisory authorities are not subject to frequency limitations
11.3 Audit Process
- Notice: Customer shall provide at least 30 days' written notice of intent to audit (except for breach-related audits)
- Scope: Audit scope shall be reasonable and focused on compliance with this DPA
- Timing: Audits shall be conducted during normal business hours
- Auditor: Customer may use independent third-party auditors bound by confidentiality obligations
- Disruption: Audits shall be conducted in a manner that minimizes disruption to TiCloud's operations
11.4 Alternative Compliance Verification
As an alternative to on-site audits, TiCloud may provide:
- SOC 2 Type II reports (issued within the last 12 months)
- ISO 27001 certification and audit reports
- Third-party penetration testing reports
- Security questionnaire responses (e.g., SIG, CAIQ)
- Compliance attestations and certifications
11.5 Costs
- TiCloud shall bear the cost of providing audit documentation and access for the annual audit
- Customer shall bear costs of third-party auditors
- For audits exceeding one per year, reasonable fees may apply to compensate for TiCloud's time and resources
11.6 Audit Findings
- Customer shall share audit findings with TiCloud
- TiCloud shall address any identified non-compliance within a reasonable timeframe (typically 30-90 days depending on severity)
- TiCloud shall provide remediation plans for significant findings
11.7 Confidentiality
Audit findings and TiCloud's internal documentation are confidential and shall not be disclosed to third parties except as required by law or with TiCloud's consent.
12. International Data Transfers
12.1 Transfer Mechanisms
When Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or other jurisdictions with data localization requirements, TiCloud ensures adequate protection through the following mechanisms:
12.2 Standard Contractual Clauses (SCCs)
- For transfers from the EU/EEA/UK to countries without adequacy decisions, TiCloud implements Standard Contractual Clauses as approved by:
  - European Commission (EU SCCs - Commission Implementing Decision 2021/914)
  - UK Information Commissioner's Office (UK International Data Transfer Agreement/Addendum)
- The SCCs are incorporated into this DPA by reference (see Section 16)
- TiCloud commits to the obligations of a "data importer" under the SCCs
12.3 Adequacy Decisions
TiCloud may transfer Personal Data to countries deemed adequate by the European Commission or UK, including:
- Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, Uruguay
- EU-US Data Privacy Framework participants (when applicable)
12.4 Additional Safeguards
In addition to SCCs, TiCloud implements supplementary measures as recommended by the European Data Protection Board (EDPB), including:
- Encryption: End-to-end encryption for data in transit and at rest
- Pseudonymization: Separation of identifying data from content where feasible
- Access Controls: Strict limitations on who can access Personal Data
- Contractual Protections: Contractual obligations for processors to resist unlawful government access requests
- Transparency: Commitment to notify Customer of government data access requests (unless legally prohibited)
12.5 Data Localization Options
TiCloud offers data localization options for Customers who require data to remain in specific regions:
- EU Region: Data stored exclusively in EU data centers
- US Region: Data stored in US data centers
- Customer may specify preferred region during account setup
12.6 Transfer Impact Assessment
- TiCloud has conducted Transfer Impact Assessments (TIAs) for all international transfers as required by Schrems II
- TiCloud will cooperate with Customer's own TIA processes
- TiCloud will provide information about local laws affecting data protection in countries where data is processed
12.7 Government Access Requests
- TiCloud commits to notify Customer of any government or law enforcement requests for Personal Data, unless legally prohibited
- TiCloud will challenge overly broad or unlawful requests
- TiCloud will seek assurances that requests are lawful and proportionate
- Transparency reports published annually at: https://ticloud.app/transparency
12.8 Canadian Transfers (PIPEDA)
For Canadian Customers, transfers of Personal Data outside Canada are subject to:
- Notification to Data Subjects that their information may be processed abroad
- Contractual requirements that foreign processors provide comparable protection
- Customer acknowledgment that data may be accessible to foreign governments under lawful authority
12.9 US State Law Compliance
For transfers relevant to California, Virginia, Colorado, Connecticut, and Utah privacy laws:
- TiCloud acts as a Service Provider/Processor and does not "sell" or "share" Personal Data
- Contractual restrictions prevent TiCloud from retaining, using, or disclosing Personal Data outside the business relationship
- TiCloud certifies it understands and will comply with applicable restrictions
13. Data Deletion and Return
13.1 Deletion or Return Upon Termination
Upon termination or expiration of the Services agreement, TiCloud shall, at Customer's choice:
- Delete: Securely delete all Personal Data, including backups, within 90 days of termination, OR
- Return: Return all Personal Data to Customer in a structured, machine-readable format (JSON, CSV) within 30 days
13.2 Customer Election
- Customer must notify TiCloud of their choice (deletion or return) within 30 days of termination
- If no instruction is received, TiCloud will delete all Personal Data after 90 days
- Customer may request both return AND deletion (return first, followed by certified deletion)
13.3 Deletion Methods
TiCloud uses the following secure deletion methods:
- Database Records: Cryptographic erasure (destroy encryption keys) or secure multi-pass overwriting
- File Storage: DOD 5220.22-M standard (7-pass overwrite) or cryptographic erasure
- Backups: Deleted from all backup systems within 180 days maximum
- Certificates: TiCloud will provide a certificate of deletion upon request
13.4 Legal Retention Exceptions
- TiCloud may retain Personal Data to the extent and for the period required by applicable law (e.g., tax records, audit logs)
- Any retained data will be isolated, protected, and not used for any other purpose
- TiCloud will inform Customer of any legal retention requirements preventing complete deletion
- Retained data will be deleted once legal obligations expire
13.5 Return Format
When data return is requested, TiCloud will provide:
- Structured data in JSON or CSV format
- Receipt images in original format (JPEG, PNG, PDF)
- Metadata files documenting data structure
- Secure transfer via encrypted download link or SFTP
- Verification checksums (SHA-256) for data integrity
13.6 Ongoing Processing During Transition
- During the transition period (up to 30 days post-termination), TiCloud will continue to process Personal Data in accordance with this DPA
- Customer may access and export data through the platform during this period
- After 30 days, data export functionality will be disabled unless extended access is arranged
13.7 Sub-processor Data Deletion
- TiCloud shall ensure that all sub-processors delete or return Personal Data in accordance with their agreements
- TiCloud will provide evidence of sub-processor deletion upon request
14. Liability and Indemnification
14.1 General Liability
- Each party shall be liable for damages caused by its breach of this DPA in accordance with applicable Data Protection Laws
- TiCloud shall be liable to Customer for damages caused by sub-processors as if caused by TiCloud directly
- Liability limitations in the main Services Agreement apply, except where prohibited by Data Protection Laws
14.2 GDPR Liability Chain (Article 82)
For EU/UK Data Subjects:
- TiCloud shall be liable for damages only where it has not complied with GDPR obligations specifically directed at processors, or where it has acted outside or contrary to lawful instructions from Customer
- TiCloud is exempt from liability if it proves it is not in any way responsible for the event giving rise to damage
- Where both Customer and TiCloud are liable for the same damage, Customer and TiCloud shall be jointly and severally liable
- If TiCloud pays compensation, it is entitled to claim back from Customer the portion corresponding to Customer's responsibility
14.3 Indemnification by TiCloud
TiCloud shall indemnify, defend, and hold harmless Customer from and against any claims, losses, damages, fines, or penalties arising from:
- TiCloud's breach of this DPA or Data Protection Laws
- TiCloud's negligence or willful misconduct in processing Personal Data
- Acts or omissions of TiCloud's sub-processors (where TiCloud failed to properly vet or contractually bind them)
- Data Breaches caused by TiCloud's security failures
Exceptions: TiCloud is not liable for claims arising from:
- Customer's unlawful processing instructions
- Customer's breach of this DPA or Data Protection Laws
- Customer's failure to obtain proper consents or provide adequate privacy notices
- Modifications to TiCloud Services made by Customer or third parties
14.4 Indemnification by Customer
Customer shall indemnify TiCloud from claims arising from:
- Customer's breach of this DPA or Data Protection Laws
- Unlawful or improper processing instructions provided by Customer
- Customer's failure to obtain necessary consents or provide privacy notices
- Customer's processing of Personal Data outside the scope of this DPA
14.5 Regulatory Fines and Penalties
- Customer Responsibility: Customer is responsible for fines/penalties resulting from Customer's violations as Data Controller (e.g., lack of legal basis, inadequate privacy notices)
- TiCloud Responsibility: TiCloud is responsible for fines/penalties resulting from TiCloud's violations as Data Processor (e.g., processing outside instructions, inadequate security)
- Parties will cooperate to minimize regulatory exposure and respond to supervisory authority investigations
14.6 Limitation of Liability
Except as prohibited by Data Protection Laws:
- TiCloud's total aggregate liability under this DPA shall not exceed the fees paid by Customer in the 12 months preceding the claim
- Neither party shall be liable for indirect, incidental, consequential, or punitive damages
- Important: Some Data Protection Laws (e.g., GDPR Article 82) do not allow limitation of liability for data protection violations; this limitation may not apply to such claims
14.7 Insurance
- TiCloud maintains cyber liability insurance covering data breaches and privacy claims
- Coverage limits: $2,000,000 per occurrence / $5,000,000 aggregate (subject to change)
- Certificate of insurance available upon request
15. Duration and Termination
15.1 Duration
- This DPA takes effect on the date Customer accepts the TiCloud Terms of Service
- This DPA remains in force for as long as TiCloud processes Personal Data on behalf of Customer
- Certain provisions survive termination (see Section 15.5)
15.2 Termination of Services Agreement
- This DPA automatically terminates upon termination of the main Services Agreement
- Data deletion/return obligations survive termination (Section 13)
- Customer may terminate Services if TiCloud materially breaches this DPA and fails to cure within 30 days
15.3 Termination for Data Protection Violations
Either party may terminate this DPA and the Services Agreement immediately if:
- The other party commits a material breach of Data Protection Laws
- Continuing the agreement would result in violation of Data Protection Laws
- A supervisory authority orders cessation of processing
- International data transfer mechanisms are invalidated and no alternative exists
15.4 Effect of Termination
Upon termination:
- TiCloud shall immediately cease all processing of Personal Data (except for deletion/return activities)
- TiCloud shall delete or return Personal Data as instructed (Section 13)
- TiCloud shall return or destroy confidential information of Customer
- Accrued rights and obligations remain enforceable
15.5 Surviving Provisions
The following provisions survive termination:
- Section 13 (Data Deletion and Return)
- Section 14 (Liability and Indemnification)
- Confidentiality obligations
- Audit rights related to termination (for 12 months post-termination)
- Any provisions necessary to enforce rights or obligations that accrued prior to termination
15.6 No Penalty for DPA Termination
- If Customer terminates due to TiCloud's DPA breach or data protection concerns, no early termination fees apply
- Customer shall receive a pro-rata refund of prepaid fees for unused services
16. Standard Contractual Clauses
16.1 Incorporation of SCCs
The Standard Contractual Clauses for international data transfers are hereby incorporated into this DPA by reference:
- EU Standard Contractual Clauses: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
- UK International Data Transfer Agreement: UK Information Commissioner's Office International Data Transfer Agreement (IDTA) and/or Addendum to the EU SCCs
- Swiss SCCs: Swiss Federal Data Protection and Information Commissioner approved clauses (where applicable)
16.2 Module Selection
For the purposes of the EU SCCs, the following modules apply:
- Module 2 (Controller to Processor): Applies when Customer is Controller and TiCloud is Processor
- Module 3 (Processor to Sub-processor): Applies for sub-processor relationships
16.3 SCC Details and Selections
| Clause | Selection/Detail |
| --- | --- |
| Clause 7 (Docking Clause) | Optional docking available for additional exporters/importers |
| Clause 9 (Use of Sub-processors) | OPTION 2: General authorization with notification (as per Section 8 of this DPA) |
| Clause 11 (Redress) | Data subjects have enforceable third-party beneficiary rights |
| Clause 13 (Supervision) | Supervisory authority: Customer's lead supervisory authority in EU/EEA |
| Clause 17 (Governing Law) | Law of the EU Member State where Customer is established (for EU customers) |
| Clause 18 (Jurisdiction) | Courts of the EU Member State where Customer is established |
16.4 Annex Information
Annex I - Parties and Processing Details:
- Data Exporter (Customer): Details as specified in Customer's account information
- Data Importer (TiCloud):
- Name: TiCloud Receipt Management System
- Address: 199 rue Hélène Boucher, 34710 Castelnau le Lez, France
- Contact: dpo@ticloud.app
- Processing Operations: As described in Section 2 of this DPA
- Categories of Data: As described in Section 4 of this DPA
- Data Subjects: As described in Section 4.1 of this DPA
- Sensitive Data: Potentially incidental (as described in Section 4.3)
- Transfer Frequency: Continuous during term of Services
- Retention Period: As described in Section 13 of this DPA
Annex II - Technical and Organizational Security Measures:
- As described in Section 7 of this DPA
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner in the event of an incident
- Regular testing, assessment, and evaluation of effectiveness
Annex III - List of Sub-processors:
16.5 Order of Precedence
In case of conflict between provisions:
- Standard Contractual Clauses (where applicable to international transfers)
- This Data Processing Agreement
- Main Terms of Service
16.6 Full Text of SCCs
The complete text of the Standard Contractual Clauses is available at:
18. Additional Provisions
18.1 Amendments
- TiCloud may update this DPA to reflect changes in Data Protection Laws or business practices
- Material changes will be communicated to Customer at least 30 days in advance
- Continued use of Services after effective date constitutes acceptance of amendments
- Customer may object to material changes and terminate Services without penalty
18.2 Severability
- If any provision is found invalid or unenforceable, it shall be modified to the minimum extent necessary to make it valid
- Remaining provisions shall remain in full force and effect
- Parties shall negotiate in good faith to replace invalid provisions
18.3 Entire Agreement
- This DPA, together with the Terms of Service and incorporated SCCs, constitutes the entire agreement regarding Personal Data processing
- Supersedes all prior agreements, communications, and understandings regarding data processing
- No oral modifications; amendments must be in writing
18.4 Language
- This DPA is executed in English
- Translations available for convenience, but English version controls in case of discrepancy
- Available languages: English, French, German, Spanish
18.5 Counterparts
- This DPA may be executed in counterparts, each of which constitutes an original
- Electronic signatures are valid and binding
- DPA is incorporated by reference when Customer accepts Terms of Service
18.6 Notices
All notices under this DPA shall be in writing and delivered to:
- To TiCloud: legal@ticloud.app and physical address above
- To Customer: Email address registered in Customer account
- Notices are effective upon receipt
- Customer must keep contact information current
19. Acceptance and Execution
Agreement Execution
This Data Processing Agreement is automatically executed and incorporated by reference when Customer:
- Accepts the TiCloud Terms of Service, OR
- Creates a TiCloud merchant account, OR
- Uses TiCloud Services in a capacity that involves processing Personal Data as a Controller
Acceptance Date: The date Customer first accepts Terms of Service or creates an account
Binding Agreement: By using TiCloud Services, Customer acknowledges that:
- Customer has read and understood this DPA
- Customer agrees to be bound by all terms and conditions herein
- Customer has authority to bind their organization to this DPA
- Customer accepts the Standard Contractual Clauses incorporated herein
Custom DPA Requests: Enterprise customers requiring customized DPA terms may contact: enterprise@ticloud.app
Compliance Summary
This DPA ensures compliance with:
- ✓ GDPR Article 28 (Processor Requirements)
- ✓ GDPR Article 32 (Security of Processing)
- ✓ GDPR Article 33 (Breach Notification)
- ✓ GDPR Articles 44-50 (International Transfers)
- ✓ UK Data Protection Act 2018
- ✓ CCPA/CPRA Service Provider Requirements
- ✓ VCDPA, CPA, CTDPA, UCPA Processor Obligations
- ✓ PIPEDA Principle 4.1.3 (Accountability for Transfers)
- ✓ Standard Contractual Clauses (EU Commission 2021/914)
- ✓ UK International Data Transfer Agreement (IDTA)
© 2025 TiCloud Receipt Management System. All rights reserved.