Data Processing Agreement

01Introduction

This Data Processing Agreement governs the Processing of Personal Data by Kyttx on behalf of Sellers and other business Users in connection with the Kyttx Platform.

This DPA applies where Kyttx Processes Personal Data as a Processor, service provider, contractor, or similar role on behalf of a Seller or other business User that acts as a Controller, business, or similar role under applicable Data Protection Laws.

This DPA is incorporated into and forms part of the Kyttx Master Terms of Service, Seller / Merchant Agreement, Privacy Policy, Cookie Policy, and other applicable Kyttx Policies.

By using Kyttx as a Seller, Merchant, business User, account owner, or organization that provides, uploads, collects, or otherwise Processes Personal Data through Kyttx, you agree to this DPA.

If you do not agree to this DPA, you must not use Kyttx to Process Personal Data for which you are responsible.

02Purpose of This DPA

Kyttx provides software infrastructure that allows Sellers to create, host, sell, manage, and deliver Seller Offerings.

In connection with those services, Sellers may provide or make available Personal Data to Kyttx, including Buyer Data.

This DPA is intended to define the parties? privacy and data protection responsibilities when Kyttx Processes such Personal Data on behalf of Sellers.

03Relationship to Other Terms

This DPA applies in addition to all other Kyttx terms and policies.

If there is a conflict between this DPA and the Kyttx Master Terms of Service, this DPA controls for Processing of Personal Data where Kyttx acts as a Processor on behalf of a Seller, unless expressly stated otherwise.

If there is a conflict between this DPA and the Privacy Policy, the Privacy Policy controls for Personal Data that Kyttx Processes as an independent Controller, and this DPA controls for Personal Data that Kyttx Processes as a Processor on behalf of a Seller.

04Definitions

For purposes of this DPA:

?Applicable Data Protection Laws? means any data protection, privacy, electronic communications, cybersecurity, or similar law applicable to the Processing of Personal Data under this DPA, including where applicable the GDPR, UK GDPR, Swiss FADP, UAE data protection laws, DIFC data protection laws, United States state privacy laws, and other applicable privacy laws.

?Controller? means the party that determines the purposes and means of Processing Personal Data, or the equivalent term under Applicable Data Protection Laws.

?Processor? means the party that Processes Personal Data on behalf of a Controller, or the equivalent term under Applicable Data Protection Laws.

?Business,? ?Service Provider,? ?Contractor,? ?Consumer,? ?Sale,? ?Share,? ?Targeted Advertising,? and similar terms have the meanings given to them under applicable United States privacy laws, where such laws apply.

?Data Subject? means an identified or identifiable person to whom Personal Data relates.

?Personal Data? means information that identifies, relates to, describes, can reasonably be associated with, or could reasonably be linked to an identified or identifiable person, or equivalent terms under Applicable Data Protection Laws.

?Processing? means any operation performed on Personal Data, including collection, use, storage, hosting, disclosure, transfer, analysis, transmission, deletion, or other handling.

?Seller Personal Data? means Personal Data Processed by Kyttx on behalf of a Seller or business User under this DPA.

?Buyer Data? means Personal Data relating to Buyers, Customers, Members, subscribers, purchasers, participants, or other end users of Seller Offerings.

?Subprocessor? means a third party engaged by Kyttx to Process Seller Personal Data on behalf of Kyttx.

?Services? means the Kyttx Platform and related services provided to Sellers.

Capitalized terms not defined in this DPA have the meanings given in the Kyttx Master Terms of Service or Privacy Policy.

05Roles of the Parties

For Seller Personal Data, the Seller is generally the Controller and Kyttx is generally the Processor.

For purposes of United States privacy laws, where applicable, the Seller is generally the Business and Kyttx is generally the Service Provider or Contractor.

Kyttx may also Process certain Personal Data as an independent Controller, including Personal Data related to:

• Account registration.
• Platform administration.
• Billing and Fees.
• Payment-related records.
• Fraud prevention.
• Security.
• Compliance.
• Legal obligations.
• Support.
• Analytics.
• Product improvement.
• Communications with Users.
• Enforcement of Kyttx Policies.
• Corporate operations.

Such Controller Processing is governed by the Kyttx Privacy Policy, not this DPA.

Third-Party Payment Providers, such as Stripe, may act as independent Controllers for payment processing, KYC, identity verification, fraud prevention, financial compliance, and related services.

06Seller Responsibilities

The Seller is responsible for:

• Complying with Applicable Data Protection Laws.
• Determining the lawful purposes and means of Processing Seller Personal Data.
• Providing required privacy notices to Data Subjects.
• Obtaining required consents where needed.
• Establishing lawful bases for Processing.
• Ensuring Personal Data provided to Kyttx is lawfully collected.
• Ensuring Seller instructions to Kyttx are lawful.
• Responding to Data Subject requests where Seller is Controller.
• Ensuring marketing communications are lawful.
• Ensuring use of Buyer Data is lawful.
• Ensuring Operators and team members use Buyer Data lawfully.
• Limiting Personal Data collected through Seller Offerings to what is necessary.
• Avoiding unauthorized collection of sensitive Personal Data.
• Maintaining appropriate records.
• Complying with tax, consumer, marketing, communications, and e-commerce laws related to Personal Data.
• Ensuring Seller privacy policies accurately describe Seller Processing.

Seller must not instruct Kyttx to Process Personal Data in violation of Applicable Data Protection Laws.

07Kyttx Responsibilities as Processor

Where Kyttx acts as Processor, Kyttx will:

• Process Seller Personal Data only on documented instructions from Seller, unless required by law.
• Maintain reasonable security measures.
• Use Subprocessors in accordance with this DPA.
• Assist Seller with Data Subject requests where required and reasonably possible.
• Assist Seller with security incident obligations where required and reasonably possible.
• Assist Seller with data protection impact assessments where required and reasonably possible.
• Make information available to demonstrate compliance as required by Applicable Data Protection Laws.
• Delete or return Seller Personal Data as described in this DPA.
• Ensure personnel authorized to Process Seller Personal Data are bound by confidentiality obligations.
• Comply with Applicable Data Protection Laws applicable to Kyttx as Processor.

08Seller Instructions

Seller instructs Kyttx to Process Seller Personal Data as necessary to:

• Provide the Services.
• Operate the Platform.
• Host Seller Offerings.
• Provide Buyer access.
• Support checkout-related workflows.
• Support payment-related workflows.
• Manage subscriptions.
• Manage payment plans.
• Manage trials.
• Manage communities.
• Manage course access.
• Manage files and downloads.
• Manage forms and bookings.
• Manage automations.
• Manage communications.
• Provide analytics.
• Provide support.
• Troubleshoot issues.
• Prevent fraud and abuse.
• Maintain security.
• Comply with law.
• Enforce Kyttx Policies.
• Manage refunds, chargebacks, and disputes.
• Use Subprocessors.
• Transfer Seller Personal Data internationally as described in this DPA.
• Otherwise provide and improve the Services.

Seller may provide additional instructions through Platform settings, written agreements, or support requests, provided such instructions are lawful, technically feasible, commercially reasonable, and consistent with Kyttx Policies.

Kyttx may reject or decline instructions that Kyttx determines are unlawful, unreasonable, technically infeasible, inconsistent with Kyttx Policies, or likely to create legal, security, privacy, payment, compliance, or platform risk.

09Details of Processing

The subject matter of Processing is the provision of the Kyttx Platform and related services.

The duration of Processing is the term of the Seller?s use of the Platform and any additional period required for retention, deletion, legal compliance, dispute resolution, security, fraud prevention, payment compliance, or enforcement.

The nature and purpose of Processing includes hosting, storage, transmission, access management, content delivery, communications, analytics, payment-related workflows, support, security, fraud prevention, compliance, dispute management, and Platform operations.

The categories of Data Subjects may include:

• Buyers.
• Customers.
• Members.
• Subscribers.
• Purchasers.
• Participants.
• Community members.
• Seller personnel.
• Operator personnel.
• Team members.
• Affiliates.
• Visitors.
• Support contacts.
• Other individuals whose Personal Data is submitted through the Platform.

The categories of Personal Data may include:

• Name.
• Email address.
• Account information.
• Purchase history.
• Access status.
• Subscription status.
• Payment status.
• Refund records.
• Chargeback records.
• Dispute records.
• Support communications.
• Form submissions.
• Booking information.
• Community activity.
• Content progress.
• Files or submissions.
• IP address.
• Device information.
• Browser information.
• Usage data.
• Analytics data.
• Communications data.
• Other data submitted by Seller, Buyer, Operator, or Users through the Platform.

Sensitive Personal Data should not be submitted unless necessary, lawful, properly protected, and permitted by Kyttx.

10Confidentiality

Kyttx will ensure that personnel authorized to Process Seller Personal Data are subject to confidentiality obligations or professional secrecy obligations.

Seller must ensure that its personnel, Operators, agencies, contractors, team members, and service providers with access to Seller Personal Data are subject to appropriate confidentiality obligations.

11Security Measures

Kyttx will implement and maintain reasonable administrative, technical, and organizational measures designed to protect Seller Personal Data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

Security measures may include, where appropriate:

• Access controls.
• Authentication controls.
• Authorization controls.
• Encryption in transit where appropriate.
• Encryption at rest where appropriate.
• Logging and monitoring.
• Secure hosting.
• Secure development practices.
• Vulnerability management.
• Incident response processes.
• Data backup practices.
• Internal access restrictions.
• Permission controls.
• Network security controls.
• Fraud prevention controls.
• Security reviews.
• Employee or contractor confidentiality obligations.

Kyttx may update security measures from time to time, provided the updates do not materially reduce overall protection.

No system is completely secure. Kyttx does not guarantee absolute security.

12Seller Security Responsibilities

Seller is responsible for security measures within Seller?s control, including:

• Securing Seller account credentials.
• Enabling multi-factor authentication where available.
• Managing team permissions.
• Managing Operator permissions.
• Removing access when no longer needed.
• Protecting exported data.
• Securing Seller devices.
• Securing Seller systems.
• Securing third-party tools.
• Preventing unauthorized access.
• Monitoring account activity.
• Using strong passwords.
• Avoiding credential sharing.
• Promptly notifying Kyttx of suspected incidents.

Kyttx is not responsible for security incidents caused by Seller?s failure to secure accounts, devices, personnel, Operators, or exported data.

13Subprocessors

Seller authorizes Kyttx to engage Subprocessors to Process Seller Personal Data.

Subprocessors may include providers of:

• Cloud hosting.
• Infrastructure.
• Databases.
• Storage.
• Analytics.
• Security.
• Fraud prevention.
• Identity verification.
• Payment-related services.
• Tax services.
• Support tools.
• Email delivery.
• SMS delivery.
• Notifications.
• File hosting.
• AI tools.
• Logging and monitoring.
• Error tracking.
• Product analytics.
• Other services necessary to operate Kyttx.

Kyttx will enter into agreements with Subprocessors requiring them to protect Seller Personal Data in a manner materially consistent with this DPA where required by Applicable Data Protection Laws.

14Subprocessor Changes

Kyttx may add, replace, or remove Subprocessors from time to time.

Kyttx may provide notice of Subprocessor changes through the Platform, a webpage, dashboard notice, email, or another reasonable method where required by Applicable Data Protection Laws.

Seller may object to a new Subprocessor where required by Applicable Data Protection Laws by providing written notice to Kyttx with specific reasons for the objection.

If Seller objects, Kyttx may:

• Address the objection.
• Provide an alternative where commercially reasonable.
• Restrict affected features.
• Allow Seller to stop using affected services.
• Terminate affected services.
• Determine that the objection is unreasonable and continue using the Subprocessor where legally permitted.

15International Transfers

Seller authorizes Kyttx and its Subprocessors to transfer Seller Personal Data internationally.

Seller Personal Data may be processed in countries where Kyttx, Subprocessors, Sellers, Operators, Third-Party Payment Providers, or service providers operate.

Where required by Applicable Data Protection Laws, Kyttx may use transfer mechanisms such as:

• Adequacy decisions.
• Standard contractual clauses.
• International data transfer agreements.
• Data processing agreements.
• Consent.
• Contractual necessity.
• Legitimate interests.
• Other lawful transfer mechanisms.

Seller is responsible for ensuring that its use of the Platform and transfer of Personal Data to Kyttx complies with Applicable Data Protection Laws.

16Standard Contractual Clauses

Where GDPR, UK GDPR, Swiss FADP, or similar laws require standard contractual clauses or equivalent transfer mechanisms, the parties agree that applicable standard contractual clauses or equivalent mechanisms are incorporated by reference to the extent required.

The parties agree that:

• Seller is the data exporter where Seller transfers Seller Personal Data to Kyttx.
• Kyttx is the data importer where Kyttx receives Seller Personal Data outside the relevant protected region.
• The relevant module will generally be Controller-to-Processor where Seller is Controller and Kyttx is Processor.
• The details of Processing are described in this DPA.
• Subprocessors may be used as described in this DPA.
• The governing law and supervisory authority provisions will be completed as required by applicable law.
• If there is a conflict between this DPA and mandatory standard contractual clauses, the mandatory clauses will control to the extent required.

Kyttx may provide additional transfer terms or documents where legally required.

17United States Privacy Laws

Where United States privacy laws apply and Kyttx acts as a Service Provider, Processor, or Contractor on behalf of Seller, Kyttx will Process Seller Personal Data only for permitted business purposes and as otherwise allowed by applicable law.

Kyttx will not sell Seller Personal Data or share Seller Personal Data for cross-context behavioral advertising where prohibited by applicable law, unless Seller has instructed Kyttx to do so and such instruction is lawful.

Kyttx will not retain, use, or disclose Seller Personal Data outside the business relationship except as permitted by applicable law.

Seller is responsible for providing required notices and handling consumer rights requests where Seller is the Business or Controller.

18Data Subject Requests

Seller is responsible for responding to Data Subject requests where Seller is the Controller.

Data Subject requests may include requests to:

• Access Personal Data.
• Correct Personal Data.
• Delete Personal Data.
• Restrict Processing.
• Object to Processing.
• Withdraw consent.
• Request portability.
• Opt out of certain Processing.
• Appeal decisions where applicable.

Kyttx will provide reasonable assistance to Seller in responding to Data Subject requests where required by Applicable Data Protection Laws and where technically feasible.

If Kyttx receives a request relating to Seller Personal Data, Kyttx may:

• Direct the requester to Seller.
• Notify Seller.
• Respond where Kyttx is required by law.
• Respond where Kyttx is the Controller for the relevant data.
• Take other action Kyttx determines appropriate.

Kyttx may require verification before acting on a request.

19Deletion and Return of Personal Data

Upon termination of the Services or upon Seller?s lawful instruction, Kyttx will delete or return Seller Personal Data where required by Applicable Data Protection Laws and technically feasible.

Kyttx may retain Seller Personal Data where necessary or appropriate for:

• Legal compliance.
• Tax compliance.
• Accounting.
• Payment provider requirements.
• Chargeback defense.
• Refund disputes.
• Buyer complaints.
• Fraud prevention.
• Security.
• Enforcement of agreements.
• Dispute resolution.
• Backup retention.
• Recordkeeping.
• Legitimate business purposes permitted by law.

Kyttx may delete data according to its retention schedules and technical capabilities.

20Data Incidents

Kyttx will notify Seller without undue delay after becoming aware of a data incident affecting Seller Personal Data where notification is required by Applicable Data Protection Laws.

Notification may include, where available and appropriate:

• Nature of the incident.
• Categories of affected data.
• Categories of affected Data Subjects.
• Likely consequences.
• Measures taken or proposed.
• Recommended steps for Seller.
• Contact information.

Kyttx may provide information in phases as it becomes available.

Seller is responsible for determining whether to notify Data Subjects, regulators, authorities, or others, except where Kyttx is independently required to do so by law.

Seller must promptly notify Kyttx if Seller becomes aware of a data incident affecting Seller Personal Data Processed through Kyttx.

21Data Protection Impact Assessments

Where required by Applicable Data Protection Laws and reasonably requested by Seller, Kyttx will provide reasonable assistance with data protection impact assessments, prior consultations, or similar assessments related to Kyttx?s Processing of Seller Personal Data.

Such assistance is limited to information in Kyttx?s possession and may be subject to confidentiality, security, and commercial limitations.

Kyttx may charge reasonable fees for assistance that is not included in standard support or that requires significant resources, where permitted by law.

22Audits and Compliance Information

Kyttx will make available information reasonably necessary to demonstrate compliance with this DPA where required by Applicable Data Protection Laws.

Kyttx may satisfy audit obligations by providing:

• Security documentation.
• Compliance summaries.
• Certifications, if available.
• Third-party audit reports, if available.
• Written responses.
• Platform documentation.
• Other reasonable information.

On-site audits are permitted only where required by Applicable Data Protection Laws and subject to reasonable notice, confidentiality, security controls, scope limitations, and Kyttx?s operational requirements.

Kyttx may charge reasonable fees for audits that require significant resources, where permitted by law.

Seller must not use audits to access confidential information, trade secrets, security-sensitive information, or information relating to other Users.

23Sensitive Personal Data

Seller must not submit Sensitive Personal Data to Kyttx unless:

• It is necessary for the Seller Offering.
• It is lawful.
• Seller has a valid legal basis.
• Seller has provided required notices.
• Seller has obtained required consents.
• Seller has implemented appropriate safeguards.
• Kyttx permits such Processing.
• The Processing complies with Kyttx Policies.

Sensitive Personal Data may include data relating to health, biometric information, government IDs, financial account information, precise location, racial or ethnic origin, religious beliefs, political opinions, union membership, sexual orientation, criminal history, or similar categories under Applicable Data Protection Laws.

Kyttx may restrict, delete, or prohibit Processing of Sensitive Personal Data where Kyttx determines that such Processing creates legal, privacy, security, or platform risk.

24Children?s Data

Kyttx is not intended for persons under 18.

Seller must not knowingly collect, upload, or Process Personal Data of persons under 18 through Kyttx unless expressly permitted by Kyttx in writing and legally compliant.

Kyttx may delete or restrict Personal Data relating to persons under 18 where discovered.

25Marketing Communications

Seller is responsible for ensuring that marketing communications sent through Kyttx comply with applicable privacy, anti-spam, telecommunications, marketing, and consumer protection laws.

Seller must:

• Obtain required consents.
• Maintain consent records.
• Honor opt-outs.
• Include required notices.
• Avoid deceptive sender information.
• Avoid misleading subject lines.
• Avoid unlawful automated messaging.
• Comply with unsubscribe requirements.
• Comply with Kyttx Policies.

Kyttx may restrict or suspend communication tools where Seller activity creates legal, privacy, spam, deliverability, reputational, or platform risk.

26Cookies and Tracking

Seller is responsible for complying with Applicable Data Protection Laws relating to cookies, pixels, analytics, tracking, advertising, attribution, affiliate tools, and similar technologies used for Seller Offerings.

If Kyttx allows Seller-controlled tracking, Seller must provide required notices and obtain required consents.

Seller must not install or use unauthorized scripts, pixels, cookies, trackers, or similar technologies.

Kyttx may restrict or remove tracking technologies where they create legal, privacy, security, or platform risk.

27Operators and Team Members

Seller is responsible for Operators, agencies, contractors, employees, team members, service providers, and other persons Seller authorizes to access Seller Personal Data.

Seller must ensure such persons:

• Access only necessary Personal Data.
• Use Personal Data only for authorized purposes.
• Comply with confidentiality obligations.
• Comply with Applicable Data Protection Laws.
• Comply with Kyttx Policies.
• Protect Personal Data.
• Do not misuse Buyer Data.
• Do not export Personal Data without authorization.
• Lose access when authorization ends.

Kyttx may restrict Operator or team access where Kyttx determines that access creates privacy, security, legal, compliance, or platform risk.

28Data Minimization

Seller must not collect, upload, or request more Personal Data than necessary for the lawful purpose of the Seller Offering.

Seller must avoid collecting Sensitive Personal Data unless necessary and legally permitted.

Kyttx may restrict forms, fields, uploads, or data collection practices that Kyttx determines create privacy, security, or compliance risk.

29Accuracy

Seller is responsible for ensuring that Seller Personal Data submitted to Kyttx is accurate, complete, and current where required.

Kyttx is not responsible for inaccurate Personal Data provided by Seller, Buyers, Operators, or other Users.

30Kyttx as Independent Controller

Nothing in this DPA restricts Kyttx from Processing Personal Data as an independent Controller where Kyttx has its own purposes and legal basis.

Kyttx may Process Personal Data as Controller for purposes such as:

• Account administration.
• Platform security.
• Fraud prevention.
• Payment-related records.
• Kyttx Fees.
• Compliance.
• Legal obligations.
• Support.
• Analytics.
• Product improvement.
• Enforcement.
• Corporate operations.
• Communications.
• Dispute resolution.
• Tax and accounting.

Such Processing is governed by the Kyttx Privacy Policy.

31Third-Party Payment Providers

Third-Party Payment Providers may act as independent Controllers for payment processing, KYC, identity verification, fraud prevention, financial compliance, and related activities.

Seller acknowledges that Third-Party Payment Providers may process Personal Data under their own terms and privacy policies.

Kyttx is not responsible for the independent privacy practices of Third-Party Payment Providers.

32Liability

Each party?s liability under this DPA is subject to the limitations of liability in the Kyttx Master Terms of Service and applicable agreements, except to the extent such limitation is prohibited by Applicable Data Protection Laws.

Seller is responsible for claims, losses, liabilities, damages, fines, penalties, costs, and expenses arising from Seller?s violation of this DPA, Seller?s violation of Applicable Data Protection Laws, Seller?s unlawful instructions, Seller?s misuse of Personal Data, or Seller?s failure to provide required notices or obtain required consents.

33Indemnification

Seller agrees to defend, indemnify, and hold harmless Kyttx and its owners, directors, officers, employees, contractors, agents, affiliates, licensors, service providers, and payment partners from and against claims, demands, disputes, losses, liabilities, damages, fines, penalties, costs, and expenses, including reasonable legal fees, arising out of or relating to:

• Seller?s violation of this DPA.
• Seller?s violation of Applicable Data Protection Laws.
• Seller?s unlawful Processing of Personal Data.
• Seller?s unlawful instructions to Kyttx.
• Seller?s failure to provide required privacy notices.
• Seller?s failure to obtain required consents.
• Seller?s misuse of Buyer Data.
• Seller?s marketing communications.
• Seller?s cookies or tracking technologies.
• Seller?s Operators, agencies, contractors, employees, or team members.
• Seller?s collection of Sensitive Personal Data.
• Seller?s failure to respond to Data Subject requests.
• Any claim that Kyttx is responsible for Seller?s privacy obligations.

34Modifications

Kyttx may modify this DPA from time to time.

Kyttx may provide notice by posting an updated version, updating the ?Last Updated? date, sending email notice, displaying in-app notice, updating the dashboard, or using another reasonable method.

Changes are effective when posted or when otherwise stated.

Seller?s continued use of the Platform after changes become effective constitutes acceptance of the updated DPA.

Kyttx may make immediate changes where required or appropriate due to legal requirements, privacy requirements, payment partner requirements, security issues, fraud risk, compliance issues, operational changes, corporate restructuring, or urgent platform needs.

35Term and Termination

This DPA remains in effect for as long as Kyttx Processes Seller Personal Data on behalf of Seller.

Termination or expiration of the Seller?s account or the Kyttx terms does not affect obligations that by their nature should survive, including confidentiality, deletion, retention, security, audit, liability, indemnification, dispute resolution, and legal compliance obligations.

36Dispute Resolution

Any dispute, claim, or controversy arising out of or relating to this DPA, Seller Personal Data, privacy obligations, Processing, Subprocessors, data incidents, Data Subject requests, international transfers, or related matters will be resolved according to the Kyttx Arbitration & Dispute Resolution Agreement and the dispute resolution provisions in the Kyttx Master Terms of Service.

Unless mandatory law requires otherwise:

• Governing law shall be the laws of the Dubai International Financial Centre.
• Arbitration shall be administered by the Dubai International Arbitration Centre.
• The seat of arbitration shall be the Dubai International Financial Centre, Dubai, United Arab Emirates.
• The language shall be English.
• The tribunal shall consist of one arbitrator.
• Disputes shall be confidential.
• Claims must be brought individually and not as class, collective, consolidated, representative, or group claims.
• The prevailing party may recover costs and legal fees where permitted.

Before commencing arbitration, the party raising the dispute must provide written notice and allow 30 days for informal resolution.

Kyttx may seek urgent court relief for data misuse, confidentiality breaches, security threats, illegal activity, intellectual property misuse, fraud, or other urgent harm.

37Contact

For privacy and data protection matters:

legal@kyttx.com

For support:

support@kyttx.com

Website:

https://kyttx.com