MatchMyBiz Data Processing Addendum (DPA)
Effective Date: February 22, 2026
Version: 1.0
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“MSA”) or other agreement between MatchMyBiz (“Processor”) and the enterprise customer (“Controller”). This DPA applies where Processor processes Personal Data on behalf of Controller under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and similar regulations.
1. Roles of the Parties
Controller determines the purposes and means of processing Personal Data.
Processor processes Personal Data solely on documented instructions from Controller, except where required by law.
Where applicable, the parties acknowledge that each may act as an independent controller for certain data processing activities.
2. Categories of Data and Data Subjects
Categories of Personal Data may include business contact information (names, emails, job titles), account credentials, uploaded documents, trade communications, and any personal data included in user-generated content.
Categories of Data Subjects may include Customer employees, representatives, buyers, suppliers, contractors, and business counterparties.
Sensitive personal data is not intended to be processed; however, if included in user-uploaded content, such data is processed under Controller’s responsibility.
3. Nature and Purpose of Processing
Processor shall process Personal Data solely for the purpose of providing the MatchMyBiz platform services, including hosting, matching, communication, analytics, fraud prevention, and security.
Processing includes collection, storage, retrieval, consultation, use, transmission, and deletion.
4. Confidentiality
Processor shall ensure that persons authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training.
5. Security Measures
Processor shall implement appropriate technical and organizational measures designed to protect Personal Data, including encryption in transit, access controls, logging, monitoring, and secure hosting environments.
Processor shall regularly review and update security practices in light of evolving risks.
6. Subprocessors
Controller authorizes Processor to engage subprocessors to support service delivery (e.g., hosting, infrastructure, analytics, payment processors).
Processor shall ensure subprocessors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.
Processor shall provide a list of subprocessors upon request and notify Controller of material changes where required by law.
7. International Data Transfers
Where Personal Data is transferred outside the European Economic Area or UK, Processor shall implement appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent lawful transfer mechanisms.
8. Assistance with Data Subject Rights
Processor shall, taking into account the nature of processing, assist Controller in responding to requests from data subjects exercising their rights under applicable law.
Processor shall promptly notify Controller if it receives a data subject request directly.
9. Personal Data Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller data.
Notification shall include available information regarding the nature of the breach, likely consequences, and measures taken or proposed.
10. Audit and Compliance
Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
Audits shall be limited to reasonable frequency, scope, and confidentiality protections, and may be satisfied through third-party certifications where available.
11. Deletion or Return of Data
Upon termination of services, Processor shall delete or return Personal Data at Controller’s choice, unless retention is required by law.
Backup copies may be retained in accordance with standard retention cycles and securely deleted thereafter.
12. Liability
Liability arising under this DPA shall be subject to the limitations of liability set forth in the MSA, except as otherwise required by applicable law.
13. Governing Law
This DPA shall be governed by the governing law specified in the MSA, except where EU data protection law mandates otherwise.