Data Processing Agreement

Last Updated: March 1, 2026

GDPR Compliant: This Data Processing Agreement complies with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Controller," or "you") and Legacy ("Processor," "we," or "us").

This DPA governs the processing of Personal Data (as defined below) by Legacy on behalf of Customer in connection with the provision of our secure file transfer and beneficiary management Service.

By using the Service, you agree to the terms of this DPA. If you do not agree, you must not use the Service.

2. Definitions

The following terms have the meanings set out below:

Controller:

The entity that determines the purposes and means of processing Personal Data. In this DPA, the Customer is the Controller.

Processor:

The entity that processes Personal Data on behalf of the Controller. In this DPA, Legacy is the Processor.

Personal Data:

Any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

Data Subject:

An identified or identifiable natural person whose Personal Data is processed.

Data Protection Laws:

All applicable laws relating to data protection and privacy, including the GDPR, CCPA, and other similar legislation.

Processing:

Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

Sub-processor:

A third-party processor engaged by Legacy to process Personal Data on behalf of Customer.

3. Scope and Applicability

Applicability: This DPA applies to all processing of Personal Data by Legacy on behalf of Customer in connection with the Service.

Roles: Customer acts as Controller and determines the purposes and means of processing. Legacy acts as Processor and processes Personal Data only on behalf of and according to Customer's documented instructions.

Instructions: Customer's use of the Service, including uploading files and designating beneficiaries, constitutes documented instructions to Legacy to process Personal Data.

Compliance: Both parties agree to comply with all applicable Data Protection Laws.

4. Data Processing Details

Subject Matter

Processing of Personal Data for the purpose of providing secure file storage, beneficiary management, and access control services.

Duration

Processing will occur for the duration of the Service agreement and during the data retention period specified in our Privacy Policy.

Nature and Purpose

  • Storage and management of uploaded files
  • Processing beneficiary designations and access requests
  • Sending notifications and access codes
  • Maintaining activity logs
  • Processing payments and subscriptions

Types of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Account credentials
  • Profile information
  • File content and metadata
  • Payment information
  • Usage data and activity logs
  • Device and technical information

Categories of Data Subjects

  • Account holders (file owners)
  • Designated beneficiaries
  • Authorized users

5. Processor Obligations

Legacy, as Processor, agrees to:

  • Process only on instructions: Process Personal Data only on documented instructions from Customer, unless required by law.
  • Confidentiality: Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  • Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7).
  • Sub-processors: Engage Sub-processors only with Customer's prior authorization and under a written contract imposing the same obligations as this DPA.
  • Data Subject rights: Assist Customer in responding to Data Subject requests to exercise their rights.
  • Breach notification: Notify Customer without undue delay upon becoming aware of a Personal Data breach.
  • Deletion: Delete or return Personal Data upon termination of services, unless required to retain it by law.
  • Audits: Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits.

6. Sub-processors

Authorization: Customer authorizes Legacy to engage the Sub-processors listed below. We will notify Customer of any changes to Sub-processors at least 30 days in advance.

Amazon Web Services (AWS)

Purpose: File storage and hosting infrastructure

Location: eu-north-1 (Stockholm, Sweden)

Supabase

Purpose: Authentication and database services

Location: eu-central-2 (Zurich, Switzerland)

Stripe

Purpose: Payment processing

Location: Global

SendGrid

Purpose: Email delivery service

Location: United States

Objection Right: Customer may object to the engagement of a new Sub-processor within 14 days of notification. If Customer objects, we will work with you to find a solution or allow you to terminate the Service.

7. Security Measures

Legacy implements the following technical and organizational security measures:

Encryption

  • AES-256 encryption for data at rest
  • TLS 1.2+ for data in transit
  • Encrypted database storage

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) available
  • Principle of least privilege
  • Regular access reviews

Monitoring and Logging

  • 24/7 security monitoring
  • Intrusion detection systems
  • Comprehensive activity logging
  • Regular security audits

Physical Security

  • SOC 2 compliant data centers
  • 24/7 physical security
  • Environmental controls

Incident Response

  • Documented incident response plan
  • Security incident team
  • Regular testing and updates

Personnel Security

  • Background checks for staff
  • Confidentiality agreements
  • Regular security training

8. Data Subject Rights

Legacy will assist Customer in fulfilling Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Customer is responsible for responding to Data Subject requests. We will provide reasonable assistance, including providing access to relevant Personal Data within our systems, within 10 business days of Customer's request.

9. Data Breach Notification

Notification: Legacy will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer's data.

Information Provided: The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of affected Data Subjects and records
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for more information

Cooperation: We will cooperate with Customer and regulatory authorities in investigating and resolving the breach.

10. Audit and Inspection Rights

Customer has the right to audit Legacy's compliance with this DPA, subject to the following conditions:

  • Audits may be conducted once per year unless required more frequently by law
  • Customer must provide at least 30 days' notice
  • Audits must be conducted during business hours
  • Audits must not unreasonably interfere with our operations
  • Customer may use a qualified third-party auditor

Alternative: We may provide compliance certifications (e.g., SOC 2 reports) in lieu of an on-site audit.

11. Data Deletion

Upon termination of the Service or upon Customer's request, Legacy will:

  • Delete all Personal Data within 90 days
  • Certify deletion upon request
  • Return Personal Data to Customer if requested before deletion

Exceptions: We may retain Personal Data to the extent required by applicable law or for legitimate business purposes (e.g., backups, legal holds).

12. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.

Transfer Mechanisms: For transfers from the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions (where applicable)
  • Other approved transfer mechanisms under GDPR

We ensure that all international transfers comply with applicable Data Protection Laws and provide an adequate level of protection.

13. Liability and Indemnification

Liability: Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

Customer Indemnity: Customer will indemnify Legacy against claims arising from Customer's instructions that violate Data Protection Laws or this DPA.

Legacy Indemnity: Legacy will indemnify Customer against claims arising from Legacy's breach of this DPA or Data Protection Laws.

14. Term and Termination

This DPA will remain in effect for as long as Legacy processes Personal Data on behalf of Customer.

Upon termination:

  • Legacy will cease processing Personal Data
  • Customer may request return of Personal Data
  • Legacy will delete or anonymize all Personal Data (subject to legal retention requirements)

Sections that by their nature should survive termination will survive, including confidentiality, liability, and audit rights for claims arising before termination.

Contact Us

For questions about this DPA or data protection matters, please contact:

Legacy Data Protection Officer

Email: legal@legggacy.com

Address: Available upon request. Contact: support@legggacy.com