Data Processing Agreement

Last Updated: January 1, 2024

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Settler Inc. ("Settler") and the Customer. This DPA applies to the processing of Personal Data by Settler on behalf of the Customer.

1. Definitions

"Controller" means the entity which determines the purposes and means of the processing of Personal Data.
"Processor" means the entity which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.

2. Processing of Personal Data

Settler shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.

3. Confidentiality

Settler ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security of Processing

Settler takes all measures required pursuant to Article 32 of the GDPR (Security of processing), including encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

5. Sub-processors

Customer grants Settler a general authorization to engage sub-processors. A current list of sub-processors is available at settler.dev/legal/subprocessors. Settler shall inform the Customer of any intended changes concerning the addition or replacement of other sub-processors.

6. International Data Transfers

For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to countries that do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws, Settler relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• The EU-U.S. Data Privacy Framework (where applicable).

7. Data Subject Rights

Settler shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights.

8. Deletion or Return of Personal Data

At the choice of the Customer, Settler shall delete or return all the Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.