This Data Processing Agreement ("DPA") forms part of the agreement between the entity identified as the customer in the applicable service agreement ("Controller" or "you") and Zelfium Inc. (ゼルフィウム株式会社), a company incorporated in Tokyo, Japan ("Processor," "Zelfium," "we," or "us"), governing the processing of Personal Data by Zelfium on behalf of the Controller in connection with Zelfium's services, including SymbolMAG personality assessment, Affinia (relationship compatibility), and Libra (career pathing) (collectively, the "Services").
This DPA is designed to comply with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 ("SCCs"), Japan's Act on the Protection of Personal Information ("APPI"), and the California Consumer Privacy Act as amended ("CCPA").
This DPA should be read together with our Privacy Policy, Terms of Service, and Acceptable Use Policy.
Effective date: March 31, 2026
1. Definitions
In this DPA, capitalized terms not defined herein have the meanings given to them in the Agreement. The following terms have the meanings set out below:
- "Agreement" means the underlying service agreement between Controller and Zelfium for the provision of the Services.
- "APPI" means Japan's Act on the Protection of Personal Information (個人情報の保護に関する法律), as amended from time to time.
- "Assessment Data" means all data generated through the administration of Zelfium's personality assessments, including the 77 Likert-scale responses, response times for each item, and the resulting personality scores across 8 scales, 16 subscales, and 41 components.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data and that has entered into the Agreement with Zelfium.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "Personal Data" means any information relating to a Data Subject that is processed by Zelfium on behalf of the Controller in connection with the Services.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Profile Data" means the computed personality profile derived from Assessment Data, including scale scores, subscale scores, component scores, and any AI-generated narrative interpretations.
- "Processor" means Zelfium Inc., which processes Personal Data on behalf of the Controller.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined in GDPR Article 9. For the purposes of this DPA, personality assessment data that may reveal psychological characteristics is treated as Special Category Data.
- "Sub-processor" means any third party engaged by Zelfium to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to GDPR Article 51, or the Personal Information Protection Commission (PPC) of Japan under the APPI.
2. Scope of Processing
This DPA applies to all Personal Data processed by Zelfium on behalf of the Controller in connection with the Services. The details of the processing are described in Annex I.
2.1 Processing Activities
Zelfium processes Personal Data for the following purposes:
- Administration of personality assessments (SymbolMAG)
- Generation of personality profiles and scores
- AI-powered personality insights and narrative interpretations
- Relationship compatibility analysis (Affinia)
- Career pathing and professional development analysis (Libra)
- Secure storage and retrieval of assessment results
- Technical support and service maintenance
2.2 Categories of Data Subjects
- End Users who create accounts on the Zelfium platform
- Assessment Takers who complete personality assessments
- API consumers who access Services programmatically on behalf of their own end users
2.3 Types of Personal Data
- Name and email address
- Assessment responses (77 Likert-scale items)
- Response times for each assessment item
- Personality profile scores (8 scales, 16 subscales, 41 components)
- IP address and device information
- Account authentication data
2.4 Special Category Data
The Services involve the processing of personality assessment data that may constitute Special Category Data under GDPR Article 9, insofar as such data may reveal psychological characteristics of Data Subjects. Zelfium applies enhanced safeguards to such data as described in Annex II, including pseudonymization, strict access controls, and encryption at rest.
2.5 Purpose Limitation
Zelfium shall process Personal Data solely for the purpose of providing the Services as described in the Agreement and this DPA. Zelfium shall not process Personal Data for any other purpose, including for its own commercial benefit, unless expressly instructed by the Controller in writing.
3. Controller Obligations
The Controller warrants and undertakes that:
3.1 Lawful Basis
The Controller has established and shall maintain a valid lawful basis for the processing of Personal Data under GDPR Article 6, and, where Special Category Data is processed, an additional lawful basis under GDPR Article 9(2). In particular, the Controller shall obtain explicit consent from Data Subjects under Article 9(2)(a) for the processing of personality assessment data that may reveal psychological characteristics.
3.2 Data Protection Impact Assessment
Where the processing is likely to result in a high risk to the rights and freedoms of Data Subjects, the Controller shall carry out a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35. This is particularly relevant where Libra is used in employment or recruitment contexts, as automated profiling in such contexts may trigger the DPIA requirement. Zelfium shall provide reasonable assistance to the Controller in conducting the DPIA upon request.
3.3 Transparency
The Controller shall provide Data Subjects with all information required under GDPR Articles 13 and 14, including information about the processing of their Personal Data by Zelfium as Processor, the categories of data processed, and the involvement of AI-powered analysis in generating personality insights.
3.4 Data Subject Rights
The Controller is responsible for responding to Data Subject rights requests and shall coordinate with Zelfium as necessary to fulfill such requests in accordance with Section 7 of this DPA.
3.5 Instructions
The Controller shall ensure that its processing instructions to Zelfium comply with applicable data protection laws. The Controller acknowledges that Zelfium is not required to assess the lawfulness of the Controller's instructions, but shall inform the Controller if, in Zelfium's opinion, an instruction infringes applicable data protection law.
4. Processor Obligations
Zelfium, as Processor, undertakes the following obligations in accordance with GDPR Article 28(3):
4.1 Processing on Instructions
Zelfium shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Zelfium shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
4.2 Confidentiality
Zelfium shall ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require such access for the performance of the Services.
4.3 Security
Zelfium shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures described in Annex II. Given that the Services involve Special Category Data (personality assessment data), Zelfium applies enhanced security measures proportionate to the sensitivity of such data.
4.4 Data Subject Rights Assistance
Taking into account the nature of the processing, Zelfium shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to Data Subject rights requests, as further described in Section 7.
4.5 Breach Notification Assistance
Zelfium shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available to Zelfium, as further described in Section 8.
4.6 Deletion and Return
At the choice of the Controller, Zelfium shall delete or return all Personal Data to the Controller after the end of the provision of Services, and shall delete existing copies unless applicable law requires storage, as further described in Section 11.
4.7 Audit and Demonstration of Compliance
Zelfium shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as further described in Section 10.
4.8 Notification of Infringing Instructions
Zelfium shall immediately inform the Controller if, in Zelfium's opinion, an instruction from the Controller infringes the GDPR, the APPI, or other applicable data protection provisions.
4.9 CCPA Compliance
To the extent that the CCPA applies, Zelfium acts as a "service provider" within the meaning of the CCPA. Zelfium shall not sell or share Personal Data, shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, and shall not combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA.
5. Sub-processors
5.1 Authorized Sub-processors
The Controller grants Zelfium general authorization to engage Sub-processors for the processing of Personal Data. The current list of Sub-processors is set out in Annex III and includes:
- Supabase Inc. (San Francisco, USA) — Database hosting and authentication services. Safeguards: SOC 2 Type II, encryption at rest and in transit, SCCs Module 3 (Processor to Sub-processor).
- Stripe Inc. (San Francisco, USA) — Payment processing. Safeguards: PCI DSS Level 1, SOC 2 Type II, SCCs, Stripe DPA.
- OpenAI LLC (San Francisco, USA) — AI inference for personality insight generation (GPT-4o). Safeguards: zero-retention API (no training on customer data), SOC 2 Type II, SCCs, OpenAI DPA.
- Vercel Inc. (San Francisco, USA) — Frontend hosting and edge functions. Safeguards: SOC 2 Type II, edge encryption, SCCs, Vercel DPA.
5.2 New Sub-processors
Zelfium shall notify the Controller at least 30 days prior to engaging any new Sub-processor, providing the name, location, and intended processing activities of the proposed Sub-processor. Notification shall be provided via email to the Controller's designated contact or through updates to the Sub-processor list published at https://app.zelfium.ai/dpa.
5.3 Objection Right
The Controller may object to the engagement of a new Sub-processor by providing written notice to Zelfium within 14 days of receiving notification. The objection must state reasonable grounds related to data protection. If the Controller objects, Zelfium shall use commercially reasonable efforts to make available an alternative Sub-processor or modify the Services to avoid the use of the objected Sub-processor. If no alternative is reasonably available, either party may terminate the affected portion of the Services.
5.4 Sub-processor Obligations
Zelfium shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. In particular, each Sub-processor shall provide sufficient guarantees to implement appropriate technical and organizational measures such that the processing meets the requirements of the GDPR.
5.5 Liability
Zelfium shall remain fully liable to the Controller for the performance of each Sub-processor's obligations. Where a Sub-processor fails to fulfill its data protection obligations, Zelfium shall remain liable to the Controller for the Sub-processor's acts and omissions as if they were Zelfium's own.
6. Security Measures
Zelfium implements and maintains the following technical and organizational measures in accordance with GDPR Article 32, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of Data Subjects. A detailed description is provided in Annex II.
6.1 Encryption
- In transit: All data transmitted between clients, servers, and Sub-processors is encrypted using TLS 1.3. Connections using older, deprecated protocols are rejected.
- At rest: All Personal Data stored in databases and backup systems is encrypted using AES-256 encryption.
6.2 Access Control
- Role-based access control (RBAC) ensuring least-privilege access
- Multi-factor authentication (MFA) mandatory for all administrative access
- Individual user accounts with unique credentials (no shared accounts)
- Automatic session expiration and re-authentication requirements
- Access revocation upon personnel departure or role change
6.3 Monitoring and Logging
- Comprehensive audit logging of all access to Personal Data
- Real-time security monitoring and anomaly detection
- Log retention for a minimum of 12 months
- Regular review of access logs by security personnel
6.4 Vulnerability Management
- Regular penetration testing by qualified third parties
- Automated vulnerability scanning of infrastructure and applications
- Timely patching of security vulnerabilities according to severity
- Dependency auditing for third-party libraries and packages
6.5 Incident Response
- Documented incident response plan with designated response team
- Defined escalation procedures and communication protocols
- Post-incident review and lessons-learned process
6.6 Business Continuity
- Automated daily backups with geographic redundancy
- Disaster recovery plan with defined recovery time objectives
- Regular testing of backup restoration procedures
6.7 Personnel Security
- Background checks for personnel with access to Personal Data
- Confidentiality agreements for all employees and contractors
- Regular security awareness training
- Immediate access revocation upon termination of employment
7. Data Subject Rights Assistance
7.1 Scope of Assistance
Zelfium shall assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under the GDPR, including:
- Right of access (Article 15) — Zelfium shall provide the Controller with a copy of the Data Subject's Personal Data held by Zelfium in a structured, commonly used, and machine-readable format.
- Right to rectification (Article 16) — Zelfium shall correct inaccurate Personal Data upon the Controller's instruction.
- Right to erasure (Article 17) — Zelfium shall delete the Data Subject's Personal Data upon the Controller's instruction, subject to any applicable legal retention requirements.
- Right to restriction of processing (Article 18) — Zelfium shall restrict the processing of the Data Subject's Personal Data upon the Controller's instruction.
- Right to data portability (Article 20) — Zelfium shall provide the Data Subject's Personal Data in a structured, commonly used, and machine-readable format (JSON or CSV).
- Right to object (Article 21) — Zelfium shall cease processing the Data Subject's Personal Data upon the Controller's instruction.
- Rights related to automated decision-making (Article 22) — Zelfium shall provide meaningful information about the logic involved in any automated processing, including AI-powered personality analysis, and shall facilitate human intervention upon the Controller's request.
7.2 Response Timeline
Zelfium shall respond to the Controller's requests for assistance with Data Subject rights within 5 business days of receiving the request. Where the request requires complex technical measures, Zelfium shall notify the Controller within 5 business days and provide an estimated completion timeline.
7.3 Direct Requests
If Zelfium receives a request directly from a Data Subject, Zelfium shall promptly forward the request to the Controller unless otherwise instructed by the Controller. Zelfium shall not respond to the Data Subject directly unless authorized by the Controller to do so.
8. Breach Notification
8.1 Notification Obligation
Zelfium shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data breach. Notification shall be sent to the Controller's designated contact by email and, where possible, by telephone.
8.2 Notification Content
The notification shall include, to the extent reasonably ascertainable:
- A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of the Zelfium data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken by Zelfium to address the breach, including measures to mitigate its possible adverse effects
8.3 Controller Responsibilities
The Controller is responsible for notifying the competent Supervisory Authority within 72 hours of becoming aware of a breach (GDPR Article 33) and for notifying affected Data Subjects where required (GDPR Article 34). Zelfium shall provide all information and cooperation reasonably necessary to assist the Controller in meeting these obligations.
8.4 Cooperation
Zelfium shall cooperate fully with the Controller in investigating, remediating, and mitigating the effects of any Personal Data breach. Zelfium shall preserve all relevant evidence and logs related to the breach.
8.5 Documentation
Zelfium shall document all Personal Data breaches, regardless of whether they meet the threshold for notification to the Supervisory Authority. Documentation shall include the facts relating to the breach, its effects, and the remedial actions taken, and shall be made available to the Controller upon request.
9. International Transfers
9.1 Transfer Locations
As of the effective date of this DPA, all Sub-processors are located in the United States of America. A Japan-US adequacy decision under GDPR Article 45 has not been adopted as of the effective date; accordingly, transfers are governed by the safeguards described in this Section.
9.2 Standard Contractual Clauses
Transfers of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to the United States are governed by the EU Standard Contractual Clauses (2021/914), Module 2 (Controller to Processor), incorporated by reference into this DPA. The details of the SCCs are set out in Annex IV.
9.3 Supplementary Measures
In accordance with the European Data Protection Board (EDPB) Recommendations 01/2020 on supplementary measures, Zelfium implements the following additional safeguards:
- Technical measures: End-to-end encryption (TLS 1.3 in transit, AES-256 at rest), pseudonymization of assessment data (linked by UUID rather than direct identifiers), strict access controls limiting data access to authorized personnel only.
- Organizational measures: Written data handling policies, regular staff training on data protection, vendor due diligence assessments, access logging and monitoring, appointment of a data protection officer.
- Contractual measures: Data processing agreements with all Sub-processors, audit rights, notification obligations for government access requests, prohibition on voluntary disclosure to government authorities absent legal compulsion.
9.4 APPI Cross-Border Transfer
In compliance with APPI Article 28, the Controller is informed that Personal Data may be transferred to the United States for processing by Zelfium's Sub-processors. The applicable safeguards include SCCs, Sub-processor DPAs, encryption, and the technical and organizational measures described in Annex II. Zelfium shall provide the Controller with information regarding the personal information protection system in the destination country upon request.
9.5 Transfer Impact Assessment
Zelfium has conducted a Transfer Impact Assessment (TIA) evaluating the laws and practices of the United States as they relate to the transferred Personal Data. The TIA is available to the Controller upon written request to contact@zelfium.com.
9.6 Changes in Law
If changes in applicable law render the international transfer of Personal Data unlawful or impracticable under the mechanisms described in this Section, the parties shall cooperate in good faith to identify and implement an alternative lawful transfer mechanism. If no alternative mechanism is available within a reasonable period, either party may terminate the affected processing activities, and Zelfium shall return or delete the affected Personal Data in accordance with Section 11.
10. Audit Rights
10.1 Right to Audit
The Controller, or a qualified independent auditor appointed by the Controller, may audit Zelfium's compliance with this DPA. The Controller shall provide at least 30 days' written notice prior to conducting an audit.
10.2 Scope and Conditions
Audits shall be conducted during normal business hours (Japan Standard Time), shall not unreasonably interfere with Zelfium's operations, and shall be limited to no more than one audit per calendar year, unless an audit reveals material non-compliance or is required by a Supervisory Authority.
10.3 Alternative Assurance
Zelfium may satisfy an audit request by providing the Controller with a current SOC 2 Type II report (or equivalent independent third-party certification) covering the systems and processes relevant to the processing of Personal Data. If the report does not adequately address the Controller's concerns, the Controller retains the right to conduct an on-site audit.
10.4 Costs
The Controller shall bear the costs of any audit it initiates, unless the audit reveals material non-compliance by Zelfium with this DPA, in which case Zelfium shall bear the reasonable costs of the audit.
10.5 Supervisory Authority Audits
Zelfium shall cooperate with any audit or inspection conducted by a competent Supervisory Authority and shall provide all information and access reasonably required for such purposes.
11. Return and Deletion of Personal Data
11.1 Return of Data
Upon termination or expiry of the Agreement, the Controller may request the return of all Personal Data in a structured, commonly used, and machine-readable format (JSON or CSV). Such a request must be made within 30 days of termination. Zelfium shall fulfill the request within 30 days of receiving it.
11.2 Deletion
After the 30-day return period described in Section 11.1, or upon the Controller's written instruction (whichever is earlier), Zelfium shall delete all Personal Data in its possession, including all copies in active systems. Zelfium shall provide written certification of deletion upon the Controller's request.
11.3 Backup Data
Personal Data retained in backup systems shall be deleted within 90 days of the deletion of the corresponding data from active systems, in accordance with Zelfium's backup rotation cycle. During this period, Zelfium shall continue to protect the backed-up data in accordance with this DPA and shall not actively process it.
11.4 Legal Retention
Where applicable law requires Zelfium to retain certain Personal Data beyond the deletion timeline specified above, Zelfium shall (a) notify the Controller of the legal requirement and the specific data affected, (b) retain only the minimum data necessary to comply with the legal obligation, and (c) continue to protect such data in accordance with this DPA until deletion.
12. Liability
12.1 Limitation of Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement, except as provided in this Section.
12.2 Data Subject and Supervisory Authority Rights
Nothing in this DPA shall limit any Data Subject's rights under the GDPR or other applicable data protection law, or any Supervisory Authority's powers under such law.
12.3 Indemnification
Each party shall indemnify the other party against any fines, damages, costs, or expenses (including reasonable legal fees) arising from the indemnifying party's breach of its obligations under this DPA or applicable data protection law, provided that the indemnified party has not contributed to the breach through its own acts or omissions.
12.4 Joint and Several Liability
Where both the Controller and Zelfium are involved in the same processing that has caused damage to a Data Subject, each party shall be held liable for the entire damage in accordance with GDPR Article 82(4), in order to ensure effective compensation of the Data Subject. The party that has paid full compensation shall be entitled to claim back from the other party the portion of the compensation corresponding to the other party's part of the responsibility for the damage (GDPR Article 82(5)).
12.5 Governing Law
This DPA shall be governed by and construed in accordance with the laws of Japan, without regard to its conflict of laws principles. For processing subject to the GDPR, the provisions of the GDPR shall apply to the extent they cannot be derogated from by agreement between the parties. Disputes arising under this DPA shall be submitted to the exclusive jurisdiction of the courts of Tokyo, Japan, except where GDPR Article 79 grants Data Subjects the right to bring proceedings before the courts of the Member State where they have their habitual residence.
Annex I: Description of Processing
| Element | Description |
|---|---|
| Controller | The entity that has entered into the Agreement with Zelfium for the provision of the Services. |
| Processor | Zelfium Inc. (ゼルフィウム株式会社), 1-22-11 Ginza, Chuo-ku, Tokyo, Japan. Contact: contact@zelfium.com |
| Data Subjects | End Users who create accounts on the Zelfium platform; Assessment Takers who complete personality assessments; API consumers who access Services programmatically on behalf of their own end users. |
| Categories of Personal Data | Name, email address, assessment responses (77 Likert-scale items), response times per item, personality profile scores (8 scales, 16 subscales, 41 components), IP address, device information, authentication data. |
| Special Categories of Data | Personality assessment data potentially constituting data revealing psychological characteristics under GDPR Article 9. |
| Processing Operations | Collection, storage, structuring, analysis, profiling, AI inference (personality insight generation), retrieval, erasure, and destruction. |
| Duration of Processing | For the term of the Agreement plus 30 days to allow for data return, after which all Personal Data shall be deleted. |
| Frequency of Processing | Continuous during the term of the Agreement, as triggered by Data Subject interactions with the Services. |
Annex II: Technical and Organizational Measures (TOMs)
The following measures are implemented by Zelfium to protect Personal Data in accordance with GDPR Article 32:
1. Access Control
- Role-based access control (RBAC) with least-privilege principle
- Multi-factor authentication (MFA) for all administrative and production access
- Single sign-on (SSO) integration where applicable
- Automatic account lockout after repeated failed authentication attempts
- Quarterly access reviews to verify appropriateness of granted permissions
- Immediate access revocation upon personnel departure or role change
2. Encryption
- TLS 1.3 for all data in transit; deprecated protocols (TLS 1.0, 1.1, SSL) are rejected
- AES-256 encryption for all data at rest, including database storage and backups
- Encryption key management with regular key rotation
- Certificate management with automated renewal
3. Pseudonymization
- Assessment data is linked to Data Subjects by UUID, not by directly identifying information
- Internal processing uses pseudonymized identifiers wherever technically feasible
- Re-identification requires access to a separately secured mapping table
4. Data Integrity
- Input validation on all data entry points (Zod schema validation)
- Database integrity constraints and referential integrity enforcement
- Immutable audit logs that cannot be modified or deleted
- Checksums for data integrity verification during transfer and storage
5. Availability and Resilience
- Multi-region cloud hosting with automatic failover
- Automated daily backups with geographic redundancy
- Disaster recovery plan with defined recovery point objective (RPO) and recovery time objective (RTO)
- Regular testing of backup restoration procedures
- DDoS protection and traffic management
6. Monitoring and Logging
- Real-time security monitoring with automated alerting
- Anomaly detection for unusual access patterns or data exfiltration attempts
- Centralized log aggregation with minimum 12-month retention
- Regular log review by security personnel
7. Vendor Management
- Due diligence assessment of all Sub-processors before engagement
- Contractual data protection obligations in all Sub-processor agreements
- Regular review of Sub-processor compliance and security posture
- Requirement for Sub-processors to maintain SOC 2 or equivalent certification
8. Employee Measures
- Background checks for personnel with access to Personal Data
- Non-disclosure agreements (NDAs) for all employees and contractors
- Regular data protection and security awareness training
- Clear desk and clear screen policies
- Immediate access revocation and device retrieval upon departure
9. Physical Security
- All infrastructure hosted in cloud data centers (Supabase, Vercel) with SOC 2 certified physical security
- No Personal Data stored on local devices or removable media
- Sub-processor facilities comply with ISO 27001 physical security requirements
10. Incident Response
- Documented incident response procedure with defined roles and responsibilities
- Designated incident response team with 24/7 availability for critical incidents
- Defined escalation procedures and communication protocols
- Post-incident review process with root cause analysis and corrective actions
- Regular tabletop exercises to test incident response readiness
Annex III: Sub-processor List
The following Sub-processors are authorized to process Personal Data on behalf of the Controller as of the effective date of this DPA:
| Sub-processor | Location | Purpose | Safeguards | DPA / SCC |
|---|---|---|---|---|
| Supabase Inc. | San Francisco, USA | Database hosting, authentication | SOC 2 Type II, AES-256 encryption at rest, TLS 1.3 in transit | SCCs Module 3 (Processor to Sub-processor), Supabase DPA |
| Stripe Inc. | San Francisco, USA | Payment processing | PCI DSS Level 1, SOC 2 Type II, tokenized card storage | SCCs, Stripe DPA |
| OpenAI LLC | San Francisco, USA | AI inference (GPT-4o) for personality insight generation | Zero-retention API (no training on customer data), SOC 2 Type II | SCCs, OpenAI DPA |
| Vercel Inc. | San Francisco, USA | Frontend hosting, edge functions | SOC 2 Type II, edge encryption, DDoS protection | SCCs, Vercel DPA |
This list is updated as Sub-processors are added or removed. The Controller will be notified at least 30 days in advance of any changes in accordance with Section 5.2 of this DPA.
Annex IV: Standard Contractual Clauses Reference
Applicable SCCs
The parties incorporate by reference the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
Module
Module 2 (Controller to Processor) applies to transfers of Personal Data from the Controller (data exporter) to Zelfium (data importer) for processing on behalf of the Controller.
Clause-Specific Elections
| Clause | Election |
|---|---|
| Clause 7 (Docking clause) | Included. Additional Controllers may accede to the SCCs. |
| Clause 9(a) (Sub-processor authorization) | Option 2 (General written authorization). Zelfium shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance. |
| Clause 11 (Redress) | Optional language not included. Data Subjects may lodge complaints directly with the competent Supervisory Authority. |
| Clause 13(a) (Competent Supervisory Authority) | The Supervisory Authority of the EU Member State in which the Controller (data exporter) is established, or, where the Controller is not established in the EU, the Supervisory Authority of the EU Member State where the Controller's EU representative is established or, in the absence thereof, the Supervisory Authority designated by the Controller. |
| Clause 17 (Governing law) | Option 1. The SCCs shall be governed by the law of the EU Member State in which the Controller (data exporter) is established, provided such law allows for third-party beneficiary rights. |
| Clause 18(b) (Forum selection) | Disputes arising from the SCCs shall be resolved before the courts of the EU Member State in which the Controller (data exporter) is established. |
Annexes to the SCCs
The information required for Annexes I.A (List of parties), I.B (Description of transfer), I.C (Competent supervisory authority), and II (Technical and organisational measures) of the SCCs is provided in Annex I and Annex II of this DPA.
UK International Data Transfer Addendum
For transfers of Personal Data subject to the UK GDPR, the parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) issued by the UK Information Commissioner under S.119A(1) of the Data Protection Act 2018 applies to the SCCs as specified in this Annex.
Swiss Data Protection
For transfers of Personal Data subject to the Swiss Federal Act on Data Protection (FADP), the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including that references to the GDPR are understood as references to the FADP.
Contact
Questions or requests related to this Data Processing Agreement should be directed to:
Zelfium Inc.
1-22-11 Ginza, Chuo-ku, Tokyo, Japan
Email: contact@zelfium.com