FlintN

Data Processing Addendum (DPA)

Effective Date: Oct 29, 2025

Purpose and Scope

This Data Processing Addendum ("DPA") forms part of the commercial agreement (the "Agreement") between Flintn TM, acting as Merchant of Record (MOR) ("we", "us", or "our") and the Merchant ("you" or "your"). The purpose of this DPA is to define the roles, responsibilities, and data-protection obligations of both parties with respect to the collection, processing, and sharing of personal data in connection with transactions processed through our platform.

Definitions

For the purposes of this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent data-protection laws.

"Processing", "Controller", and "Processor" have the meanings set out in Article 4 of the GDPR.

"Data Subject" means the individual whose Personal Data is being processed.

"Applicable Data Protection Laws" means all relevant privacy and data-protection legislation, including the GDPR, UK GDPR, and CCPA, where applicable.

Roles of the Parties

1. The Merchant of Record (MOR) acts as an independent Data Controller with respect to the Personal Data it collects from Buyers for the purpose of processing payments, managing billing, handling refunds, and complying with tax and financial regulations.

2. The Merchant acts as either:

   an independent Data Controller, where it separately determines the purposes and means of processing Buyer data (for example, providing digital access or account services); or

   a Data Processor, where it processes data on behalf of the MOR or under its documented instructions.

3. Each party is independently responsible for complying with its respective obligations under Applicable Data Protection Laws.

Subject Matter and Duration of Processing

This DPA applies to any Personal Data processed under or in connection with the Agreement for as long as the Merchant uses the MOR platform and services.

Once the commercial relationship ends, the obligations relating to confidentiality, data retention, and deletion shall remain in effect for as long as either party holds Personal Data obtained during the partnership.

Nature and Purpose of Processing

Personal Data is processed only for purposes that are directly related to the provision of services under the Agreement. This includes processing necessary to complete payment transactions and prevent fraud, verify customer identity, and manage billing activities.

We also process Personal Data to calculate and remit applicable taxes, comply with regulatory requirements, and ensure the lawful delivery of digital goods or services to Buyers. In addition, Personal Data may be used to facilitate customer communication, provide technical or billing support, and conduct ongoing Merchant management, compliance, and risk monitoring.

The categories of Personal Data processed under this DPA may include Buyer contact details, billing and payment information, transaction records, and technical or device identifiers that are used for the purposes of security monitoring and fraud detection.

Data Protection Obligations

Each party undertakes to process Personal Data in a lawful, fair, and transparent manner, in accordance with applicable data-protection laws. Both parties must implement appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the Personal Data they process.

Processing shall be limited strictly to what is necessary for the purposes defined in this DPA, and no additional or incompatible processing shall take place. Each party must maintain accurate and up-to-date written records of its processing activities, as required under Article 30 of the GDPR and equivalent provisions of other applicable privacy laws.

All employees, contractors, or other individuals who have access to Personal Data must be subject to enforceable confidentiality obligations and may process such data only under the instructions and supervision of the relevant party.

Sub-Processors

If either party engages sub-processors to carry out services that involve the processing of Personal Data, that party must ensure that appropriate data-protection standards are maintained at all times. Each party may only use sub-processors that can provide documented assurances of compliance with applicable data-protection laws and that have implemented adequate technical and organizational measures to safeguard Personal Data.

Before granting a sub-processor access to any Personal Data, the engaging party must enter into a written agreement with that sub-processor imposing data-protection obligations that are at least equivalent to those set out in this DPA. The engaging party remains fully responsible for the actions and omissions of any sub-processors it appoints.

Upon reasonable request, each party will provide the other with an up-to-date list of all authorized sub-processors involved in the processing of Personal Data under this DPA.

International Data Transfers

If Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or another jurisdiction with adequate data protection, the transferring party must ensure that such transfers are conducted in compliance with Chapter V of the GDPR.

This may include the use of Standard Contractual Clauses (SCCs) or another lawful transfer mechanism recognized by the European Commission.

Data Subject Rights

Each party is responsible for responding to Data Subject requests it receives under Applicable Data Protection Laws.

Where a request relates to processing activities under the other party’s control, the receiving party must promptly forward the request to the appropriate Controller to ensure timely compliance.

Security Measures

Both parties shall maintain appropriate administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or alteration.

Such measures include access control, encryption, network security, and regular system audits.

Data Breach Notification

Each party shall notify the other without undue delay after becoming aware of a Personal Data Breach that is likely to affect the other party.

The notification shall include relevant details, including the nature of the breach, affected data categories, and measures taken to mitigate the impact.

Data Retention and Deletion

Personal Data shall be retained only as long as necessary to fulfill the purposes described in this DPA or as required by law.

Upon termination of the Agreement, each party must securely delete or anonymize Personal Data unless retention is required for legal, tax, or regulatory purposes.

Audit Rights

Upon reasonable notice, each party has the right to request evidence demonstrating the other’s compliance with this DPA.

Any audit shall be conducted in a manner that minimizes disruption and protects confidentiality and security obligations.

Liability and Indemnity

Each party is responsible for any loss or damage arising from its own failure to comply with Applicable Data Protection Laws or this DPA.

Neither party shall be liable for indirect or consequential losses arising out of lawful data processing conducted in accordance with this Addendum.

Term and Termination

This DPA remains in force for the duration of the Agreement.

Termination of the Agreement automatically terminates this DPA, except for provisions that must survive for compliance or legal purposes (e.g., data deletion, confidentiality).

Governing Law

This DPA is governed by and construed in accordance with the laws of Cyprus, unless otherwise agreed in writing between the parties.

Contact Information

For the Merchant of Record: Flintn TM

Email: compliance@flintn.com

Address: Nicosia, Cyprus