LOVE NOT FEAR

Data Processing Agreement

Between LoveNotFear, LLC, the Processor and You, the Customer & Controller

This Agreement is dated from the day of your sign-up with our services.


Parties

1. LoveNotFear, LLC, incorporated and registered in the State of Delaware, USA, whose registered office is at 1603 Capitol Ave Ste 413A No 2932 Cheyenne, WY 82001 (Processor)

2. You and/or your company/companies (Controller)

1. Agreed Terms

In this Agreement the following terms shall have the following meanings:

1.1 "Agreed Purpose" means the performance of each party's obligations under the Services Agreement.

1.2 "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purpose of this Agreement, the Controller is the Customer.

1.3 "Data Protection Laws" means all applicable data protection and privacy legislation in force from time to time including the General Data Protection Regulation ((EU) 2016/679) (GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC), the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) and the California Consumer Privacy Act (CCPA), and all other applicable laws and regulations relating to the processing of personal data and privacy.

1.4 "Data Subject" means the identified or identifiable natural person to whom the personal data relates.

1.5 "Personal Data" means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.7 "Processing, processes and process" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.8 "Processor" means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For the purpose of this Agreement, the Processor is LoveNotFear, LLC.

1.9 "Services Agreement" means the agreement(s) between the Controller and the Processor for the Processor to provide services to the Controller, as described in our Terms of Service.

1.10 "Sub-Processor" means any third party appointed by the Processor to process personal data on behalf of the Controller in connection with this Agreement.

1.11 "Supervisory Authority" means an independent public authority which is established by a member state pursuant to the GDPR, or any equivalent regulatory authority responsible for data protection matters.

2. Scope of Processing

2.1 The Processor and its employees shall process Personal Data only to the extent, and in such a manner, as is necessary for the Agreed Purpose in accordance with the Controller's written instructions, and shall not process Personal Data for any other purpose.

2.2 The Controller is responsible for ensuring that the processing of Personal Data under this Agreement is lawful, fair and transparent.

2.3 The Processor shall promptly comply with any request from the Controller requiring the Processor to amend, transfer, delete or otherwise process Personal Data, or to stop, mitigate or remedy any unauthorized processing.

2.4 The Controller is responsible for ensuring it has all necessary consents and lawful bases in place to enable lawful transfer of Personal Data to the Processor for the duration and purposes of this Agreement.

2.5 The Processor shall maintain the confidentiality of all Personal Data processed on behalf of the Controller and shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.6 The Processor shall not transfer Personal Data outside of the European Economic Area (EEA) or the United States without the prior written consent of the Controller, unless required to do so by law. Where such a transfer takes place, the Processor shall ensure that there are appropriate safeguards in place, including Standard Contractual Clauses or other mechanisms approved by the relevant Supervisory Authority.

2.7 The Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities.

2.8 The Processor shall notify the Controller without undue delay upon becoming aware of any Personal Data Breach affecting the Controller's data.

2.9 The Processor shall, at the written direction of the Controller, delete or return Personal Data and copies thereof to the Controller on termination of this Agreement unless required by applicable law to store the Personal Data. Specifically:

2.9.1 The Processor shall delete all Personal Data processed on behalf of the Controller within 30 days of termination of the Services Agreement, unless otherwise agreed in writing.

2.9.2 The Controller may request a copy of all Personal Data held by the Processor prior to deletion.

2.9.3 The Processor shall provide the Controller with written certification of deletion upon request.

2.9.4 Any Personal Data that the Processor is required by law to retain shall be isolated from further processing and shall be protected in accordance with this Agreement.

2.9.5 The obligations set out in this clause shall survive termination of this Agreement.

2.10 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Agreement and allow for audits by the Controller or the Controller's designated auditor. Specifically:

2.10.1 The Controller or its designated auditor may conduct audits of the Processor's data processing activities upon reasonable notice, and the Processor shall cooperate fully with any such audit.

2.10.2 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and Data Protection Laws.

2.11 The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws. This includes, but is not limited to:

2.11.1 The right of access (the right to obtain confirmation as to whether or not Personal Data is being processed, and where that is the case, access to the Personal Data).

2.11.2 The right to rectification (the right to obtain rectification of inaccurate Personal Data).

2.11.3 The right to erasure (the right to obtain the erasure of Personal Data where there is no compelling reason for its continued processing).

2.11.4 The right to data portability (the right to receive Personal Data in a structured, commonly used and machine-readable format).

2.12 The Processor shall designate a data protection officer or a person responsible for data protection compliance where required by Data Protection Laws or where appropriate given the nature and scale of the processing activities.

3. Security Measures

3.1 The Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3.2 The Processor shall implement the security measures described in Schedule 2 to this Agreement.

3.3 The Processor shall regularly test, assess and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of processing.

3.4 The Controller acknowledges that security measures are subject to technical progress and development and that the Processor may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Personal Data being processed.

4. Notification of Any Breach

4.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

4.2 Such notification shall, at a minimum, include the following information:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • The name and contact details of the Processor's data protection officer or other contact point where more information can be obtained
  • A description of the likely consequences of the Personal Data Breach
  • A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects

4.3 The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

5. Sub-Processing

5.1 The Processor shall not appoint (or disclose any Personal Data to) a Sub-Processor unless required or authorized by the Controller. Where the Processor is authorized to use a Sub-Processor, the Processor shall:

  • Enter into a written agreement with the Sub-Processor which imposes obligations on the Sub-Processor that are no less onerous than those imposed on the Processor under this Agreement
  • Ensure that the Sub-Processor complies with all applicable Data Protection Laws
  • Remain fully liable to the Controller for the acts and omissions of any Sub-Processor
  • Inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes

5.2 The Processor shall maintain an up-to-date list of Sub-Processors and shall make this list available to the Controller upon request.

6. Warranties and Indemnities

6.1 The Processor warrants and represents that:

  • It shall process Personal Data in compliance with all applicable Data Protection Laws
  • It has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • It has no reason to believe that the legislation applicable to it prevents it from fulfilling the obligations under this Agreement
  • It shall promptly inform the Controller if, in its opinion, an instruction from the Controller infringes Data Protection Laws

6.2 The Processor shall indemnify the Controller against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation, and all interest, penalties and legal and other professional costs and expenses) incurred by the Controller arising out of the Processor's breach of this Agreement or any Data Protection Laws.

6.3 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES, REGARDLESS OF WHETHER SUCH DAMAGES ARE BASED ON CONTRACT, TORT, STRICT LIABILITY OR ANY OTHER THEORY, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY UNDER THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES PAID BY THE CONTROLLER TO THE PROCESSOR UNDER THE SERVICES AGREEMENT IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. NOTHING IN THIS CLAUSE SHALL LIMIT LIABILITY FOR BREACHES OF DATA PROTECTION LAWS, FRAUD, OR WILLFUL MISCONDUCT.

7. Confidentiality

7.1 The Processor shall treat all Personal Data as confidential information and shall ensure that any employees, agents, or Sub-Processors who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.

7.2 The Processor shall not disclose Personal Data to any third party without the prior written consent of the Controller, except where disclosure is required by applicable law, in which case the Processor shall, to the extent permitted by law, notify the Controller of such requirement before making the disclosure.

8. Term and Termination

8.1 This Agreement shall come into force on the date of your sign-up with our services and shall continue in force until the termination of the Services Agreement, or until terminated by either party in accordance with this clause.

8.2 Either party may terminate this Agreement at any time by giving 30 days' written notice to the other party. Termination of this Agreement shall not affect the obligations of the parties under clause 2.9 (deletion or return of Personal Data) or clause 7 (confidentiality), which shall survive termination.

8.3 Upon termination of this Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete all existing copies unless applicable law requires storage of the Personal Data.

9. General

9.1 This Agreement constitutes the entire agreement between the parties in relation to the processing of Personal Data and supersedes all previous agreements, arrangements and understandings between the parties in respect of that subject matter. This Agreement is supplemental to and does not replace the Terms of Service.

9.2 This Agreement shall be governed by and construed in accordance with the laws of the State of Wyoming, United States of America. Any disputes arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of the State of Wyoming.

9.3 If any provision of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions of this Agreement, which shall remain in full force and effect.

Schedule 1 — Services, Processing, Personal Data, and Data Subjects

1. Services

The Processor provides organizational development and personal development coaching services, event organizing services, workshops, digital tools, and related services as described in the Terms of Service.

2. Processing Activities and Personal Data

The Processor processes the following categories of Personal Data on behalf of the Controller:

  • Name, email address, telephone number, and other contact details
  • Job title, company name, and professional information
  • Communication records (emails, messages, meeting notes)
  • Usage data related to digital tools and services (assessment results, tool interactions)
  • Payment and billing information (processed via third-party payment processors)
  • Any other Personal Data provided by the Controller or Data Subjects in connection with the services

Processing activities include: collection, storage, organization, retrieval, use, disclosure by transmission, and erasure of Personal Data as necessary for the provision of services under the Services Agreement.

3. Data Subjects

The Data Subjects whose Personal Data may be processed under this Agreement include:

  • The Controller's employees, contractors, and agents
  • The Controller's customers, clients, and prospects
  • Participants in workshops, coaching sessions, and events organized by the Processor on behalf of the Controller
  • Users of digital tools and services provided by the Processor
  • Any other individuals whose Personal Data is provided by the Controller to the Processor in connection with the services

Schedule 2 — Security Measures

The Processor shall implement and maintain the following technical and organizational security measures for the protection of Personal Data:

  • Access Control: Access to Personal Data is restricted to authorized personnel only, using role-based access controls and unique user credentials. Multi-factor authentication is used where available.
  • Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher. Personal Data at rest is encrypted using industry-standard encryption algorithms.
  • Network Security: Firewalls, intrusion detection/prevention systems, and regular vulnerability scanning are employed to protect systems that process Personal Data.
  • Data Backup: Regular backups of Personal Data are performed and stored securely. Backup data is subject to the same security measures as primary data.
  • Incident Response: A documented incident response plan is maintained and regularly tested to ensure prompt detection, investigation, and resolution of Personal Data Breaches.
  • Employee Training: All employees with access to Personal Data receive regular training on data protection and information security.
  • Physical Security: Physical access to facilities where Personal Data is processed or stored is restricted to authorized personnel through appropriate physical security measures.
  • Vendor Management: Sub-Processors and third-party service providers are subject to due diligence and are required to maintain security measures consistent with this Agreement.
  • Data Minimization: Personal Data is collected and processed only to the extent necessary for the Agreed Purpose. Personal Data that is no longer needed is securely deleted.
  • Regular Review: Security measures are reviewed and updated at least annually, or more frequently as required by changes in the threat landscape or applicable Data Protection Laws.