This Data Processing Addendum ("DPA") forms part of the Terms of Service between e-Business Group Ltd, trading as e-Business ERP ("e-Business", "Processor", "we"), and the customer ("Customer", "Controller", "you"). It applies where e-Business processes personal data on your behalf in connection with your use of the e-Business ERP platform (the "Service").
1. Scope and roles
For the personal data contained in Customer Data, you are the controller and e-Business is the processor. Where you are yourself processing on behalf of a third party, you act as that party's processor and e-Business acts as a sub-processor. This DPA applies to processing carried out by e-Business under the Terms.
2. Definitions
"Personal data", "processing", "controller", "processor" and "data subject" have the meanings given under applicable data-protection law. "Customer Data" means the data you and your users submit to the Service. "Sub-processor" means a third party engaged by e-Business to process personal data on your behalf.
3. Processing instructions
e-Business will process personal data only on your documented instructions, including as set out in the Terms, this DPA and your configuration and use of the Service, unless required to do otherwise by law (in which case we will inform you where legally permitted). The subject matter, duration, nature, purpose, data types and categories of data subjects are described in Annex A.
4. Confidentiality
e-Business ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and access personal data only on a need-to-know basis to provide and support the Service.
5. Security measures
e-Business implements and maintains appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. A summary of these measures is set out in Annex B. We may update measures over time provided the overall level of protection is not reduced.
6. Sub-processors
You authorise e-Business to engage the sub-processors listed in Annex C to support the Service. e-Business imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance. If we intend to add or replace a sub-processor, we will update Annex C and, where required, give you a reasonable opportunity to object on reasonable data-protection grounds.
7. Assisting the Controller
Taking into account the nature of the processing, e-Business will provide reasonable assistance to help you: (a) respond to requests from data subjects exercising their rights; (b) ensure the security of processing; (c) notify and communicate personal data breaches; and (d) carry out data-protection impact assessments and prior consultations where applicable.
8. Personal data breaches
e-Business will notify you without undue delay after becoming aware of a personal data breach affecting your Customer Data, and will provide information reasonably available to help you meet any notification obligations you may have.
9. International transfers
e-Business and its sub-processors may process personal data in countries other than your own. Where personal data is transferred across borders, e-Business will ensure an appropriate transfer mechanism or safeguard is in place to the extent required by applicable law.
10. Return and deletion
On termination or expiry of the Service, e-Business will, at your choice and within a reasonable period, return and/or delete the personal data in Customer Data, except to the extent retention is required by law or for routine backup cycles that are overwritten in the ordinary course. While your account is active you may export your data at any time through the Service.
11. Audits
e-Business will make available, on reasonable written request and no more than once per year (unless required by a regulator or following a breach), information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality obligations and without compromising the security or privacy of other customers.
12. Liability and governing law
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA is governed by the laws of the Republic of Fiji, consistent with the Terms.
Annex A — Details of processing
- Subject matter: provision of the e-Business ERP platform to the Customer.
- Duration: for the term of the Customer's subscription, plus any retention/archive period described in the Privacy Policy.
- Nature and purpose: hosting, storage, processing and transmission of Customer Data to operate the business-management features the Customer uses, and to provide support.
- Types of personal data: as determined by the Customer, which may include names, contact details, addresses, employment and payroll details, customer and supplier records, and transactional and financial information.
- Categories of data subjects: the Customer's own staff, customers, suppliers and other contacts whose information the Customer chooses to store in the Service.
Annex B — Technical and organisational security measures
- Encryption of data in transit using TLS;
- Storage of each customer's data in dedicated, logically separated databases;
- Role-based access controls and the principle of least privilege;
- Secure, one-way hashing of account passwords;
- Bearer-token authentication for application access;
- Network and edge protection, including DDoS mitigation and a web application firewall via Cloudflare;
- Bot and abuse protection on signup using reCAPTCHA;
- Regular, automated backups with periodic rotation;
- Logging and monitoring of administrative and operator actions; and
- Confidentiality obligations on personnel with access to personal data.
Annex C — Approved sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe | Payment processing and subscription billing | USA / Ireland / Australia |
| Brevo | Transactional and service email delivery | European Union |
| Cloudflare | DNS, CDN, SSL and security protection | Global |
| Google reCAPTCHA | Bot and abuse protection on signup forms | USA |
| Cloud hosting provider | Hosting of the platform and databases | USA (migrating to Australia) |
To request the current sub-processor list or to raise a question about this DPA, contact [email protected].