This Data Processing Agreement ("DPA") is entered into between CFEX, Inc. ("CFEX") and the customer ("Customer") that has entered into a main agreement with CFEX (the "Main Agreement"). This DPA sets forth the terms and conditions under which CFEX processes personal data on behalf of Customer.

CFEX is committed to complying with all applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

As a Data Processor, CFEX agrees to:

• Process personal data only on documented instructions from Customer, unless required to do so by applicable law.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
• Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Take all reasonable steps to ensure the reliability of any staff who have access to personal data.
• Assist Customer in fulfilling its obligations under applicable data protection laws, including responding to requests from data subjects.

CFEX implements the following technical and organizational measures to protect personal data:

• Encryption of personal data at rest and in transit
• Access control mechanisms, including multi-factor authentication
• Regular security assessments and penetration testing
• Security monitoring and incident response procedures
• Regular employee security awareness training
• Change management and system hardening

CFEX will assist Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws, including:

• The right to access personal data
• The right to rectification of personal data
• The right to erasure of personal data
• The right to restrict processing of personal data
• The right to data portability
• The right to object to processing of personal data

In the event of a personal data breach, CFEX will:

• Notify Customer without undue delay after becoming aware of the breach
• Provide Customer with sufficient information to enable Customer to meet any obligations to report or notify affected data subjects
• Cooperate with Customer and take reasonable steps to mitigate the effects of the breach

CFEX may engage subprocessors to process personal data on behalf of Customer, provided that:

• CFEX enters into a written agreement with the subprocessor that imposes the same data protection obligations as set forth in this DPA
• CFEX remains responsible for the performance of the subprocessor's obligations
• CFEX maintains a list of subprocessors and provides access to this list upon Customer's request

This DPA shall remain in effect for the duration of the Main Agreement. Upon termination of the Main Agreement or upon Customer's request, CFEX shall:

• Return or delete all personal data processed on behalf of Customer
• Provide written confirmation that all personal data has been returned or deleted
• Continue to comply with the security obligations set forth in this DPA for any personal data that CFEX is required to retain by law

This DPA shall be governed by and construed in accordance with the laws of the State of California, United States of America, without regard to its conflict of law provisions.