1. Introduction and Parties

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Data Controller," "Customer," or "you") and ARK PLATFORMS, EUROPE LIMITED, operating as Bizly ("Data Processor," "Bizly," "we," "us," or "our") for the provision of company formation services, marketplace orders, and related services (the "Services"). This DPA governs the processing of personal data by Bizly on behalf of the Customer in connection with the Services. This DPA is designed to ensure compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018 (collectively, "Data Protection Laws"). By using our Services, you acknowledge and agree to the terms of this DPA.

2. Definitions

In this DPA, the following terms have the meanings set forth below: (a) "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Bizly on behalf of the Customer in connection with the Services; (b) "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction; (c) "Data Subject" means an identified or identifiable natural person whose Personal Data is processed; (d) "Sub-processor" means any third party engaged by Bizly to process Personal Data on behalf of the Customer; (e) "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the UK GDPR, EU GDPR, and Data Protection Act 2018; (f) "Supervisory Authority" means an independent public authority responsible for monitoring compliance with Data Protection Laws; (g) "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Scope and Nature of Processing

Bizly processes Personal Data on behalf of the Customer for the following purposes: (a) Providing company formation services, including preparing and submitting incorporation documents to government authorities; (b) Providing marketplace services, including document preparation, authentication, and delivery; (c) Verifying the identity of customers and beneficial owners for KYC/AML compliance; (d) Processing payments and managing billing; (e) Providing customer support and responding to inquiries; (f) Complying with legal and regulatory obligations; (g) Preventing fraud, money laundering, and other illegal activities; (h) Improving and optimizing our Services. The types of Personal Data processed may include: (i) Identification information (name, date of birth, nationality, passport/ID number); (ii) Contact information (email address, phone number, physical address); (iii) Financial information (payment details, bank account information); (iv) Business information (company name, business purpose, ownership structure); (v) Identity verification documents (passport copies, utility bills, proof of address); (vi) Transaction data and usage information. The duration of processing is for the term of the agreement between the Customer and Bizly, plus any retention period required by law or for legitimate business purposes.

4. Customer's Obligations as Data Controller

As the Data Controller, the Customer is responsible for: (a) Ensuring that all Personal Data provided to Bizly is collected and disclosed in compliance with Data Protection Laws; (b) Obtaining all necessary consents, authorizations, and legal bases for the collection and disclosure of Personal Data to Bizly; (c) Providing Data Subjects with all required privacy notices and information about the processing of their Personal Data; (d) Ensuring the accuracy and completeness of Personal Data provided to Bizly; (e) Responding to Data Subject requests (e.g., access, rectification, erasure) in accordance with Data Protection Laws; (f) Notifying Bizly promptly of any changes to Personal Data or any requests from Data Subjects; (g) Ensuring that the processing instructions given to Bizly comply with Data Protection Laws; (h) Conducting Data Protection Impact Assessments (DPIAs) where required; (i) Cooperating with Supervisory Authorities and complying with their decisions and orders. The Customer warrants that it has the legal right to disclose Personal Data to Bizly and to instruct Bizly to process such Personal Data in accordance with this DPA.

5. Bizly's Obligations as Data Processor

As the Data Processor, Bizly agrees to: (a) Process Personal Data only on documented instructions from the Customer, unless required to do so by law; (b) Ensure that persons authorized to process Personal Data are subject to confidentiality obligations; (c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; (d) Engage Sub-processors only with the prior authorization of the Customer and under a written contract imposing the same data protection obligations; (e) Assist the Customer in responding to Data Subject requests; (f) Assist the Customer in ensuring compliance with security, breach notification, impact assessment, and consultation obligations; (g) Delete or return all Personal Data to the Customer at the end of the provision of Services, unless retention is required by law; (h) Make available to the Customer all information necessary to demonstrate compliance with this DPA and Data Protection Laws; (i) Allow for and contribute to audits and inspections conducted by the Customer or an authorized auditor. Bizly will notify the Customer immediately if it receives a request or instruction that it believes violates Data Protection Laws.

6. Processing Instructions

Bizly will process Personal Data only in accordance with the Customer's documented instructions, which are set forth in: (a) This DPA; (b) The Terms of Service and other agreements between the Customer and Bizly; (c) The Customer's use of the Services and any configurations or settings chosen by the Customer; (d) Any other written instructions provided by the Customer from time to time. The Customer's instructions must comply with Data Protection Laws. If Bizly believes that an instruction violates Data Protection Laws, it will inform the Customer and may refuse to carry out the instruction until the Customer confirms or modifies it. Bizly is not responsible for compliance with Data Protection Laws in relation to the Customer's use of the Services or the Customer's processing instructions, except as expressly set forth in this DPA.

7. Security Measures

Bizly implements appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures include: (a) Access Controls: Restricting access to Personal Data to authorized personnel only, using role-based access controls and the principle of least privilege; (b) Encryption: Encrypting Personal Data in transit using TLS/SSL and encrypting sensitive data at rest; (c) Authentication: Requiring strong authentication for access to systems and data, including multi-factor authentication where appropriate; (d) Network Security: Implementing firewalls, intrusion detection systems, and other network security measures; (e) Physical Security: Ensuring physical security of data centers and facilities where Personal Data is stored; (f) Data Backup: Regularly backing up Personal Data to prevent loss and enable recovery; (g) Security Monitoring: Monitoring systems for security threats and vulnerabilities; (h) Incident Response: Maintaining an incident response plan to address security incidents and Data Breaches; (i) Employee Training: Providing regular security and data protection training to employees; (j) Vendor Management: Ensuring that Sub-processors and vendors implement appropriate security measures. Bizly reviews and updates its security measures regularly to address evolving threats and risks.

8. Sub-processors

The Customer authorizes Bizly to engage Sub-processors to process Personal Data on the Customer's behalf, subject to the following conditions: (a) Bizly will enter into a written contract with each Sub-processor imposing data protection obligations equivalent to those in this DPA; (b) Bizly will remain fully liable to the Customer for the performance of the Sub-processor's obligations; (c) Bizly will maintain a list of Sub-processors, which may be updated from time to time; (d) Bizly will notify the Customer of any intended changes to Sub-processors (additions or replacements) with reasonable notice; (e) The Customer may object to a new Sub-processor on reasonable data protection grounds within 30 days of notification; (f) If the Customer objects, Bizly will either not engage the Sub-processor or provide the Customer with the option to terminate the affected Services without penalty. Current Sub-processors may include: (i) Cloud hosting providers (e.g., AWS, Google Cloud, DigitalOcean); (ii) Payment processors (e.g., Stripe, PayPal); (iii) Email service providers (e.g., SendGrid, Mailgun); (iv) Customer support tools (e.g., Intercom, Zendesk); (v) Analytics providers (e.g., Google Analytics); (vi) Identity verification services; (vii) Other service providers necessary for the provision of the Services. A current list of Sub-processors is available upon request.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States and other jurisdictions where our Sub-processors operate. When Personal Data is transferred to countries that do not provide an adequate level of data protection as determined by the European Commission or the UK government, Bizly will ensure that appropriate safeguards are in place, including: (a) Standard Contractual Clauses (SCCs): Entering into Standard Contractual Clauses approved by the European Commission or the UK government with Sub-processors in third countries; (b) Adequacy Decisions: Relying on adequacy decisions where the destination country has been deemed to provide adequate protection; (c) Binding Corporate Rules: Relying on Binding Corporate Rules where applicable; (d) Supplementary Measures: Implementing supplementary technical and organizational measures to ensure the protection of Personal Data; (e) Transfer Impact Assessments: Conducting transfer impact assessments to evaluate the risks of international transfers and the effectiveness of safeguards. Bizly will provide copies of the relevant safeguards upon request and will cooperate with the Customer in assessing the risks of international transfers.

10. Data Subject Rights

Data Subjects have certain rights under Data Protection Laws, including the right to access, rectify, erase, restrict processing, object to processing, and data portability. Bizly will assist the Customer in fulfilling its obligations to respond to Data Subject requests by: (a) Providing the Customer with access to Personal Data in Bizly's possession; (b) Implementing technical measures to enable the Customer to respond to requests (e.g., data export functionality); (c) Rectifying or erasing Personal Data upon the Customer's instruction; (d) Restricting processing of Personal Data upon the Customer's instruction; (e) Providing Personal Data in a structured, commonly used, and machine-readable format for data portability requests; (f) Notifying the Customer promptly if Bizly receives a Data Subject request directly. The Customer is responsible for responding to Data Subject requests and for determining whether to comply with such requests. Bizly will charge a reasonable fee for assistance with Data Subject requests that require significant time or resources, unless such assistance is required under Data Protection Laws.

11. Data Breach Notification

In the event of a Data Breach, Bizly will: (a) Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the Data Breach; (b) Provide the Customer with sufficient information to enable the Customer to comply with its own breach notification obligations under Data Protection Laws; (c) Provide information about the nature of the Data Breach, the categories and approximate number of Data Subjects and Personal Data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach; (d) Cooperate with the Customer in investigating the Data Breach and mitigating its effects; (e) Take reasonable steps to remediate the Data Breach and prevent future breaches; (f) Document the Data Breach and the response measures taken. The Customer is responsible for determining whether to notify Supervisory Authorities and Data Subjects of the Data Breach in accordance with Data Protection Laws. Bizly will provide reasonable assistance to the Customer in making this determination and in preparing any required notifications.

12. Data Protection Impact Assessments and Consultations

If the Customer is required to conduct a Data Protection Impact Assessment (DPIA) or to consult with a Supervisory Authority regarding high-risk processing activities, Bizly will provide reasonable assistance, including: (a) Providing information about the processing activities, security measures, and risks associated with the processing; (b) Cooperating with the Customer in conducting the DPIA; (c) Providing information necessary for consultations with Supervisory Authorities; (d) Implementing additional measures or safeguards recommended by the DPIA or required by Supervisory Authorities. The Customer is responsible for determining whether a DPIA is required and for conducting the DPIA. Bizly may charge a reasonable fee for assistance with DPIAs that require significant time or resources.

13. Audits and Inspections

The Customer has the right to audit Bizly's compliance with this DPA and Data Protection Laws, subject to the following conditions: (a) The Customer must provide Bizly with at least 30 days' prior written notice of any audit or inspection; (b) Audits must be conducted during normal business hours and in a manner that does not unreasonably interfere with Bizly's operations; (c) The Customer may conduct audits directly or through an independent third-party auditor; (d) The auditor must be bound by confidentiality obligations; (e) Audits may not occur more than once per year, unless required by a Supervisory Authority or in response to a Data Breach; (f) Bizly may charge a reasonable fee to cover the costs of facilitating the audit; (g) Bizly may provide the Customer with audit reports, certifications, or other documentation (e.g., SOC 2 reports, ISO 27001 certifications) in lieu of an on-site audit, if such documentation is sufficient to demonstrate compliance. Bizly will cooperate with the Customer and provide access to relevant information, systems, and personnel as necessary for the audit.

14. Return and Deletion of Personal Data

Upon termination or expiration of the agreement between the Customer and Bizly, or upon the Customer's written request, Bizly will: (a) Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format; or (b) Securely delete or destroy all Personal Data in Bizly's possession or control; or (c) A combination of return and deletion as instructed by the Customer. The Customer must make its election within 30 days of termination or expiration. If the Customer does not provide instructions, Bizly will delete all Personal Data. Bizly may retain Personal Data to the extent required by applicable law or for legitimate business purposes (e.g., compliance with legal obligations, resolution of disputes, enforcement of agreements), and such retained Personal Data will continue to be subject to this DPA. Bizly will certify in writing that it has complied with the Customer's instructions regarding return or deletion of Personal Data.

15. Confidentiality

Bizly will ensure that all personnel who have access to Personal Data are subject to confidentiality obligations, either through contractual agreements or statutory obligations. Bizly will take appropriate measures to ensure that personnel understand their confidentiality obligations and the importance of protecting Personal Data. Bizly will not disclose Personal Data to third parties except: (a) As necessary to provide the Services; (b) To Sub-processors in accordance with this DPA; (c) As required by law or by a court order, regulatory authority, or law enforcement agency; (d) With the Customer's prior written consent. If Bizly is required to disclose Personal Data by law, it will notify the Customer in advance (unless prohibited by law) and will disclose only the minimum amount of Personal Data necessary to comply with the legal requirement.

16. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Bizly will indemnify and hold harmless the Customer from and against any claims, damages, losses, or expenses (including reasonable legal fees) arising from Bizly's breach of this DPA or Data Protection Laws, except to the extent caused by the Customer's instructions or the Customer's breach of its obligations. The Customer will indemnify and hold harmless Bizly from and against any claims, damages, losses, or expenses arising from the Customer's breach of this DPA or Data Protection Laws, including the Customer's failure to obtain necessary consents or to provide required privacy notices to Data Subjects.

17. Term and Termination

This DPA will remain in effect for as long as Bizly processes Personal Data on behalf of the Customer. Upon termination of the agreement between the Customer and Bizly, this DPA will remain in effect until all Personal Data has been returned or deleted in accordance with Section 14. The provisions of this DPA that by their nature should survive termination (including confidentiality, liability, and indemnification provisions) will survive termination.

18. Amendments

Bizly may amend this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or business practices. Bizly will notify the Customer of any material changes to this DPA by posting the updated DPA on the website or by email. The Customer's continued use of the Services after the effective date of the amended DPA constitutes acceptance of the changes. If the Customer does not agree to the changes, the Customer may terminate the agreement in accordance with the Terms of Service.

19. Governing Law and Jurisdiction

This DPA is governed by the laws of England and Wales. Any disputes arising out of or relating to this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales, except as required by Data Protection Laws (e.g., Data Subjects may have the right to bring proceedings in the courts of their country of residence).

20. Contact Information

For questions or concerns about this DPA or data processing practices, please contact:

ARK PLATFORMS, EUROPE LIMITED
Attention: Data Protection Officer
OFFICE 12, INITIAL BUSINESS CENTRE
WILSON BUSINESS PARK
MANCHESTER, M40 8WN
United Kingdom

Email: info@arkplatforms.co.uk
Phone: +44 7308 506068