Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between GeFi Technologies Pte. Ltd. (“GeFi”, “Processor”) and the User or client (“Controller”). It sets out the rights and obligations regarding the processing of personal data under applicable data protection laws, including Singapore PDPA and other relevant regulations.

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable individual.
• “Processing” means any operation performed on Personal Data, including collection, storage, analysis, transfer, or deletion.
• “Services” refers to GeFi’s SaaS, Marketplace, Community, and blockchain-related services.
• “Sub-Processor” means any third-party engaged by GeFi to perform processing on behalf of the Controller.
• “Data Subject” means the individual whose Personal Data is being processed.

2. Roles and Responsibilities

The parties agree that:

• The Controller determines the purposes and means of processing Personal Data.
• GeFi, as Processor, processes Personal Data only on documented instructions from the Controller.
• GeFi shall not use Personal Data for its own purposes or disclose it except as permitted in this DPA or by law.

3. Categories of Personal Data & Processing Purposes

GeFi may process the following categories of Personal Data:

• Account and registration information (name, email, profile details)
• Transaction and blockchain data (addresses, transaction logs)
• Usage and analytics data (IP address, device information, navigation behavior)
• Communications (support requests, forum posts, messages)

The purposes of processing include:

• Providing and maintaining Services
• Facilitating transactions and Marketplace interactions
• Compliance, auditing, and security monitoring
• Technical support and communications
• Analytics and service improvement

4. Data Subject Rights

GeFi shall assist the Controller in fulfilling obligations to respond to requests from Data Subjects regarding their Personal Data, including:

• Access and inspection of Personal Data
• Correction or updating of Personal Data
• Deletion or anonymization of Personal Data
• Objection to processing or restriction of processing

5. Security Measures

GeFi shall implement appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of sensitive data
• Access control and authentication mechanisms
• Regular monitoring and auditing of systems
• Incident response and breach mitigation procedures

All measures are designed to maintain confidentiality, integrity, and availability of Personal Data.

6. Sub-Processors

GeFi may engage Sub-Processors to perform specific processing activities. Sub-Processors shall be bound by equivalent data protection obligations. The Controller shall be notified of any new Sub-Processors, and consent may be required where applicable.

7. Data Breach Notification

In the event of a Personal Data breach, GeFi shall notify the Controller without undue delay and provide sufficient information to enable the Controller to meet legal obligations regarding the breach.

8. International Data Transfers

If Personal Data is transferred outside Singapore, GeFi will ensure that appropriate safeguards are in place, including contractual clauses or equivalent mechanisms to maintain data protection compliance.

9. Termination & Data Deletion

Upon termination of the Services or expiration of this DPA, GeFi shall, at the Controller’s choice, delete or return all Personal Data processed on behalf of the Controller unless retention is required by law. GeFi shall certify completion of such actions upon request.

10. Governing Law & Jurisdiction

This DPA shall be governed by the laws of Singapore. Any disputes shall be resolved exclusively through arbitration in Singapore under SIAC rules.

11. Contact Information

For questions or requests regarding this DPA, please contact:

Email: legal(a)gefi.io