Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller", "Customer") and Webvana Inc. ("Processor", "BitEasy", "we", "us") for the provision of the BitEasy platform.

By using BitEasy, you agree to this DPA. If you have a separate written agreement with us that conflicts with this DPA, the separate agreement controls.

This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable data protection laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by BitEasy on your behalf.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transfer, and deletion.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Subprocessor" means a third party engaged by BitEasy to process Personal Data on your behalf.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including GDPR, UK GDPR, PIPEDA, and any other relevant legislation.

2. Scope and Roles

You are the Controller — you determine the purposes and means of processing Personal Data through the BitEasy platform.

BitEasy is the Processor — we process Personal Data only on your documented instructions and solely to provide the BitEasy service.

3. Details of Processing

Detail Description
Subject matter Provision of the BitEasy referral tracking, attribution, and payout platform
Duration For the duration of the service agreement between you and BitEasy
Nature and purpose Referral link management, install attribution, revenue share calculation, payout processing via Stripe Connect
Categories of Data Subjects Your partners, affiliates, and collaborators who participate in your referral programs
Types of Personal Data Name, email address, Stripe account identifiers, payout amounts, referral activity data, IP addresses, device/browser metadata

4. Controller Obligations

You are responsible for:

  • ensuring you have a lawful basis to provide Personal Data to BitEasy,
  • providing any required notices to Data Subjects about the processing,
  • obtaining any required consents from Data Subjects,
  • ensuring your instructions to us comply with Data Protection Laws.

5. Processor Obligations

BitEasy shall:

  • process Personal Data only on your documented instructions, unless required by law (in which case we will notify you, unless prohibited),
  • ensure that persons authorized to process Personal Data are bound by confidentiality obligations,
  • implement appropriate technical and organizational security measures (described in Section 8),
  • assist you in responding to Data Subject requests (described in Section 7),
  • assist you with data protection impact assessments and prior consultations with supervisory authorities, where required,
  • delete or return all Personal Data upon termination of the service, at your choice, unless retention is required by law,
  • make available to you all information reasonably necessary to demonstrate compliance with this DPA.

6. Subprocessors

BitEasy uses third-party Subprocessors to deliver the service. A current list of Subprocessors is maintained at our Subprocessors page, available on this website.

Authorization

You provide general written authorization for BitEasy to engage Subprocessors. We will:

  • notify you of any new Subprocessors or changes to existing Subprocessors by updating our Subprocessors page,
  • give you a reasonable opportunity (at least 14 days) to object to a new Subprocessor before the change takes effect.

Objection

If you object to a new Subprocessor on reasonable data protection grounds, we will make commercially reasonable efforts to provide an alternative or workaround. If no resolution is possible, either party may terminate the affected portion of the service.

Subprocessor Liability

BitEasy remains liable for the acts and omissions of its Subprocessors to the same extent as if we performed the processing directly.

7. Data Subject Rights

If we receive a request from a Data Subject to exercise their rights under Data Protection Laws (access, rectification, erasure, portability, restriction, or objection), we will:

  • promptly notify you of the request,
  • assist you in fulfilling the request through appropriate technical and organizational measures,
  • not respond to the Data Subject directly unless instructed by you or required by law.

8. Security Measures

BitEasy implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit — all data transmitted over HTTPS/TLS
  • Access controls — role-based access, principle of least privilege
  • Infrastructure security — hosting on Cloudflare Workers with built-in DDoS protection, edge isolation, and no persistent server access
  • Secret management — API keys and credentials stored in encrypted, access-controlled secret storage; never logged or stored in plaintext
  • Data minimization — we collect and retain only what is necessary to provide the service
  • Vendor security — Subprocessors are selected based on their security posture and compliance certifications (Stripe is PCI DSS Level 1; Cloudflare maintains SOC 2, ISO 27001)

9. Data Breach Notification

In the event of a Personal Data breach, BitEasy will:

  • notify you without undue delay and in any event within 72 hours of becoming aware of the breach,
  • provide you with sufficient information to meet your own breach notification obligations, including:
    • the nature of the breach,
    • the categories and approximate number of Data Subjects affected,
    • the likely consequences,
    • the measures taken or proposed to mitigate the breach,
  • cooperate with you and take reasonable steps to assist in the investigation and mitigation of the breach.

Notification of a breach is not an admission of fault or liability.

10. International Data Transfers

BitEasy is operated by Webvana Inc., based in Alberta, Canada. The European Commission recognizes Canada as providing an adequate level of data protection under GDPR Article 45.

Where Personal Data is transferred to Subprocessors located in countries without an adequacy decision (including the United States), BitEasy ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, or
  • other legally recognized transfer mechanisms under applicable Data Protection Laws.

Our Subprocessors page lists the location of each Subprocessor.

11. Audits

You may audit our compliance with this DPA by:

  • requesting that we provide written responses to reasonable compliance questions,
  • reviewing our security documentation and certifications,
  • where the above measures are insufficient, conducting or commissioning an audit (at your expense, with reasonable advance notice, during business hours, and subject to confidentiality obligations).

BitEasy will cooperate with reasonable audit requests. Audits shall not unreasonably interfere with our business operations.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA does not create any additional or independent liability beyond what is established in the Terms of Service.

13. Term and Termination

This DPA takes effect when you begin using the BitEasy platform and remains in effect for the duration of your use of the service.

Upon termination:

  • BitEasy will delete or return all Personal Data within 30 days, at your choice, unless retention is required by law.
  • Obligations under this DPA that by their nature should survive termination (including confidentiality, data breach notification, and cooperation) shall survive.

14. Contact

For questions about this DPA or to exercise rights under it:

Webvana Inc. legal@biteasy.co