Data Processing Agreement (DPA)

Last updated: 28 August 2025
Effective date: 28 August 2025

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Hazelbit SRL, Str. Fântânilor 43, Bl. B14, Ap. B39, Iași, Romania, CUI 50078499, J22/1676/2024 (the "Processor")
and
The contracting entity that purchases Services from Hazelbit and determines the purposes of processing (the "Controller")
Together, the Parties.

2. Purpose

The Processor agrees to process personal data on behalf of the Controller in connection with the Services described in the Master Agreement / Terms of Service. The Parties agree to comply with Art. 28 GDPR and other applicable data protection laws.

3. Subject matter and duration

Subject matter: Processing of personal data necessary to deliver Hazelbit Services (certificates, NFTs, hosted wallets, communications).
Duration: This DPA applies as long as the Controller uses Hazelbit Services. Upon termination, Processor will delete or return personal data (see §11).

4. Nature and purpose of processing

The Processor will process personal data solely for:

• Provision of Hazelbit certificates and NFT Services.

• Customer account creation, authentication, wallet access.

• Transaction processing and blockchain notarization.

• Communication and customer support.

• Security, anti-fraud and compliance (incl. AML/KYC if required).

No other processing is permitted unless documented by the Controller.

5. Categories of data subjects

• Customers (individuals purchasing trees/NFTs).

• Employees or representatives of corporate customers.

• Website and app users.

6. Categories of personal data

Identity and contact details (name, email, phone, address).
Payment details (billing address, transaction IDs; card/bank data processed by third-party PSPs).
Blockchain identifiers (wallet addresses, transaction hashes).
KYC/AML data (identity document, tax number, residence country, if required).
Usage data (IP, device, cookies, activity logs).

Note: Special categories of data (sensitive data) are not expected to be processed.

7. Processor obligations

The Processor shall:

• Process personal data only on documented instructions from the Controller.

• Ensure confidentiality by binding staff with data protection obligations.

• Implement appropriate technical and organizational security measures.

• Assist the Controller with data subject requests (access, deletion, portability).

• Assist the Controller with DPIAs and consultations with authorities if required.

• Notify the Controller of any personal data breach without undue delay.

• Maintain records of processing activities.

• Make available information to demonstrate compliance.

8. Controller obligations

The Controller shall:

• Ensure that the processing instructions comply with applicable law.

• Provide lawful basis for processing under GDPR (Art. 6).

• Inform and obtain valid consents from data subjects where necessary.

• Not instruct the Processor to process special categories of data unless explicitly agreed.

9. Sub-processors

The Processor may engage sub-processors for hosting, storage, payments, analytics, blockchain and related services. Current sub-processors include:

Amazon Web Services: Hosting, EU region
Cloudflare: CDN, security
Stripe / PayPal: Payments
Commercio.network Spa: Blockchain notarization
Hubspot / Mailchimp: Email CRM

The Processor will notify the Controller of any intended changes to sub-processors and give the Controller the right to object.

10. International transfers

Where data is transferred outside the EEA, Processor will ensure safeguards:

• Adequacy decision (e.g., UK, Switzerland).

• Standard Contractual Clauses (SCCs).

• Supplementary technical measures (encryption, access controls).

11. Deletion or return of data

Upon termination of the Services, the Processor shall, at Controller's choice:

• Return all personal data, or

• Delete personal data, except where retention is required by law.

Important: Blockchain data (transaction IDs, wallet addresses) may remain permanently recorded on chain and cannot be erased; this limitation will be disclosed to data subjects.

12. Audit rights

The Controller may audit Processor's compliance once per year, with reasonable notice and during business hours. The Processor may provide certifications or third-party audit reports (e.g., ISO, SOC 2) in lieu of onsite audit.

13. Liability

Each Party remains responsible for its own compliance under GDPR. Liability follows the terms of the Master Agreement.

14. Governing law and jurisdiction

This DPA is governed by Romanian law and applicable EU data protection law.

Disputes shall be subject to the competent courts of Iași, Romania, unless mandatory consumer/jurisdiction law applies.

15. Contact

Hazelbit SRL

Str. Fântânilor 43, Bl. B14, Ap. B39, Iași, Romania

Email: info@hazelbit.ro