Data Processing Agreement (DPA)

1. Parties & Purpose

This DPA forms part of the Terms of Service and applies where Friendium processes personal data as a data processor or service provider on behalf of another party (“Controller”). Nexa-Group acts as the operating entity responsible for platform infrastructure, governance, and compliance.

2. Definitions

• Applicable Law: GDPR, UK GDPR, CCPA/CPRA, and equivalent privacy laws.
• Personal Data: Any information relating to an identified or identifiable individual.
• Processing: Any operation performed on personal data.
• Controller: Entity determining purposes and means of processing.
• Processor: Entity processing data on behalf of a controller.

3. Scope of Processing

Friendium processes personal data strictly for purposes necessary to operate, secure, moderate, and support the Friendium platform, including:

• Account creation, authentication, and management.
• Content hosting, display, and moderation.
• Security, fraud prevention, and abuse detection.
• Analytics and platform improvement.
• Customer support and dispute resolution.

4. Categories of Data Subjects

• Registered users and visitors.
• Creators, influencers, and business accounts.
• Advertisers and partners.
• Customer support correspondents.

5. Categories of Personal Data

• Identifiers (name, username, email, IP address).
• Account credentials and authentication data.
• User-generated content and interactions.
• Transaction and billing metadata (if applicable).
• Technical logs and device information.

6. Processor Obligations

Friendium commits to:

• Process personal data only on documented instructions from the Controller.
• Ensure confidentiality of all authorized personnel.
• Implement appropriate technical and organizational security measures.
• Assist Controllers in responding to data subject requests.
• Notify Controllers of personal data breaches without undue delay.

7. Security Measures

Friendium maintains enterprise-grade security controls, including:

• Encryption in transit and at rest.
• Access control, logging, and monitoring.
• Incident detection and response procedures.
• Regular security assessments and audits.

8. Subprocessors

Friendium may engage subprocessors for infrastructure, analytics, moderation tooling, or support services. All subprocessors are bound by written agreements imposing equivalent data protection obligations.

9. International Data Transfers

Where personal data is transferred outside the EEA or UK, Friendium relies on lawful transfer mechanisms, including:

• Standard Contractual Clauses (SCCs).
• Adequacy decisions.
• Supplementary technical and organizational safeguards.

10. Data Subject Rights Assistance

Friendium assists Controllers in fulfilling requests for access, rectification, erasure, restriction, portability, and objection.

11. Data Retention & Deletion

Personal data is retained only as long as necessary for the purposes outlined in this DPA or as required by law. Upon termination of services, data will be deleted or returned unless retention is legally required.

12. Audits & Compliance

Friendium makes relevant compliance information available and may permit audits by Controllers or independent auditors under reasonable conditions.

13. Liability & Indemnification

Each party remains responsible for compliance with its respective obligations under applicable data protection laws.

14. Governing Law

This DPA is governed by the laws applicable to the Nexa-Group operating entity, without prejudice to mandatory data protection regulations.

15. Contact Information

Data Protection Officer: dpo@friendium.com
Privacy Office: privacy@friendium.com
Legal: legal@friendium.com