Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the Reseller ("Controller") and Guest Networks Inc., trading as MyWiFi Networks, with registered offices at 100 King Street West, Toronto, Ontario, M5X 1C7, Canada ("Processor").

This DPA forms part of and is incorporated into the MyWiFi Networks Terms of Service. In the event of any conflict between this DPA and the Terms of Service on matters relating to data processing, this DPA shall prevail.

This DPA applies to all processing of personal data carried out by the Processor on behalf of the Controller in connection with the MyWiFi Networks platform, including guest captive portal data, guest profile data, analytics data, and any other personal data submitted to the platform.

"Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Supervisory Authority", and "Data Breach" have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or, where applicable, equivalent national data protection legislation.

"Guest Data" means personal data collected from end-venue guests through captive portals deployed by the Controller using the MyWiFi Networks platform, including but not limited to email addresses, phone numbers, device identifiers, connection timestamps, and behavioral data.

"Sub-processor" means any third party engaged by MyWiFi Networks to process personal data on behalf of the Controller in connection with the Service.

Subject matter: Provision of the MyWiFi Networks white-label guest WiFi management platform, including captive portal services, guest data collection, marketing automation, analytics reporting, and related technical services. Duration: For the duration of the Controller's active subscription to the Service, and for 30 days thereafter to permit data export, unless longer retention is required by applicable law. Nature of processing: Collection, storage, retrieval, organization, structuring, disclosure, and deletion of personal data as required to provide the Service. Purpose: Enabling the Controller to capture guest WiFi authentication, build guest profiles, run marketing campaigns, analyze foot traffic and dwell patterns, and manage captive portal deployments.

Types of personal data processed: Email addresses; phone numbers; authentication identifiers (oAuth provider, WhatsApp); device MAC addresses; device type, operating system, and browser; WiFi connection timestamps and session durations; location identifiers; marketing campaign engagement data (email opens, clicks); and any additional fields configured by the Controller within the platform.

Categories of data subjects: End-venue guests (members of the public) who authenticate through captive portals deployed by the Controller at customer locations. Data subjects are typically adults, though the platform supports age-gating configurations for venues where minors may be present.

MyWiFi Networks shall: process personal data only on documented instructions from the Controller (including as set out in the Terms of Service and this DPA); ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations; implement the security measures described in Section 9 of this DPA; assist the Controller in fulfilling data subject rights requests and other GDPR obligations; delete or return all personal data at the Controller's request or upon termination of the Service; and make available all information necessary to demonstrate compliance with this DPA.

MyWiFi Networks shall promptly notify the Controller if it receives a data subject rights request directly. MyWiFi Networks shall not respond to data subject rights requests on behalf of the Controller without the Controller's prior authorization, except where required by applicable law.

MyWiFi Networks shall not transfer Guest Data to countries outside the EEA without appropriate safeguards in place. Where transfers are necessary, MyWiFi Networks will rely on Standard Contractual Clauses or other appropriate transfer mechanisms as recognized under applicable data protection law.

MyWiFi Networks uses sub-processors to assist in delivering the Service. The Controller authorizes MyWiFi Networks to engage sub-processors for the purposes described in this DPA, subject to the conditions set out herein. Current sub-processors include: Amazon Web Services (cloud infrastructure), Stripe (payment processing), SendGrid (transactional email), Twilio (SMS), and Cloudflare (CDN and DDoS protection).

MyWiFi Networks shall impose data protection obligations on all sub-processors that are equivalent to those set out in this DPA. MyWiFi Networks shall remain fully liable to the Controller for the sub-processor's performance of its data protection obligations.

MyWiFi Networks will notify the Controller of any intended changes to sub-processors (additions or replacements) with at least 14 days notice. The Controller may object to a new sub-processor within 14 days of notice. If the parties cannot resolve a reasonable objection within 30 days, either party may terminate the Service on written notice.

The Controller is responsible for responding to data subject rights requests (access, erasure, rectification, portability, restriction, objection) from end-venue guests. MyWiFi Networks will provide technical assistance to the Controller to facilitate the fulfillment of such requests within the platform.

MyWiFi Networks provides tools within the platform enabling Controllers to: search guest records by email or phone number; export individual guest profiles in machine-readable format; delete individual guest records or bulk delete by location or date range; and modify guest profile attributes.

Where data subject requests cannot be fulfilled through the platform interface, the Controller should contact support@mywifinetworks.com. MyWiFi Networks will respond to such requests within 5 business days and complete the required processing action within 30 calendar days.

MyWiFi Networks implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption of personal data at rest (AES-256) and in transit (TLS 1.2+); pseudonymization of guest device identifiers where feasible; ongoing confidentiality, integrity, availability, and resilience of processing systems; regular penetration testing and vulnerability assessments; and procedures for regularly testing and evaluating the effectiveness of security measures.

Access to personal data within MyWiFi Networks is restricted to authorized personnel on a need-to-know basis. All staff with access to personal data undergo data protection training annually. Privileged access is subject to multi-factor authentication and audit logging.

MyWiFi Networks maintains ISO 27001-aligned information security policies. Detailed technical security specifications are available to Controllers on request under a non-disclosure agreement.

MyWiFi Networks shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Guest Data processed under this DPA. Initial notification will be provided to the Controller's registered account email address and, for affected Enterprise accounts, via direct contact to the designated security contact.

The breach notification will include, to the extent available at the time: a description of the nature of the breach, the categories and approximate number of data subjects concerned, the approximate number of personal data records concerned, likely consequences of the breach, and measures taken or proposed to address the breach.

MyWiFi Networks will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any breach. The Controller is responsible for notifying the relevant Supervisory Authority and affected data subjects in accordance with applicable law.

Upon termination or expiry of the Service, MyWiFi Networks shall, at the Controller's election, either return all Guest Data in a machine-readable format (JSON or CSV) or securely delete all Guest Data from its systems. The Controller must make this election within 30 days of termination. Absent instruction, MyWiFi Networks will delete all Guest Data after 30 days.

Deletion is carried out by cryptographic erasure of encryption keys combined with secure overwriting of storage media. Deletion certificates are available on request for Enterprise accounts.

Notwithstanding the above, MyWiFi Networks may retain personal data where required to do so by applicable EU, EEA Member State, or Canadian law, or where retention is necessary for legal proceedings or regulatory compliance. MyWiFi Networks will inform the Controller of any such retention obligation to the extent permitted by law.

MyWiFi Networks shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller. Controllers wishing to exercise audit rights must provide at least 30 days written notice.

To minimize disruption, audits shall be conducted during normal business hours, with reasonable advance scheduling. The frequency of audits is limited to once per calendar year unless the Controller has reasonable grounds to suspect a material compliance failure.

Controllers may satisfy audit requirements through review of MyWiFi Networks' current third-party audit reports (SOC 2 Type II, where applicable) and responses to the Controller's information security questionnaire, in lieu of conducting an on-site inspection.