PRIVACY POLICY – Shittest me LTD

DATA PROCESSING AGREEMENT (DPA)

Between:
Shittest me LTD ("Processor")
and
Client ("Controller")

Together referred to as "Parties".

1. Subject of the Agreement

The Processor provides payment testing, PSP testing, UX/UI testing, KYC flow evaluation, localization checks, security evaluations and related QA services on behalf of the Controller.

This DPA governs the processing of personal data strictly for these purposes.

2. Duration

This DPA remains valid for the entire duration of the service relationship and until all data is deleted or returned to the Controller.

3. Nature and Purpose of Processing

The Processor may process personal data for:

• Account creation
• Payment, PSP, KYC and UX/UI testing
• Security and fraud evaluation
• Providing screenshots, videos and analytical reports
• Confirming test results
• Client support and communication
• Compliance with legal obligations including AML/KYC

No processing occurs outside the Controller's documented instructions.

4. Categories of Data Subjects

May include:

• Client employees
• Client customers (only where explicitly required for testing)
• Testers
• Business partners
• Technical contacts

5. Types of Personal Data

Depending on the test scenario, this may include:

• Name / alias
• Email address
• IP address
• Device information
• Payment method identifiers (non-sensitive)
• KYC/POI/POR documents (if explicitly required)
• Videos and screenshots of platform interactions
• Transaction details (non-financial)
• Geo-location indicators

The Processor never stores full credit card numbers, PINs, passwords or online banking access data.

6. Obligations of the Controller

The Controller must:

• Ensure all provided personal data is lawful and compliant
• Obtain all necessary consents and authorizations
• Provide accurate and lawful testing instructions
• Ensure that all test requests follow legal and PSP regulations
• Not request any illegal or fraudulent testing scenarios

7. Obligations of the Processor

The Processor shall:

• Process data only on documented instruction from the Controller
• Implement strong technical and organizational measures (TOMs)
• Ensure confidentiality of personnel and testers
• Protect data using encryption, access control and secure storage
• Not subcontract processing without written permission
• Notify the Controller of any relevant data breach
• Assist with data subject requests when applicable
• Delete or return data upon request or termination

8. Technical & Organizational Measures (TOMs)

The Processor implements:

• Encrypted storage (AES-256)
• Encrypted transmission (TLS 1.2 or higher)
• Role-based access control
• Minimal data collection principles
• Secure deletion routines
• Internal confidentiality agreements
• Fraud and abuse monitoring
• No storage of sensitive financial credentials

9. Sub-Processors

The Processor may use secure sub-processors for:

• Hosting
• Data storage
• Analytics
• AML/KYC verification
• Internal tester workflows

A list is available upon request.
All sub-processors are bound by equivalent GDPR obligations.

10. International Transfers

Data may be transferred globally due to international testing flows.
All transfers follow one of:

• Standard Contractual Clauses (SCC)
• Adequacy decisions
• Encryption and strict access limitation

11. Confidentiality

All personal data and business information received from the Controller is confidential.
The Processor shall ensure that all employees, testers and subcontractors sign confidentiality agreements.

12. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay, including:

• Nature of breach
• Categories of affected data
• Number of affected subjects
• Mitigation measures taken

13. Return or Deletion of Data

After termination of services, the Processor shall:

• Delete all personal data, or
• Return all personal data to the Controller

unless legal retention requirements apply (e.g., AML/CTF).

14. Liability

Each Party is liable for breaches of their respective obligations under this DPA.
The Processor is not liable for unlawful or non-compliant instructions issued by the Controller.