Last Updated: December 15, 2025
CGD Vibes – Create, Grow, Dream
INTRODUCTION
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you and CGD Vibes Inc., a corporation incorporated under the laws of Quebec, Canada, with its principal place of business in Montréal, Quebec.
This DPA governs the processing of personal data in connection with the CGD Vibes platform and services, ensuring compliance with applicable data protection laws including:
- Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
- General Data Protection Regulation (GDPR) – European Union
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – United States
- Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information)
- Other applicable data protection and privacy laws
By using CGD Vibes, you acknowledge that you have read, understood, and agree to this DPA.
IMPORTANT NOTICES
Plain Language Summary (Non-Binding)
This summary is for convenience only. The full DPA below is legally binding.
- Dual Role: CGD Vibes acts as both Data Controller (for platform operations) and Data Processor (for Seller data)
- Your Rights: Access, correction, deletion, portability, and objection to processing
- Data Retention: Specific schedules apply based on data type and legal requirements
- Sub-Processors: We use trusted third parties (Stripe, hosting providers) with appropriate safeguards
- Security: Industry-standard measures to protect your data
- Breach Notification: We will notify you within 72 hours of discovering a breach
- International Transfers: Appropriate safeguards in place for cross-border data transfers
TABLE OF CONTENTS
- Definitions
- Scope and Application
- Roles and Responsibilities
- Data Processing Purposes and Legal Bases
- Data Subject Rights
- Data Security and Confidentiality
- Sub-Processors
- International Data Transfers
- Data Breach Notification
- Data Retention and Deletion
- Audits and Compliance
- Seller Obligations as Data Controllers
- Liability and Indemnification
- Term and Termination
- Contact Information for Data Protection
1. DEFINITIONS
For purposes of this DPA, the following definitions apply:
"Controller" or "Data Controller" – The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Data Subject" – An identified or identifiable natural person whose personal data is processed. On CGD Vibes, this includes Buyers, Sellers, and any other users.
"Personal Data" or "Personal Information" – Any information relating to an identified or identifiable natural person, including but not limited to: name, email address, mailing address, phone number, payment information, IP address, device identifiers, purchase history, and any other information that can directly or indirectly identify an individual.
"Processing" – Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, restriction, erasure, or destruction.
"Processor" or "Data Processor" – A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
"Sub-Processor" – A third-party data processor engaged by CGD Vibes (the Processor) to process personal data on behalf of the Controller.
"Applicable Data Protection Laws" – All applicable laws, regulations, and regulatory guidance relating to the processing of personal data and privacy, including PIPEDA, GDPR, CCPA/CPRA, Quebec Law 25, and any other applicable federal, provincial, state, or international data protection laws.
"Sensitive Personal Data" or "Special Categories of Data" – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and any other data classified as sensitive under applicable laws.
2. SCOPE AND APPLICATION
2.1 Application of this DPA
This DPA applies to all processing of personal data in connection with the CGD Vibes platform, including:
- Account creation and management
- Payment processing and transaction management
- Content hosting and delivery
- Communications between users and with CGD Vibes
- Customer support and dispute resolution
- Analytics, reporting, and platform improvement
- Marketing and promotional activities (with consent where required)
2.2 Incorporation into Terms of Service
This DPA is incorporated by reference into the CGD Vibes Terms of Service. In the event of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail to the extent necessary to comply with applicable data protection laws.
2.3 Relationship with Privacy Policy
This DPA complements and works in conjunction with the CGD Vibes Privacy Policy. The Privacy Policy provides detailed information about data collection, use, and sharing practices. This DPA establishes the legal framework and contractual obligations for data processing activities.
3. ROLES AND RESPONSIBILITIES
3.1 CGD Vibes as Data Controller
CGD Vibes acts as Data Controller for the following categories of personal data and processing activities:
Platform Operations Data:
- All user account information (registration, profile data, authentication credentials)
- Transaction data as Merchant of Record (payment information, purchase history, receipts)
- Platform usage data (analytics, feature usage, system logs)
- Customer support communications and ticket data
- Marketing and promotional data (with user consent)
- Security and fraud prevention data (IP addresses, device fingerprints, behavioral analysis)
As Data Controller, CGD Vibes:
- Determines the purposes and means of processing this data
- Ensures compliance with all applicable data protection laws
- Responds to data subject rights requests for platform operations data
- Implements appropriate technical and organizational security measures
- Maintains records of processing activities
3.2 CGD Vibes as Data Processor
CGD Vibes acts as Data Processor on behalf of Sellers (who act as Data Controllers) for the following:
Seller Customer Data:
- Buyer contact information related to specific Seller products (email addresses of customers who purchased a specific Seller's course or product)
- Purchase history specific to individual Seller products
- Communications between Sellers and their customers facilitated through the platform
- User-generated content submitted by customers to Sellers (course assignments, community posts, forum contributions)
- Progress and engagement data for Seller-specific courses or content
As Data Processor, CGD Vibes:
- Processes this data only on documented instructions from Sellers (as Controllers)
- Does not process Seller customer data for CGD Vibes' own purposes (except as required by law or to provide platform services)
- Assists Sellers in responding to data subject rights requests related to Seller customer data
- Implements technical and organizational measures to secure Seller customer data
- Notifies Sellers of data breaches affecting their customer data
3.3 Shared Data and Joint Controllership
For certain categories of data, CGD Vibes and Sellers may be Joint Controllers, meaning both parties determine the purposes and means of processing. This applies to:
- Transaction and payment data (CGD Vibes processes payments as Merchant of Record; Sellers fulfill orders and deliver products)
- Customer support data related to Seller products (both parties may communicate with customers to resolve issues)
- Refund and dispute data (CGD Vibes manages refunds as MoR; Sellers are involved in dispute resolution)
Joint Controller Responsibilities:
- CGD Vibes Responsibilities: Payment processing, tax compliance, refund management, platform security, initial data subject rights request handling
- Seller Responsibilities: Product/service delivery, customer relationship management, product-specific communications, cooperation with data subject rights requests
- Shared Responsibilities: Both parties must ensure appropriate security measures, respond to data subject requests within legal timeframes, and notify each other of relevant data breaches
3.4 Sellers as Independent Data Controllers
Sellers are independent Data Controllers for any personal data they collect and process outside the CGD Vibes platform, including:
- Email lists or CRM systems maintained independently by Sellers
- Customer data collected through Seller-owned websites or marketing channels
- Personal data shared directly between Sellers and customers outside the platform
- Any processing activities not facilitated by CGD Vibes
Important: CGD Vibes is not responsible for Sellers' independent data processing activities. Sellers must comply with all applicable data protection laws for data they control independently. See Section 12 for detailed Seller obligations.
4. DATA PROCESSING PURPOSES AND LEGAL BASES
4.1 Lawful Bases for Processing
CGD Vibes processes personal data based on the following lawful bases under applicable data protection laws:
PROCESSING PURPOSE: Account creation and authentication
LEGAL BASIS: Contractual necessity (performance of Terms of Service)
DATA CATEGORIES: Name, email address, password, phone number
PROCESSING PURPOSE: Payment processing and transaction management
LEGAL BASIS: Contractual necessity; Legal obligation (tax compliance, AML/KYC)
DATA CATEGORIES: Payment card data, bank account information, billing address, tax identification numbers, transaction history
PROCESSING PURPOSE: Content hosting and delivery
LEGAL BASIS: Contractual necessity
DATA CATEGORIES: User-uploaded content, course materials, digital products, community posts
PROCESSING PURPOSE: Customer support and dispute resolution
LEGAL BASIS: Contractual necessity; Legitimate interests (resolving issues, improving service)
DATA CATEGORIES: Support tickets, communications, order history, issue descriptions
PROCESSING PURPOSE: Fraud prevention and security
LEGAL BASIS: Legitimate interests (protecting the platform and users); Legal obligation (AML / fraud prevention)
DATA CATEGORIES: IP addresses, device information, login history, behavioral data, transaction patterns
PROCESSING PURPOSE: Platform analytics and improvement
LEGAL BASIS: Legitimate interests (improving platform functionality and user experience)
DATA CATEGORIES: Usage data, feature engagement, performance metrics, aggregated analytics
PROCESSING PURPOSE: Marketing and promotional communications
LEGAL BASIS: Consent (where required); Legitimate interests (existing customer marketing, where permitted)
DATA CATEGORIES: Email address, name, purchase history, interests, engagement data
PROCESSING PURPOSE: Legal compliance and regulatory requirements
LEGAL BASIS: Legal obligation
DATA CATEGORIES: Tax records, transaction data, identity verification documents, regulatory reports
4.2 Consent-Based Processing
Where processing is based on consent, CGD Vibes ensures that:
- Consent is freely given, specific, informed, and unambiguous
- Users can withdraw consent at any time through account settings or by contacting support
- Consent is documented and records are maintained
- Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal
- Users are clearly informed about the consequences of withdrawing consent
4.3 Legitimate Interests Assessment
Where processing is based on legitimate interests, CGD Vibes has conducted balancing tests to ensure that:
- The legitimate interest pursued is clearly identified and documented
- The processing is necessary to achieve that interest
- The interests, rights, and freedoms of data subjects are balanced against CGD Vibes' interests
- Data subjects' rights do not override the legitimate interest
5. DATA SUBJECT RIGHTS
CGD Vibes respects and facilitates the exercise of data subject rights under applicable data protection laws. These rights may vary depending on your jurisdiction, but generally include:
5.1 Right of Access
You have the right to:
- Request confirmation of whether we process your personal data
- Obtain a copy of your personal data
- Receive information about the processing activities (purposes, categories of data, recipients, retention periods)
- Access this information through account settings or by submitting a request to [email protected]
Response Timeline: CGD Vibes will respond to access requests within 30 days (45 days for complex requests, with notice of extension).
5.2 Right to Rectification
You have the right to:
- Correct inaccurate personal data
- Complete incomplete personal data
- Update information through account settings or by contacting support
Implementation: CGD Vibes will make corrections within 15 business days and notify relevant third parties if required.
5.3 Right to Erasure (Right to Be Forgotten)
You have the right to request deletion of your personal data under certain circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Legal obligation requires erasure
Exceptions: CGD Vibes may retain data where necessary for:
- Compliance with legal obligations (tax records, transaction data for 7 years)
- Establishment, exercise, or defense of legal claims
- Fraud prevention and security (limited to fraud indicators, not full records)
- Fulfillment of contractual obligations to other users (e.g., Seller payout records, purchased content access)
5.4 Right to Data Portability
You have the right to:
- Receive your personal data in a structured, commonly used, and machine-readable format (CSV, JSON)
- Transmit your data to another controller (where technically feasible)
- Request portability of data you provided to CGD Vibes (not derived or inferred data)
Scope: Portability applies to data processed by automated means based on consent or contract (account data, purchase history, content you uploaded).
5.5 Right to Restriction of Processing
You have the right to request restriction (not deletion) of processing in the following cases:
- You contest the accuracy of personal data (restriction during verification period)
- Processing is unlawful but you prefer restriction over erasure
- CGD Vibes no longer needs the data but you need it for legal claims
- You have objected to processing and verification of legitimate grounds is pending
Effect: During restriction, CGD Vibes will store the data but not further process it (except with your consent, for legal claims, or to protect other persons' rights).
5.6 Right to Object
You have the right to object to processing of your personal data where:
- Processing is based on legitimate interests (CGD Vibes must demonstrate compelling legitimate grounds that override your interests)
- Processing is for direct marketing purposes (you can opt out at any time with no justification needed)
- Processing is for research or statistical purposes (unless necessary for public interest)
Direct Marketing Opt-Out: You can unsubscribe from marketing emails using the link in any marketing message or through account settings. CGD Vibes will process opt-outs within 5 business days.
5.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to Withdraw: Use the same method by which consent was given (unsubscribe links, account settings, or contact [email protected]).
5.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.
Supervisory Authorities:
- Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
- Quebec: Commission d'accès à l'information du Québec (www.cai.gouv.qc.ca)
- EU/EEA: Your local data protection authority (list available at edpb.europa.eu)
- California: California Attorney General (oag.ca.gov/privacy)
5.9 Exercising Your Rights
To exercise any of these rights, you may:
- Email: [email protected] with subject line "Data Subject Rights Request"
- Account Settings: Use self-service tools for access, rectification, and deletion where available
- Mail:
N.W. Marketing Inc.
c/o CGD Vibes
204 rue du Saint-Sacrement, Espace 300
Montréal, Québec, Canada
H2Y 1W8
Verification: CGD Vibes may request additional information to verify your identity before processing requests. This protects against fraudulent requests and unauthorized access.
Response Timeline: CGD Vibes will respond to requests within 30 days (extendable to 45 days for complex requests, with notice). If we cannot fulfill a request, we will explain the reasons.
No Fee: Requests are processed free of charge. CGD Vibes may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.
6. DATA SECURITY AND CONFIDENTIALITY
6.1 Security Measures
CGD Vibes implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including:
Technical Measures:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for staff, principle of least privilege
- Network Security: Firewalls, intrusion detection systems (IDS), regular vulnerability scanning
- Secure Authentication: Password hashing (bcrypt), secure session management, automatic logout
- Logging and Monitoring: Comprehensive audit logs, real-time security monitoring, anomaly detection
- Data Backup: Automated daily backups with encryption, tested disaster recovery procedures
Organizational Measures:
- Staff Training: Regular data protection and security training for all employees and contractors
- Confidentiality Agreements: All staff and contractors sign confidentiality and data protection agreements
- Incident Response: Documented incident response plan, designated security team, regular drills
- Vendor Management: Due diligence and contractual security requirements for all sub-processors
- Security Reviews: Annual security assessments, penetration testing, and compliance audits
6.2 Payment Security
CGD Vibes uses Stripe for payment processing and does not directly store or process full payment card data. Stripe is PCI-DSS Level 1 certified (the highest level of certification).
- CGD Vibes complies with PCI-DSS requirements applicable to merchants
- Payment card data is tokenized and handled securely by Stripe
- CGD Vibes stores only tokenized payment references, not full card numbers
6.3 Confidentiality Obligations
CGD Vibes and its personnel must:
- Treat all personal data as confidential
- Process data only as authorized by this DPA and applicable instructions
- Not access or disclose personal data except as necessary for their authorized duties
- Maintain confidentiality obligations even after employment or contract termination
6.4 Security Testing and Audits
CGD Vibes conducts regular security assessments:
- Annual: Third-party penetration testing, security audits, compliance reviews
- Quarterly: Vulnerability scanning, access reviews, security policy updates
- Continuous: Automated security monitoring, log analysis, intrusion detection
- Ad-Hoc: Security assessments after significant platform changes or incidents
7. SUB-PROCESSORS
7.1 Authorized Sub-Processors
CGD Vibes engages the following categories of sub-processors to provide platform services:
- Payment Processing: Stripe (payment processing, fraud prevention, payout management)
- Payment Processing: Paystack (alternative payment checkout, transaction processing)
- Cloud Infrastructure: Hosting providers for platform infrastructure, data storage, and content delivery
- Email Services: Transactional email delivery, marketing communications
- Analytics: Platform analytics, user behavior analysis
- Customer Support: Support ticket management, live chat services
- Security Services: Fraud detection, security monitoring, vulnerability scanning
- Security Services: hCaptcha (bot detection and human verification)
- Video / Content: YouTube (embedded video player for course content, viewing behavior tracking)
- Error Monitoring: Bugsnag via EzyCourse (platform error detection and reporting)
- Consent Management: Cookiebot by Usercentrics (cookie consent banner and preference management)
- Social / Sharing: ShareThis (social sharing functionality and cookie testing)
- Chat Support: b.chatconnect.cloud (live chat support widget, language preference)
7.2 Sub-Processor Requirements
CGD Vibes ensures that all sub-processors:
- Provide sufficient guarantees of technical and organizational security measures
- Enter into written contracts imposing data protection obligations equivalent to this DPA
- Process personal data only on documented instructions
- Maintain appropriate confidentiality commitments
- Comply with applicable data protection laws
Liability: CGD Vibes remains fully liable to you for the performance of sub-processors' obligations under this DPA.
7.3 Changes to Sub-Processors
CGD Vibes will provide at least 30 days' advance notice of any intended changes concerning the addition or replacement of sub-processors.
Notification Method:
- Email notification to registered users
- Update to sub-processor list on CGD Vibes website
- Platform notification for logged-in users
Right to Object:
If you have legitimate grounds to object to the use of a new sub-processor, you may:
- Submit a written objection within 30 days of notice to [email protected]
- CGD Vibes will either: (a) not use the new sub-processor for your data, or (b) work with you to find a mutually acceptable solution
- If no solution can be found, you may terminate your account without penalty and request data export
8. INTERNATIONAL DATA TRANSFERS
8.1 Cross-Border Transfers
CGD Vibes may transfer personal data internationally as part of providing platform services. This may include transfers:
- From Canada to other jurisdictions
- From the European Economic Area (EEA) to third countries
- Between jurisdictions where sub-processors are located
- To facilitate global platform operations and service delivery
8.2 Transfer Mechanisms
CGD Vibes ensures that all international data transfers are conducted using appropriate safeguards:
For EEA/UK Data:
- Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., Canada for commercial organizations under PIPEDA)
- Standard Contractual Clauses (SCCs): EU-approved Standard Contractual Clauses (2021 version) for transfers to countries without adequacy decisions
- Supplementary Measures: Additional technical measures (encryption, pseudonymization) to ensure data protection equivalent to EEA standards
For Canadian Data:
- PIPEDA Requirements: Contractual provisions ensuring foreign sub-processors provide comparable protection to Canadian standards
- Notice: Users informed of foreign processing through Privacy Policy and this DPA
- Safeguards: Contractual commitments from foreign processors regarding security and legal access
For U.S. Data:
- CCPA/CPRA Compliance: Service provider agreements limiting use and disclosure of California resident data
- State Laws: Compliance with applicable state privacy laws for data transfers
8.3 Government Access Disclosure
CGD Vibes acknowledges that personal data transferred outside your jurisdiction may be subject to lawful access by government authorities, law enforcement, or national security agencies in the destination country.
Commitments:
- CGD Vibes will notify you of government data requests where legally permitted
- CGD Vibes will challenge overbroad or unlawful requests where appropriate
- CGD Vibes will provide only the minimum data necessary to comply with legal obligations
- CGD Vibes maintains a transparency report (published annually) disclosing aggregate data on government requests
8.4 Transfer Impact Assessment
CGD Vibes has conducted transfer impact assessments (TIAs) to evaluate the legal framework in destination countries and ensure that, in practice, a level of protection essentially equivalent to that in the origin country is guaranteed. These assessments consider:
- Legal framework for government access to data in destination countries
- Practical application of laws and precedents
- Technical and organizational measures to mitigate risks
- Supplementary measures necessary to ensure adequate protection
9. DATA BREACH NOTIFICATION
This section supplements the Data Breach Notification provisions in Section 12.7 of the Terms of Service and provides additional detail on CGD Vibes' breach response procedures under this DPA.
9.1 Definition of Personal Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
9.2 Notification to Data Subjects (Users)
Timing: CGD Vibes will notify affected users within 72 hours of discovering a personal data breach (consistent with Section 12.7 of the Terms of Service).
Notification Content: User notifications will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Contact information for CGD Vibes' data protection point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Recommended actions users can take to protect themselves
9.3 Notification to Supervisory Authorities
Where required by applicable law, CGD Vibes will notify relevant supervisory authorities within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Jurisdictional Requirements:
- GDPR (EU/EEA): Notification to lead supervisory authority within 72 hours
- PIPEDA (Canada): Notification to Privacy Commissioner if breach poses real risk of significant harm
- Quebec Law 25: Notification to Commission d'accès à l'information if serious injury risk
- CCPA/CPRA (California): Notification to Attorney General if breach affects >500 California residents
9.4 Notification to Sellers (as Data Controllers)
Where a breach affects Seller customer data (for which Sellers are Data Controllers and CGD Vibes is the Processor), CGD Vibes will:
- Immediate Notification: Notify affected Sellers within 24 hours of discovering the breach
- Detailed Information: Provide all information necessary for Sellers to fulfill their own notification obligations
- Cooperation: Assist Sellers in assessing the impact and responding to the breach
- Documentation: Provide written records of the breach for Sellers' compliance purposes
9.5 Breach Documentation
CGD Vibes will document all personal data breaches, including:
- Facts relating to the breach
- Effects of the breach
- Remedial action taken
Documentation will be maintained for at least 7 years and made available to supervisory authorities upon request.
10. DATA RETENTION AND DELETION
This section supplements Section 12.7 of the Terms of Service, which provides detailed retention schedules. This DPA section focuses on the legal framework and data protection principles governing retention.
10.1 Retention Principles
CGD Vibes retains personal data only for as long as necessary to fulfill the purposes for which it was collected, subject to:
- Purpose Limitation: Data is retained only while it serves the original collection purpose
- Legal Obligations: Extended retention where required by law (e.g., tax records for 7 years)
- Legitimate Interests: Retention for fraud prevention, security, or legal claims defense (limited to what is necessary)
- User Rights: Deletion upon request unless retention is legally required
10.2 Retention Schedules by Data Category
See Section 12.7 of the Terms of Service for complete retention schedules. Key categories:
- Transaction & Financial Data: 7 years (tax and legal compliance)
- Account Data (Active): Duration of account + applicable post-closure periods
- Communications: 1-3 years depending on type (support tickets, emails, messages)
- Fraud/Security Data: 10 years (industry standard for fraud prevention)
- Marketing Data: Until opt-out + 30 days
10.3 Secure Deletion Methods
When personal data is deleted, CGD Vibes uses secure deletion methods:
- Active Data: Overwriting or secure deletion from production databases
- Backup Data: Excluded from restoration; backups recycled according to retention policy
- Physical Media: Cryptographic erasure or physical destruction before disposal
- Anonymization: Where permitted, anonymization for analytics purposes (irreversible removal of identifiers)
10.4 Legal Hold and Litigation Preservation
CGD Vibes may suspend deletion where:
- Litigation or legal proceedings are pending or reasonably anticipated
- Regulatory investigation or audit is ongoing
- Court order or legal hold notice has been received
- Data is necessary for defense of legal claims
Users will be notified if a deletion request cannot be fulfilled due to legal hold, with an explanation of the legal basis and expected duration.
11. AUDITS AND COMPLIANCE
11.1 CGD Vibes' Audit Rights
CGD Vibes conducts regular internal audits to ensure compliance with this DPA and applicable data protection laws:
- Annual Compliance Audit: Comprehensive review of data processing activities, security measures, and policy adherence
- Quarterly Security Review: Assessment of technical and organizational security measures
- Continuous Monitoring: Automated compliance monitoring and alerting systems
11.2 User Audit Rights (For Sellers Acting as Controllers)
Sellers acting as Data Controllers (for whom CGD Vibes processes customer data) have the right to audit CGD Vibes' compliance with this DPA, subject to the following conditions:
Audit Request Requirements:
- Written request submitted at least 60 days in advance to [email protected]
- Reasonable scope (focused on Seller's customer data processing, not entire platform)
- Maximum of one audit per year (unless breach or significant compliance issue)
- Conducted during business hours with minimal disruption to operations
Alternative to On-Site Audit:
In lieu of an on-site audit, CGD Vibes may provide:
- Existing third-party audit reports or certifications (SOC 2, ISO 27001, etc.)
- Detailed questionnaire responses regarding data protection practices
- Documentation of security measures and compliance procedures
- Virtual audit conducted via secure video conference and document review
Audit Costs:
- Seller bears costs of its own auditors/representatives
- CGD Vibes provides reasonable cooperation at no charge for standard audits
- Excessive or disruptive audit requests may be subject to reasonable cost recovery
11.3 Supervisory Authority Audits
CGD Vibes will cooperate fully with supervisory authorities in connection with:
- Compliance audits and investigations
- Information requests and inquiries
- Data breach investigations
- Complaints filed by data subjects
CGD Vibes will provide requested information and documentation within legally required timeframes and facilitate access to relevant personnel, systems, and records as necessary.
11.4 Records of Processing Activities
CGD Vibes maintains comprehensive records of processing activities as required by applicable data protection laws, including:
- Name and contact details of the controller/processor
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International data transfers and safeguards
- Retention periods
- Security measures
12. SELLER OBLIGATIONS AS DATA CONTROLLERS
This section sets forth the obligations of Sellers who act as Data Controllers for personal data they collect or control independently, or for customer data processed by CGD Vibes on their behalf.
12.1 Compliance with Data Protection Laws
Sellers acting as Data Controllers must:
- Comply with all applicable data protection laws in their jurisdiction and their customers' jurisdictions
- Determine the purposes and means of processing for their customer data
- Ensure they have a lawful basis for processing (consent, contract, legitimate interest, etc.)
- Implement appropriate technical and organizational security measures
- Maintain records of their processing activities
12.2 Privacy Notices and Transparency
Sellers must provide clear privacy notices to their customers that:
- Identify the Seller as the Data Controller
- Identify CGD Vibes as a Data Processor providing platform services
- Explain what personal data is collected and why
- Describe how data will be used, shared, and protected
- Inform customers of their data subject rights
- Provide contact information for privacy inquiries
Recommended Language for Seller Privacy Notices:
"Your personal data is collected and processed by [Seller Name]. We use CGD Vibes as our platform provider to host content, process payments, and deliver our products and services to you. CGD Vibes processes your data on our behalf as a Data Processor. For more information about how CGD Vibes handles data, please see the CGD Vibes Privacy Policy at www.cgdvibes.com/privacy-policy."
12.3 Obtaining Valid Consent
Where processing is based on consent, Sellers must ensure that:
- Consent is freely given, specific, informed, and unambiguous
- Consent requests are clearly distinguishable from other matters
- Consent is documented and records are maintained
- Customers can withdraw consent easily
- Pre-ticked boxes or other invalid consent mechanisms are not used
12.4 Responding to Data Subject Rights Requests
Sellers are responsible for responding to data subject rights requests related to their customer data:
- Request Handling: Sellers must respond to requests within legal timeframes (typically 30 days)
- CGD Vibes Assistance: CGD Vibes will assist Sellers by providing access to customer data stored on the platform
- Coordination: If a request is submitted to CGD Vibes, we will forward it to the relevant Seller for response
- Seller Responsibility: Sellers remain responsible for fulfilling requests even if CGD Vibes provides data access tools
12.5 Data Minimization and Purpose Limitation
Sellers must:
- Collect only personal data that is adequate, relevant, and necessary for specified purposes
- Not process customer data for purposes incompatible with the original collection purpose
- Not collect excessive or unnecessary personal data
- Regularly review data collection practices to ensure continued necessity
12.6 Independent Data Processing Activities
For any data processing activities conducted independently outside the CGD Vibes platform, Sellers are solely responsible for:
- Implementing appropriate security measures
- Handling data breaches and notification obligations
- Ensuring compliance with data protection laws
- Selecting and managing their own sub-processors or service providers
- Maintaining records of processing activities
Examples of Independent Processing:
- Email marketing lists maintained in third-party CRM systems
- Customer databases stored on Seller-owned servers
- Communications conducted through Seller's own email or messaging systems
- Customer information shared with Seller's own service providers
12.7 Prohibited Processing Activities
Sellers must NOT:
- Process sensitive personal data (health data, biometric data, racial/ethnic origin, etc.) without explicit consent and appropriate safeguards
- Collect or process personal data of children under 13 (or applicable age of consent) without verifiable parental consent
- Sell or rent customer personal data to third parties
- Use customer data for purposes incompatible with the original collection purpose without new consent
- Process data in ways that violate CGD Vibes Terms of Service or applicable laws
12.8 Seller Breach Notification Obligations
If a Seller experiences a data breach affecting customer data they control independently:
- Notify CGD Vibes: Within 24 hours if the breach may affect data processed through CGD Vibes
- Notify Affected Customers: As required by applicable law (typically within 72 hours)
- Notify Authorities: As required by applicable data protection laws
- Cooperate with CGD Vibes: In assessing impact and mitigating harm
13. LIABILITY AND INDEMNIFICATION
13.1 Allocation of Liability
Liability for data protection violations is allocated based on roles and responsibilities:
CGD Vibes Liability (as Data Controller):
- Platform operations data processing (account management, payment processing, platform analytics)
- Security of platform infrastructure and services
- Compliance with data protection laws for CGD Vibes' own processing activities
- Sub-processor selection and management
CGD Vibes Liability (as Data Processor):
- Processing Seller customer data according to documented instructions
- Implementing appropriate security measures for Seller customer data
- Assisting Sellers with data subject rights requests and breach notifications
- Limitation: CGD Vibes is liable only for violations within its control as Processor
Seller Liability (as Data Controller):
- Determining purposes and means of processing for their customer data
- Ensuring lawful basis for processing (obtaining consent, etc.)
- Providing adequate privacy notices to customers
- Responding to data subject rights requests
- Independent data processing activities outside the CGD Vibes platform
- Compliance with data protection laws for their own processing activities
13.2 Limitation of Liability
Subject to Section 15 of the Terms of Service and applicable mandatory law, the following limitations apply to data protection liabilities:
General Limitation:
To the maximum extent permitted by law, CGD Vibes' total liability for data protection violations under this DPA is subject to the liability caps set forth in Section 15.1 of the Terms of Service.
Exceptions:
These limitations do NOT apply to:
- Liability that cannot be limited under applicable data protection laws (e.g., GDPR Article 82 liability for damages)
- Regulatory fines or penalties imposed by supervisory authorities
- Damages arising from CGD Vibes' gross negligence, willful misconduct, or fraud
- Mandatory compensation rights under consumer protection laws
13.3 Indemnification for Data Protection Violations
This section supplements the indemnification provisions in Section 16 of the Terms of Service specifically for data protection matters.
Seller Indemnification of CGD Vibes:
Sellers agree to indemnify CGD Vibes for claims arising from:
- Seller's failure to obtain valid consent or establish lawful basis for processing
- Seller's inadequate or misleading privacy notices
- Seller's failure to respond to data subject rights requests
- Seller's independent data processing activities outside the CGD Vibes platform
- Seller's processing of personal data in violation of this DPA or applicable laws
- Seller's data breaches affecting data they control independently
Subject to Caps: Seller indemnification is subject to the caps set forth in Section 16.1 of the Terms of Service.
13.4 Regulatory Fines and Penalties
Allocation of Regulatory Fines:
- CGD Vibes Responsible: Fines for violations within CGD Vibes' control as Controller or Processor
- Seller Responsible: Fines for violations within Seller's control as Controller
- Shared Responsibility: Where both parties contributed to the violation, fines are allocated proportionally based on fault
Important: Neither party shall take actions that increase the other party's exposure to regulatory fines. Both parties agree to cooperate in good faith to minimize regulatory risks.
14. TERM AND TERMINATION
14.1 Term
This DPA comes into effect when you first use CGD Vibes and remains in effect for as long as CGD Vibes processes personal data on your behalf or for which you are a data subject.
14.2 Termination
This DPA will terminate:
- Upon termination of your account and completion of all data retention obligations
- Upon termination of the Terms of Service
- By mutual written agreement of the parties
14.3 Effect of Termination
Upon termination of this DPA:
For Buyers and General Users:
- CGD Vibes will delete or anonymize your personal data in accordance with the retention schedules in Section 12.7 of the Terms of Service
- Data subject to legal retention requirements will be retained for required periods
- You may request data export before termination (subject to technical feasibility)
For Sellers:
- CGD Vibes will return or delete Seller customer data upon request (subject to legal retention requirements)
- Sellers have 60 days from account closure to request data export
- CGD Vibes will certify deletion of Seller customer data upon request (within 90 days of completing retention obligations)
- Sellers remain responsible for purchased content access obligations to their customers
14.4 Survival
The following provisions survive termination of this DPA:
- Data retention and deletion obligations (Section 10)
- Confidentiality obligations (Section 6.3)
- Liability and indemnification (Section 13)
- Audit rights (for periods during which this DPA was in effect)
- Any other provisions that by their nature should survive
15. CONTACT INFORMATION FOR DATA PROTECTION
15.1 Data Protection Officer / Privacy Contact
For all data protection inquiries, requests, or concerns, please contact:
Email: [email protected]
Subject Line: Please include specific subject lines for faster routing:
- "Data Subject Rights Request" – For access, deletion, rectification, portability requests
- "Data Breach Notification" – For reporting potential data breaches
- "DPA Inquiry" – For questions about this Data Processing Agreement
- "Seller Data Controller Issue" – For Sellers seeking assistance with their Controller obligations
- "Privacy Policy Question" – For general privacy inquiries
Mailing Address:
N.W. Marketing Inc.
Attn: Data Protection / Privacy
c/o CGD Vibes
204 rue du Saint-Sacrement, Espace 300
Montréal, Québec, Canada
H2Y 1W8
15.2 Response Timelines
CGD Vibes is committed to responding promptly to data protection inquiries:
- General Inquiries: Within 5 business days
- Data Subject Rights Requests: Within 30 days (extendable to 45 days for complex requests, with notice)
- Data Breach Reports: Immediate acknowledgment within 24 hours
- Urgent Issues: Same business day for critical security or privacy concerns
15.3 Supervisory Authority Contact Information
If you are not satisfied with CGD Vibes' handling of your data protection concerns, you have the right to lodge a complaint with your local supervisory authority:
Canada (Federal):
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
Quebec:
Commission d'accès à l'information du Québec
Website: www.cai.gouv.qc.ca
Phone: 1-888-528-7741
European Union / EEA:
Your local Data Protection Authority
List available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
California, USA:
California Attorney General's Office
Website: https://oag.ca.gov/privacy
Phone: 916-210-6276
ACKNOWLEDGMENT & ACCEPTANCE
BY USING CGD VIBES, YOU ACKNOWLEDGE THAT:
- You have read and understood this Data Processing Agreement in its entirety
- You agree to the processing of personal data as described in this DPA
- You understand your rights as a data subject under applicable data protection laws
- If you are a Seller, you acknowledge your obligations as a Data Controller
- You understand how to exercise your data subject rights and contact CGD Vibes with privacy concerns
- You consent to international data transfers as described in Section 8
IF YOU DO NOT AGREE TO THIS DATA PROCESSING AGREEMENT, YOU MAY NOT USE CGD VIBES.
UPDATES AND MODIFICATIONS
CGD Vibes may update this DPA from time to time to reflect changes in data protection laws, business practices, or platform features. Material changes will be communicated to users at least 60 days in advance via email and platform notification, consistent with the update procedures in Section 19.15 of the Terms of Service.
Continued use of CGD Vibes after the effective date of changes constitutes acceptance of the updated DPA.
---END OF DATA PROCESSING AGREEMENT---
For questions about this DPA, please contact [email protected]