Data Processing Agreement (DPA)

Effective Date: 20th February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Whip ("Processor") and the customer ("Controller") who uses the Whip platform and services (the "Services").

This DPA governs the processing of Personal Data by Whip on behalf of the Customer.

1. Definitions

For the purposes of this DPA:

  • Personal Data means any information relating to an identified or identifiable individual processed through the Services.
  • Controller means the Customer who determines the purposes and means of processing Personal Data.
  • Processor means Whip, which processes Personal Data on behalf of the Controller.
  • Applicable Data Protection Laws means all applicable privacy and data protection regulations, including but not limited to the Malaysia Personal Data Protection Act (PDPA), and where applicable, GDPR or similar regulations.

2. Scope of Processing

Whip processes Personal Data solely for the purpose of providing the Services under the main service agreement.

Nature of Processing

Processing may include:

  • Collection
  • Storage
  • Organisation
  • Retrieval
  • Transmission
  • Deletion

Categories of Data Subjects

May include:

  • Customer's employees and staff
  • Customer's end customers
  • Business owners or authorised users

Types of Personal Data

May include:

  • Names
  • Contact information
  • Login credentials
  • Transaction records
  • Attendance and operational data

Whip does not determine the purpose of the data; the Customer remains the Controller at all times.

3. Obligations of the Customer (Controller)

The Customer agrees that:

  • It has obtained all necessary consents or legal bases to collect and process Personal Data.
  • It complies with all applicable data protection laws.
  • It will not instruct Whip to process Personal Data in violation of applicable laws.

The Customer remains responsible for the accuracy, quality, and legality of Personal Data entered into the platform.

4. Obligations of Whip (Processor)

Whip agrees to:

  • Process Personal Data only on documented instructions from the Customer.
  • Implement appropriate technical and organisational security measures.
  • Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
  • Not sell or use Personal Data for its own independent purposes.
  • Assist the Customer in fulfilling data protection obligations where reasonably required.

5. Security Measures

Whip maintains reasonable security measures designed to protect Personal Data against unauthorised access, disclosure, alteration, or destruction.

Security measures may include:

  • Encrypted data transmission
  • Access controls and role-based permissions
  • Secure hosting infrastructure
  • Regular system maintenance and updates
  • Data backups

Security practices are reviewed periodically to align with industry standards.

6. Sub-Processors

The Customer authorises Whip to engage third-party service providers ("Sub-Processors") where necessary to operate the Services, such as:

  • Cloud infrastructure providers
  • Payment processors
  • Communication service providers

Whip will ensure that Sub-Processors are subject to appropriate data protection obligations.

A list of Sub-Processors may be provided upon request.

7. Data Breach Notification

In the event of a confirmed Personal Data breach affecting Customer data, Whip will:

  • Notify the Customer without undue delay
  • Provide relevant information reasonably necessary to assess the impact
  • Take appropriate steps to mitigate and resolve the breach

Whip's obligation is limited to incidents within its control and infrastructure.

8. Data Retention & Deletion

Upon termination of the Services:

  • Customer data will be retained for a limited period for backup, compliance, or legal purposes.
  • After such period, data may be securely deleted.
  • Customers are responsible for exporting required data prior to account termination.

9. International Data Transfers

Where Personal Data is transferred outside the Customer's jurisdiction, Whip will ensure that appropriate safeguards are in place in accordance with applicable data protection laws.

10. Audit & Compliance

Upon reasonable written request, Whip may provide information necessary to demonstrate compliance with this DPA.

Formal audits may be subject to reasonable notice, scope limitations, and confidentiality obligations.

11. Limitation of Liability

Liability under this DPA shall be subject to the limitations of liability set out in the main service agreement.

12. Governing Law

This DPA shall be governed by the laws specified in the main service agreement between Whip and the Customer.