Data Processing Agreement

This Data Processing Agreement ("DPA") supplements the Terms of Service ("Terms") between enowX Labs ("Processor," "we," "us") and the entity or individual agreeing to these terms ("Controller," "you," "your").

This DPA applies where enowX Labs processes Personal Data on behalf of the Controller in connection with the provision of our software distribution and licensing Services. It sets out the parties' obligations regarding the protection of Personal Data in accordance with applicable data protection laws.

In the event of a conflict between this DPA and the Terms, this DPA shall prevail with respect to data processing matters.

For the purposes of this DPA, the following terms have the meanings set out below:

• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Processor" means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, enowX Labs acts as the Processor.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Personal Data" means any information relating to a Data Subject that can be used, directly or indirectly, to identify that person.
• "Processing" means any operation performed on Personal Data, whether automated or manual, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

This DPA applies to all Processing of Personal Data that enowX Labs performs on behalf of the Controller in connection with the Services described in the Terms. The purpose of Processing is limited to providing, maintaining, and improving the Services as instructed by the Controller.

enowX Labs will process Personal Data only in accordance with the Controller's documented instructions, unless required to do otherwise by applicable law. If such a legal requirement arises, we will inform the Controller before Processing (unless prohibited by law from doing so).

Types of Personal Data. The following categories of Personal Data may be processed under this DPA:

• Identity data: names, email addresses, display names, profile information from OAuth providers.
• Technical data: IP addresses, hardware identifiers (HWID), device information, operating system details, browser type.
• Usage data: license activation records, download history, feature usage, session timestamps.
• Transaction data: order IDs, purchase history, subscription status, billing addresses (as provided by Paddle).

Categories of Data Subjects. Data Subjects include the Controller's end users, customers, employees, and contractors who access or use the Services.

Purpose of Processing. Personal Data is processed for the purposes of account management, license activation and verification, software delivery, payment processing, customer support, and platform analytics.

Duration of Processing. Processing continues for the duration of the agreement between the parties, plus any retention period required by applicable law or as described in our Privacy Policy.

enowX Labs, as Processor, shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country.
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data, the ability to ensure ongoing confidentiality and integrity of processing systems, the ability to restore availability of Personal Data in a timely manner, and a process for regularly testing and evaluating the effectiveness of security measures.
• Assist the Controller in fulfilling its obligations to respond to Data Subject requests for exercising their rights.
• Assist the Controller in ensuring compliance with its obligations regarding security of processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
• At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

The Controller provides general authorization for enowX Labs to engage Sub-processors. We currently use the following Sub-processors:

• Paddle.com Market Limited. Payment processing, invoicing, tax compliance, and subscription management. Paddle processes transaction data, billing addresses, and payment method information as merchant of record.
• Hosting Infrastructure Provider. Server hosting, data storage, and network services. Processes all data stored on our platform as part of infrastructure operations.

We will notify the Controller of any intended changes to Sub-processors at least 14 days before the change takes effect, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties will work together in good faith to find an alternative solution. If no resolution is reached, the Controller may terminate the affected Services.

enowX Labs ensures that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

enowX Labs will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

If enowX Labs receives a request directly from a Data Subject, we will promptly redirect the request to the Controller, unless we are legally required to respond directly. We will not respond to Data Subject requests on the Controller's behalf without prior written authorization, except to confirm that the request relates to the Controller.

In the event of a Data Breach affecting Personal Data processed under this DPA, enowX Labs will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.

The notification will include, to the extent available:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
• The name and contact details of the point of contact for further information.
• A description of the likely consequences of the breach.
• A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

enowX Labs will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

enowX Labs is based in Indonesia. Personal Data may be transferred to and processed in jurisdictions outside the Controller's country of establishment.

Where Personal Data is transferred internationally, enowX Labs ensures that appropriate safeguards are in place, which may include:

• Standard contractual clauses approved by relevant data protection authorities.
• Binding corporate rules where applicable.
• Transfers to countries recognized as providing an adequate level of data protection.
• Other lawful transfer mechanisms as permitted by applicable data protection laws.

The Controller may request information about the specific safeguards applied to any international transfer of their Personal Data.

enowX Labs will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Audit requests must be submitted in writing with at least 30 days' notice. Audits shall be conducted during normal business hours, no more than once per year (unless required by a supervisory authority or following a Data Breach), and in a manner that minimizes disruption to our operations.

The Controller shall bear the costs of any audit it initiates. If an audit reveals non-compliance, enowX Labs will promptly take corrective action at its own expense.

This DPA takes effect when the Controller begins using our Services and remains in force for as long as enowX Labs processes Personal Data on behalf of the Controller.

Upon termination of the Services or this DPA, enowX Labs will, at the Controller's written request, either return all Personal Data to the Controller in a commonly used, machine-readable format, or securely delete all Personal Data within 30 days. We will confirm deletion in writing upon request.

enowX Labs may retain Personal Data to the extent required by applicable law, provided that such data is processed only for the purposes permitted by that law and remains subject to the confidentiality and security obligations of this DPA.

For questions about this Data Processing Agreement or to submit a DPA-related request:

enowX Labs
Semarang, Indonesia
Email: dpa@enowxlabs.com