Data Processing Agreement for the gro.now Platform (b2b)

Version v.1.0 dated 23.10.2025

1. Introduction

1.1.

This Data Processing Agreement for the gro.now platform (hereinafter the 'Agreement' or 'DPA') is entered into between:
(i) Pwron LLP, BIN 241040012133, address: Republic of Kazakhstan, Almaty, Bostandyk district, Satpayeva str, 90/54, apt 5, postal code 050000; website: https://gro.now/ (hereinafter the 'Processor'),
and
(ii) the Client who has entered into the User Agreement for clients of the gro.now Platform, see https://app.gro.now/legal/b2b-Term (hereinafter the 'User Agreement' or 'UA'; where this Agreement refers to the 'Main Agreement', it means the User Agreement), and who is the Operator (Controller) of personal data within the meaning of applicable law (the Processor and the Client hereinafter collectively referred to as the 'Parties').

1.2. This Agreement governs the relationship between the Parties arising from the Processor's processing of personal data transferred to it by the Client or received from data subjects on behalf of the Client, within the framework of the performance of the Main Agreement.

1.3. This Agreement is an integral part of the User Agreement and shall be interpreted in conjunction with it, as well as with other internal documents of the Processor governing the use of the gro.now platform, including: the General Personal Data Processing Policy https://app.gro.now/legal/gdp-policy; the Respondents Data Policy – a separate document governing the processing of personal data of individuals participating in surveys, tests, research, and other activities organized by Clients on the platform; the Cookie Policy https://app.gro.now/legal/cookie-policy; the Service Level Agreement (SLA) https://app.gro.now/legal/sla; the Research Policy https://app.gro.now/legal/research-policy; the Acceptable Use Policy (AUP) https://app.gro.now/legal/acceptable-use-policy.

1.4. In the event of a conflict between the terms of this Agreement and the terms of other documents, with respect to the processing of personal data, this Agreement shall prevail.

1.5. The applicable law for the purposes of this Agreement is the law of the Republic of Kazakhstan, unless otherwise expressly provided for in the Main Agreement.

2. Terms and Roles

  • 2.1. Platform – the gro.now software and hardware system, including web interfaces, mobile applications (app), backend services, AI-based analytics modules, data connectors, SDKs, and (if available) APIs, as well as related documentation.
  • 2.2. Operator / Controller – the Client, who independently determines the purposes and/or content of personal data processing and provides the Processor with instructions for their processing within the framework of the Main Agreement.
  • 2.3. Processor – Pwron LLP, the owner of the Platform, which processes personal data according to the instructions of the Operator (Controller) and in its interests.
  • 2.4. Sub-processor – a third party engaged by the Processor to perform specific personal data processing operations on behalf of the Processor and under conditions that ensure a level of protection no lower than that provided for in this Agreement.
  • 2.5. Personal Data (PD) – any information relating to a directly or indirectly identified natural person (Data Subject), including, but not limited to: identification data, contact data, service usage data, technical identifiers, respondent answers, and other categories described in Appendix 1.
  • 2.6. Processing – any action (operation) or set of actions with PD, including collection, recording, systematization, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction.
  • 2.7. Data Subject – a natural person to whom the PD relates (including employees and representatives of the Client, respondents, users of integrations, and other persons as specified in Appendix 1).
  • 2.8. Activity – any scenario of respondent participation on the gro.now platform, conducted on behalf of the Operator or by the Processor independently, including, but not limited to: research, tests, contests, prize draws, games, referral mechanics, and other forms of interaction.
  • 2.9. Respondent – a natural person participating in an Activity and providing their personal data in the course of participation.
  • 2.10. Operator's Instructions – documented (including electronic) instructions from the Operator to the Processor regarding the purposes, categories of PD, processing operations, retention periods, transfer, deletion, and other parameters. Instructions may be contained in the Main Agreement, account/project settings in gro.now, support requests, integration specifications, and other written communications.
  • 2.11. Security Incident (Personal Data Breach) — an event that has led or may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PD processed by the Processor.
  • 2.12. Technical and Organizational Measures (TOMs) – a set of PD protection measures applied by the Processor and listed in Appendix 2 or in a separate agreement with the Operator.
  • 2.13. Cross-Border Transfer — the transfer of PD to the territory of a foreign state, to servers or third parties located outside the jurisdiction defined by the Main Agreement, as well as remote access to PD from such a jurisdiction.
  • 2.14. Applicable Law — the legislation applicable to the relationship between the Parties under this Agreement, as defined in Section 1 and the User Agreement, including the local requirements of the Republic of Kazakhstan and other mandatory norms for cross-border processing.
  • 2.15. Confidential Information – any information of a Party, clearly designated as confidential or considered as such by its nature (including PD), disclosed to the other Party in connection with this Agreement.
  • 2.16. Aggregated/Anonymized Data — data processed in such a way that the Data Subject is not identified and is not identifiable, provided that anonymization procedures are followed; such data is not considered PD.
  • 2.17. Roles and Their Demarcation.
    a) The Processor acts exclusively as a processor with respect to PD processed according to the Operator's Instructions;
    b) With respect to PD that the Processor processes for its own purposes (e.g., accounting, infrastructure security, anti-fraud), the Processor acts as an independent operator/controller; such processing is governed by the Privacy Policy and is not covered by this Agreement;
    c) With respect to data received from external sources and integrations (e.g., SSO accounts, calendar slots, trackers), the Processor's role is determined by the Operator's Instructions and the description in Appendix 1; if integration providers have their own purposes, the latter act as independent operators.

3. Subject Matter of the DPA and Client's Instructions

  • 3.1. This Agreement defines the terms and procedure for the Processor's processing of personal data transferred to it by the Operator or collected by the Processor on behalf of the Operator in the course of providing the Platform's services, including conducting and supporting Activities.
  • 3.2. Processing is carried out exclusively to the extent and for the purposes determined by the Operator and documented in: (i) the User Agreement and its appendices; (ii) account/project settings, configurations of Activities and forms on the gro.now platform; (iii) technical specifications of integrations and APIs; (iv) written/electronic Instructions from the Operator transmitted through the platform's interface or official communication channels.

3.3. The Processor undertakes to:
(i) process PD only according to the Operator's Instructions, except in cases of mandatory processing by law;
(ii) not use PD for its own purposes unrelated to the performance of the Operator's instructions;
(iii) not disclose/transfer PD to third parties, except as expressly provided for in the DPA, the Main Agreement, or by law;
(iv) apply appropriate TOMs (see Appendix 2 or a separate agreement with the Operator).

3.4. If an Operator's Instruction, in the Processor's reasonable opinion, contradicts applicable PD law, the Processor shall immediately notify the Operator and suspend the execution of such Instruction until clarification.

3.5. When the Operator instructs the Processor to collect PD directly from Respondents (through forms and other Activity mechanics), the Processor acts as a technical intermediary providing the infrastructure for the collection, storage, routing, and visualization of data on behalf of the Operator. In this case, the Operator is obliged to:
(i) determine the purposes and legal bases for the processing of Respondents' data;
(ii) ensure proper information is provided to Respondents and the content of notifications;
(iii) use consent/notification texts and mechanics consistent with the Respondents' Personal Data Processing Policy.

3.6. The gro.now Platform may include automated functions (analytics, statistics, visualization, anti-fraud, integrity control), the use of which is entrusted to the Processor solely for the purpose of executing the Operator's Instructions and without expanding the purposes of processing.

3.7. The Processor may rely on Instructions recorded in the platform's electronic logs, Activity settings, integration parameters, and correspondence through official channels as valid written Instructions from the Operator.

3.8. Processor's Own Activities. If the Processor conducts an Activity independently (not on behalf of the Operator) for its own purposes, the Processor acts as an independent operator/controller; such processing is not covered by this DPA and is governed by the Privacy Policy and the Respondents' Personal Data Processing Policy. Within the framework of this DPA, the Processor does not pursue its own purposes when processing Respondents' PD on behalf of the Operator.

4. Categories of Data and Data Subjects

4.1. The Processor processes personal data transferred by the Operator or collected on its behalf, with respect to the following categories of data subjects:
a) Respondents – natural persons participating in Activities conducted on the Platform;
b) Employees and representatives of the Operator – persons who have access to the platform and are involved in managing Activities or processing data;
c) Users of integrations and external services (e.g., analytics systems, CRM, mailing services), if the data of such users is transferred to or synchronized with gro.now;
d) Other persons whose personal data may be included in the results of Activities or transferred by the Operator to the Processor (e.g., clients, partners, loyalty program participants).

4.2. The categories of personal data processed within the framework of this Agreement may include:
a) Identification data (name, surname, nickname, system ID, user account, e-mail, phone number, etc.);
b) Contact data (postal address, country, time zone, interface language, etc.);
c) Respondents' answers and content provided by them within Activities (e.g., text, numerical, audio, or visual data, attached files);
d) Technical data (IP addresses, device identifiers, cookie and SDK data, log data, browser data, referral source, date and time of activity);
e) Metadata on platform usage, including login history, actions, and changes in projects;
f) Data of the Operator's employees and representatives, transferred for the purposes of registration, authentication, administration, and account support;
g) Other categories of data defined in Appendix 1 and the Operator's Instructions.

4.3. With respect to data collected directly from Respondents, the Processor acts as a technical intermediary and does not determine the content or legality of the transferred data. The Operator is responsible for the legality of the purposes, completeness, and accuracy of such data.

4.4. The Operator is obliged not to transfer to the Processor personal data belonging to special categories (biometric, genetic, health data, political views, religious beliefs, etc.), unless their processing is provided for by the Main Agreement or a separate written consent of the Processor.

4.5. The Processor has the right to anonymize or aggregate personal data for the purposes of testing, performance analysis, and improving the quality of services, provided that such data does not allow for the identification of a specific data subject.

4.6. The list and description of the categories of personal data, as well as the corresponding data subjects and processing purposes, are provided in Appendix 1 to this Agreement.

5. Legal Bases on the Client's Side

5.1. Operator's Responsibility.

The Operator confirms and warrants that it has all the necessary legal bases for instructing the Processor to process personal data (contract, law, consent, legitimate interest, etc.), including the processing of Respondents' data within Activities.

5.2. Informing Data Subjects.

The Operator ensures proper and timely information is provided to Respondents and other data subjects about the purposes, scope, terms, recipients, cross-border transfer, rights of subjects, and the Processor's role as a processor. When using the Processor's materials (banner/notification templates), the Operator is responsible for their relevance and compliance with the specific Activity.

  • 5.3. Consents (where applicable). If the legal basis is consent, the Operator: a) obtains free, specific, informed, and unambiguous consent; b) documents the fact of obtaining and the possibility of withdrawal; c) ensures that the text of the consent is consistent with the Respondents' Personal Data Processing Policy and the terms of the specific Activity.
  • 5.4. Special Categories and 'Sensitive' Data. The transfer of special categories of data to the Processor (e.g., health data, biometrics) is permitted only with a corresponding basis and prior written agreement with the Processor. The Operator undertakes not to transfer such data by default.
  • 5.5. Minors. If an Activity involves the participation of minors, the Operator confirms the existence of the necessary legal bases and additional notifications/consents from legal representatives, as well as correct age verification (age-gating), if required.
  • 5.6. Integrations and Third-Party Sources. When connecting integrations (e.g., SSO providers, calendar/communication services, CRM, analytics), the Operator ensures the existence of a legal basis for transferring data to gro.now and proper notification of subjects about such transfers and recipients.
  • 5.7. Cross-Border Transfer. The Operator confirms the legality of the cross-border transfer of PD (including placement/access outside the Operator's jurisdiction) and, if necessary, the application of appropriate legal mechanisms (contractual clauses/standard provisions/other instruments), taking into account the requirements of applicable law.
  • 5.8. Minimization and Accuracy. The Operator undertakes to transfer to the Processor only the minimum necessary volume of PD, to ensure their accuracy and relevance, and to eliminate redundant or erroneous data.
  • 5.9. Legality of Activity Content. The Operator is responsible for the legality of the content of Activities, formulas, and questions, as well as for preventing the request of excessive or prohibited categories of data from Respondents.
  • 5.10. Documentation and DPIA. The Operator maintains the necessary records of processing, conducts a data protection impact assessment (DPIA) if necessary, and ensures the fulfillment of other controller obligations under applicable law.
  • 5.11. Requests from Subjects and Authorities. The Operator receives and validates initial requests from subjects and state authorities and sends to the Processor only valid and relevant instructions necessary for the execution of such requests with respect to the Processor's part.
  • 5.12. No Shifting of Responsibilities. Nothing in this Agreement shall be construed as transferring the Operator's responsibilities for choosing a legal basis, providing information, obtaining consents, assessing the lawfulness of Activities, or the content of requests to Respondents to the Processor.

6. Place and Mode of Processing; Cross-Border Transfer

6.1. Places of Processing.

The processing of PD under this Agreement is carried out by the Processor and/or its Sub-processors in the data centers and locations specified in Appendix 1 (description of processing) and Appendix 3 (list of Sub-processors). The actual locations may include the territory of the Republic of Kazakhstan and other jurisdictions if necessary for the provision of the gro.now platform services.

6.2. Remote Access.

Providing remote access to PD from another jurisdiction is a cross-border transfer within the meaning of clause 2.13. Such access is permitted strictly on a need-to-know basis and in compliance with the TOMs (Appendix 2 or a separate agreement with the Operator).

6.3. Triggers for Cross-Border Transfer. Cross-border transfer (including access) may occur during: a) hosting and backup; b) use of cloud Sub-processors (SaaS/PaaS/IaaS); c) incidents requiring escalation/support; d) connection of integrations according to the Operator's Instructions; e) activation of failover/DR mechanisms.

6.4. Legal Mechanisms. For each relevant transfer, the Processor ensures the existence of contractual guarantees and other mechanisms permitted by applicable law (including standard/modular provisions, additional obligations, assessment of law enforcement practices in the receiving country), and the Operator ensures the existence of a legal basis for the transfer with respect to its subjects (Sec. 5).

6.5. Restrictions of Local Law. If the mandatory requirements of the Operator's local law provide for special conditions/prohibitions on cross-border transfer, the Operator: a) notifies the Processor before the start of the relevant processing; b) specifies the necessary restrictions in the Instructions; c) if necessary, chooses a processing configuration without cross-border transfer or provides additional guarantees. The Processor shall assist where possible, taking into account technical feasibility.

6.6. Logging and Transparency. The Processor maintains internal records of processing and, upon the Operator's request, provides summarized information on the categories of transfers (type, purpose, recipients/jurisdictions) to a reasonably sufficient extent and without disclosing confidential security details.

6.7. Failover and Disaster Recovery. When failover and disaster recovery (DR) procedures are activated, PD may be temporarily processed in an alternative location. The Processor guarantees that such locations and providers are included in Appendix 3 or are provided with an equivalent level of protection and contractual guarantees comparable to the main environments.

6.8. Integrations and External Recipients. When activating integrations (SSO, calendar, communication, CRM, analytics, etc.), the Operator determines the geography and legal conditions for the transfer to the respective services. The Processor ensures the transfer/access to the extent of the Operator's Instructions and informs the Operator about the role of such providers as independent operators where they have their own processing purposes.

6.9. Requests from Government Authorities. In the event of receiving a mandatory request from a competent authority for access to PD, the Processor, if not prohibited by law, shall immediately notify the Operator and limit the provision of data to the minimum necessary volume, documenting the legal basis for the disclosure.

6.10. Prohibition of Unauthorized Routing. The Processor shall not carry out a cross-border transfer of PD to jurisdictions not specified in Appendices 1 and 3 without prior notification to the Operator, except where such a transfer is expressly required by law or is necessary for the immediate prevention or containment of a Security Incident; in such a case, notification shall be sent without undue delay.

7. Technical and Organizational Measures (TOMs)

  • 7.1. General Principle. The Processor applies a set of technical and organizational protection measures (hereinafter – TOMs) to ensure the confidentiality, integrity, availability, and resilience of personal data processed on the Platform, in accordance with the risks and scale of processing.
  • 7.2. Standards and Security Management. a) The Processor's PD protection system is built taking into account international and national standards (including ISO/IEC 27001, ISO/IEC 27018, NIST SP 800-53, and recommendations of the authorized bodies of the Republic of Kazakhstan). b) The Processor implements an information security policy that includes segregation of roles, access control, incident management, and data backup and recovery. c) The TOMs apply to the Processor's own infrastructure as well as to all Sub-processors engaged to perform processing operations.
  • 7.3. Access Control. a) Access for the Processor's employees and contractors is granted strictly on a 'need-to-know' basis. b) Multi-factor authentication (MFA) is required for all administrative accounts. c) All access is logged, and user actions are recorded in event logs stored in a secure environment. d) Access rights are reviewed regularly and revoked immediately upon termination of employment or change of role.
  • 7.4. Environment Separation and Change Management. a) The production environment is physically and logically isolated from the testing and development environments. b) All changes to code, infrastructure, and configurations undergo an internal approval and testing procedure, including a security analysis. c) Versioning, rollback, and change logging mechanisms are used.
  • 7.5. Monitoring and Incident Detection. a) The gro.now infrastructure is monitored for failures, unauthorized access attempts, and anomalous activity. b) An automatic alert system sends notifications to responsible specialists upon detection of critical events. c) All incidents are classified by their impact level and are documented in accordance with the response procedure (Section 9).
  • 7.6. Backup and Recovery. a) Backups are performed periodically at a set frequency, ensuring data recovery in case of accidents or loss. b) Backups are stored in encrypted form on separate media or in cloud environments with an equivalent level of protection. c) Recovery procedures are tested at least once a year.
  • 7.7. Minimization and Storage Limitation. a) The Processor ensures the minimization of the volume of processed data and storage periods in accordance with the Operator's Instructions. b) Upon expiration of the storage period, data is deleted or anonymized, including copies in backup storage (where technically possible), with the fact of deletion being documented.
  • 7.8. Physical Security. a) The data centers used by the Processor and Sub-processors are certified and equipped with access control systems, video surveillance, fire protection, and backup power supply. b) Physical access is permitted only to authorized personnel.
  • 7.9. Vulnerability Management and Security Testing. a) The Processor regularly performs vulnerability scans and conducts internal penetration tests. b) Discovered vulnerabilities are remediated within a reasonable time depending on their criticality. c) The Operator may request summarized information on the tests conducted and the measures implemented (without disclosing confidential architectural details).
  • 7.10. Personnel Training. Employees authorized to process PD undergo mandatory training on information security and confidentiality, including rules for handling data, responding to incidents, and complying with DPA procedures.
  • 7.11. Certificates and Audits. a) The Processor may confirm compliance with security measures through internal or external audits. b) Upon the Operator's request, the Processor shall provide current certificates and/or confirmations of independent reviews within reasonable limits.
  • 7.12. Description of Measures. A detailed list of the applied TOMs is provided in Appendix 2 to this Agreement or in a separate agreement with the Operator.

8. Sub-processors

  • 8.1. General Rule. The Processor may engage third parties (Sub-processors) to perform specific personal data processing operations on behalf of the Operator, provided that such persons ensure a level of personal data protection no lower than that established in this Agreement.
  • 8.2. Conditions for Engagement. Before engaging a Sub-processor, the Processor: a) assesses its reliability and its compliance with security and confidentiality requirements; b) enters into a contract with it containing provisions equivalent to the Processor's obligations under this DPA; c) ensures that it is included in the current list of Sub-processors (Appendix 3).
  • 8.3. Categories of Sub-processors. The Processor may engage Sub-processors for the following categories of services: a) hosting and cloud infrastructure (data centers, CDN, backup); b) analytics, monitoring, and event logging; c) authorization, authentication, and security systems (including SSO and MFA); d) notification, mailing, and communication services; e) technical support and disaster recovery; f) large language model (LLM) providers; g) integrations used on behalf of the Operator (e.g., CRM, analytics, marketing).
  • 8.4. Dynamic List Update.
    8.4.1. The list of current Sub-processors is posted by the Processor on the website or in the gro.now administrative panel and is updated as changes occur. The Processor shall notify the Operator in advance, at least 5 calendar days before engaging a new Sub-processor, except in the following situations, where immediate (without prior notice) or expedited notification is permitted: a) to prevent or contain a Security Incident, or to remediate a critical vulnerability; b) to ensure service continuity/DR (disaster recovery, failover) in the event of the sudden unavailability of the previous provider; c) an equivalent replacement of a Sub-processor with another having comparable functions, without expanding the purposes, scope, or territory of processing; d) to comply with mandatory requirements of law or a regulator; e) the Operator's activation of an optional function/integration in the administrative panel, if such a function by design requires the engagement of a specific Sub-processor.
    8.4.2. In cases a) to d), notification shall be sent as soon as possible, but no later than 72 hours from the moment of actual engagement. In case e), notification is deemed to have been given at the moment the function/integration is activated by the Operator (the interface indicates the Sub-processor).
  • 8.5. Right to Object.
    8.5.1. The Operator has the right to send a reasoned objection to a new Sub-processor: (i) in the ordinary course of business, within 5 calendar days from the moment of notification; (ii) in the cases provided for in para. 8.4 (expedited/immediate engagement), within 72 hours from the moment of notification.
    8.5.2. The Parties shall make a good faith effort to resolve the objection, including by: a) proposing an alternative Sub-processor; b) temporarily disabling the affected function/integration for the Operator; c) restricting or localizing the processing by territory or data categories.
    8.5.3. If a resolution is not possible, the Operator has the right to terminate the Main Agreement with respect to the relevant processing or to choose a plan/configuration without the disputed Sub-processor (if available).
  • 8.6. Processor's Liability. The Processor is fully liable to the Operator for the acts and omissions of the Sub-processors it engages to process PD, as for its own, including compliance with security and confidentiality requirements.
  • 8.7. Operator's Sub-processors. If the Operator independently connects third-party integrations or services (e.g., CRM, SSO, advertising platforms) through the gro.now interface, such persons are not considered Sub-processors of the Processor. In these cases, the Operator is responsible for complying with legal requirements and obtaining the consent of subjects for the transfer of data to such services.
  • 8.8. Sub-processing Outside the Jurisdiction. If a Sub-processor is located outside the Republic of Kazakhstan, the Processor guarantees that the transfer of PD to it is carried out with the appropriate legal bases and contractual guarantees (Section 6).
  • 8.9. Notifications and Transparency. Upon the Operator's request, the Processor shall provide summarized information about Sub-processors, including their name, country of location, category of services, and a link to their privacy policy.
  • 8.10. Current List. The current list of Sub-processors engaged by the Processor and the notification procedure are provided in Appendix 3 to this Agreement.