Ezily Data Processing Agreement (DPA)

Effective Date: 18 November, 2025
Last Updated: 26 December, 2025

1. Purpose and Scope
   This Data Processing Agreement (“DPA”) forms part of the Service Agreement (“Agreement”) between Ezily Co., Ltd. (“Ezily” or “Processor”) and the Client (“Controller”). Ezily processes Client Data (as defined below), including but not limited to Personal Data, solely on behalf of Client in connection with the services described in the Agreement.
   
   Client is the Data Controller and Ezily is the Data Processor as defined under Taiwan’s PDPA and, where applicable, the GDPR.

2. Definitions

   Client Data: all data, content, or information submitted, transmitted, or made available by Client or its users, including but not limited to Personal Data but excluding internal system metadata, logs, or diagnostic information generated by Ezily.
   Personal Data: information relating to an identified or identifiable natural person.
   Processing: any operation performed on Client Data.
   Subprocessor: a third party engaged by Ezily to process Client Data.
   Aggregated Data: anonymized output derived from Client Data that cannot be used to identify Client or any Data Subject. Ezily may use such data for analytics, benchmarking, and future product improvements.

3. Controller Obligations
   Client represents and warrants that its instructions to Ezily comply with applicable laws and that Client is responsible for providing lawful notices and obtaining all required consents.

4. Processor Obligations
   Ezily shall:

   • Process Client Data only on documented instructions from Client;

   • Implement and maintain appropriate technical and organizational measures, and shall not materially reduce the overall level of protection;

   • Ensure confidentiality obligations for personnel with access to Client Data;

   • Notify Client without undue delay of any Personal Data breach and, in any case, no later than 72 hours;

   • Provide reasonable assistance to Client for compliance with applicable data protection laws, including responding to Data Subject Rights requests;

   Ezily will not be liable for any claim arising from (a) Ezily’s compliance with Client instructions, or (b) Client’s failure to comply with its obligations under applicable laws. Ezily may suspend processing if Client’s instructions are unlawful or violate LINE’s policies.

   
   

5. Subprocessors
   Client authorizes Ezily to use Subprocessors for hosting, infrastructure, and related services. Ezily shall:

   • Maintain a current list of Subprocessors upon request;

   • Notify Client of any intended changes;

   • Remain responsible for Subprocessor compliance.

   Client may object only on reasonable, lawful grounds. If Client objects to a new Subprocessor and the objection is not resolved within thirty (30) days, either Party may terminate the affected Services upon written notice.

   
   

6. International Transfers
   Ezily may perform international transfers as needed to provide the services, provided such transfers comply with PDPA and, where applicable, GDPR safeguards (e.g., contractual clauses or equivalent measures).
   
   Ezily shall not transfer Personal Data to jurisdictions prohibited by Taiwan authorities.
   
   

7. Data Subject Rights
   If Ezily receives a Data Subject Request directly, it will forward the request to Client without delay. Ezily shall provide reasonable assistance, at Client’s cost if applicable.
   
   

8. Security Measures

   Ezily shall implement appropriate security measures including:

   • Access controls and least-privilege principles

   • Encryption in transit and at rest (where applicable)

   • Regular backups and recovery mechanisms

   • Internal security and data protection policies and training

   
   

9. Retention and Deletion
   Upon termination of the Agreement, Client may request return of Client Data within 30 days. After this period, Ezily will delete or anonymize the data unless retention is required by law. Encrypted backups may be retained up to 90 days.
   
   

10. Aggregated Data
    Ezily may generate and retain Aggregated Data for analytics, benchmarking, and service improvement, provided such data cannot identify Client or any Data Subject.
    
    

11. Audit Rights

    Ezily will provide documentation necessary to demonstrate compliance with this DPA. Any audit initiated by Client must:

    • Be limited in scope and frequency, and conducted only as necessary to verify compliance;

    • Provide at least thirty (30) days’ prior written notice to Ezily,

    • Be conducted at Client’s sole cost and expense,

    • Occur during Ezily’s normal business hours, and

    • Not unreasonably disrupt Ezily’s operations or require access to systems or information unrelated to the Services.

    
    

12. Liability
    Each Party’s liability under this DPA is subject to the limitations in the Agreement.
    
    

13. Governing Law and Priority
    This DPA is governed by the laws specified in the Agreement. In case of conflict, this DPA prevails with respect to data protection matters.
    
    

14. Language
    This document is provided in both English and Chinese. In case of inconsistency, the English version controls.