Ezily Data Processing Agreement (DPA)
Effective Date: 18 November, 2025
Last Updated: 18 November, 2025
Purpose and Scope
This Data Processing Agreement (“DPA”) forms part of the Service Agreement (“Agreement”) between Ezily Co., Ltd. (“Ezily” or “Processor”) and the Client (“Controller”). Ezily processes Personal Data solely on behalf of Client in connection with the services described in the Agreement.
Client is the Data Controller and Ezily is the Data Processor as defined under Taiwan’s PDPA and, where applicable, the GDPR.
Definitions
Personal Data: information relating to an identified or identifiable natural person.
Processing: any operation performed on Personal Data.
Subprocessor: a third party engaged by Ezily to process Personal Data.
Aggregated Data: de-identified or anonymized data that cannot identify Client or any Data Subject.
Controller Obligations
Client represents and warrants that its instructions to Ezily comply with applicable laws and that Client is responsible for providing lawful notices and obtaining all required consents.
Processor Obligations
Ezily shall:Process Personal Data only on documented instructions from Client;
Implement and maintain appropriate technical and organizational measures, and shall not materially reduce the overall level of protection;
Ensure confidentiality obligations for personnel with access to Personal Data;
Notify Client without undue delay of any Personal Data breach (where feasible, within 72 hours);
Provide reasonable assistance to Client for compliance with applicable data protection laws, including responding to Data Subject Rights requests;
Ezily may suspend processing if Client’s instructions are unlawful or violate LINE’s policies.
Subprocessors
Client authorizes Ezily to use Subprocessors for hosting, infrastructure, and related services. Ezily shall:Maintain a current list of Subprocessors upon request;
Notify Client of any intended changes;
Remain responsible for Subprocessor compliance.
Client may object only on reasonable, lawful grounds.
International Transfers
Ezily may perform international transfers as needed to provide the services, provided such transfers comply with PDPA and, where applicable, GDPR safeguards (e.g., contractual clauses or equivalent measures).
Ezily shall not transfer Personal Data to jurisdictions prohibited by Taiwan authorities.Data Subject Rights
If Ezily receives a Data Subject Request directly, it will forward the request to Client without delay. Ezily shall provide reasonable assistance, at Client’s cost if applicable.Security Measures
Ezily shall implement appropriate security measures including:
Access controls and least-privilege principles
Encryption in transit and at rest (where applicable)
Regular backups and recovery mechanisms
Internal security and data protection policies and training
Retention and Deletion
Upon termination of the Agreement, Client may request return of Personal Data within 30 days. After this period, Ezily will delete or anonymize the data unless retention is required by law. Encrypted backups may be retained up to 90 days.Aggregated Data
Ezily may generate and retain Aggregated Data for analytics, benchmarking, and service improvement, provided such data cannot identify Client or any Data Subject.Audit Rights
Ezily will provide documentation necessary to demonstrate compliance. Any audit must:
Be limited in scope and frequency,
Provide at least 30 days’ advance notice,
Occur during normal business hours, and
Not unreasonably disrupt Ezily’s operations.
Liability
Each Party’s liability under this DPA is subject to the limitations in the Agreement.Governing Law and Priority
This DPA is governed by the laws specified in the Agreement. In case of conflict, this DPA prevails with respect to data protection matters.Language
This document is provided in both English and Chinese. In case of inconsistency, the English version controls.