Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Play2sell Tecnologia LTDA ("Processor") and the subscribing organization ("Controller") for the use of SalesOS services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1) and LGPD Article 5(I).
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (the subscribing organization).
  • "Processor" means Play2sell Tecnologia LTDA, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

2. Scope of Processing

The Processor shall process Personal Data only to the extent necessary to provide the SalesOS platform services, including:

  • User account management and authentication
  • Sales workflow execution and automation
  • Gamification scoring, missions, and leaderboard computation
  • Financial reward calculation and disbursement tracking
  • CRM data management (leads, contacts, opportunities)
  • Analytics and reporting
  • Communication delivery (notifications, alerts)

Categories of Data Subjects include: sales representatives, team managers, administrators, leads, and contacts managed within the Platform.

Types of Personal Data processed: name, email address, phone number, company affiliation, job title, location data, performance metrics, and engagement data.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments
  • At the Controller's choice, delete or return all Personal Data upon termination of services
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Security Measures

The Processor implements and maintains the following technical and organizational security measures:

4.1 Technical Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security (RLS) for multi-tenant data isolation
  • Role-based access control (RBAC) with capability-level permissions
  • Multi-factor authentication for administrative and privileged access
  • Automated vulnerability scanning and penetration testing
  • Encrypted database backups with point-in-time recovery capabilities
  • Network segmentation and firewall protections
  • Intrusion detection and prevention systems

4.2 Organizational Measures

  • Information security policies and procedures
  • Employee security awareness training
  • Incident response plan with defined escalation procedures
  • Regular access reviews and least-privilege principle enforcement
  • Vendor and sub-processor security assessments

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under GDPR and LGPD, including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure of Personal Data ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

The Processor shall notify the Controller without undue delay upon receiving a request from a Data Subject. The Processor shall not respond to such requests directly unless authorized by the Controller.

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach.

6. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall:

  • Maintain a current list of Sub-processors and make it available to the Controller upon request
  • Notify the Controller of any intended changes to Sub-processors at least 30 days in advance
  • Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
  • Remain fully liable for the acts and omissions of its Sub-processors

Current Sub-processors:

  • Supabase (AWS) -- Database hosting, authentication, and serverless functions (US/EU)
  • Vercel -- Application hosting and CDN (Global)
  • Auth0 (Okta) -- Identity and authentication services (US/EU)
  • Temporal.io -- Workflow orchestration (US)

7. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction. The Processor ensures that all international transfers comply with applicable data protection laws by relying on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR transfers)
  • Adequacy decisions, where applicable
  • Binding Corporate Rules, where applicable
  • Compliance with LGPD Chapter V regarding international data transfers

The Processor shall implement supplementary measures where necessary to ensure that the level of protection afforded to Personal Data is not undermined by the transfer.

8. Duration and Termination

This DPA shall remain in effect for the duration of the Processor's provision of Services to the Controller. Upon termination:

  • The Processor shall, at the Controller's election, delete or return all Personal Data within 90 days
  • The Processor shall provide certification of deletion upon request
  • Obligations relating to confidentiality and security shall survive termination

9. Contact Information

For questions or to execute this DPA, please contact:

Play2sell Tecnologia LTDA
Data Protection Officer
Email: dpo@play2sell.com
Website: https://play2sell.com
