Data Processing Addendum (DPA)

Effective Date: December 5, 2025
Last Updated: December 5, 2025

1. Introduction and Scope

1.1 Purpose

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller," or "you") and PANARCHIA LLC ("Processor," "we," "us," or "our") and governs the processing of Personal Data in connection with the Song Vitals service.

1.2 Applicability

This DPA applies when Song Vitals processes Personal Data on behalf of the Customer, particularly when the Customer is subject to data protection laws such as:

  • European Union General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • UK Data Protection Act 2018
  • Other applicable data protection and privacy laws

1.3 Definitions

Capitalized terms not defined in this DPA have the meanings given in the GDPR or applicable data protection laws:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection

2. Roles and Responsibilities

2.1 Data Controller

The Customer acts as the Data Controller and is responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring a lawful basis for processing exists
  • Providing required notices to Data Subjects
  • Obtaining necessary consents from Data Subjects
  • Ensuring Personal Data provided to Song Vitals is accurate and lawfully collected
  • Complying with Data Subject rights requests

2.2 Data Processor

PANARCHIA LLC acts as the Data Processor and will:

  • Process Personal Data only on documented instructions from the Customer
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in fulfilling Data Subject rights requests
  • Assist the Customer in meeting data protection compliance obligations
  • Delete or return Personal Data upon termination of services
  • Maintain records of processing activities

3. Data Processing Details

3.1 Nature and Purpose of Processing

PANARCHIA LLC processes Personal Data to provide the Song Vitals service, which includes:

  • Analyzing audio files, lyrics, and creative content
  • Processing social media profile data and public content
  • Generating insights reports and analytics
  • Storing and managing user accounts
  • Processing payments and billing information
  • Providing customer support
  • Improving our algorithms and services through internal research

3.2 Types of Personal Data

The Personal Data processed may include:

  • Account Data: Name, email address, username, password (hashed)
  • Profile Data: Artist name, bio, profile images, social media handles
  • Content Data: Audio files, lyrics, images, videos, annotations
  • Social Media Data: Public profile information, posts, engagement metrics
  • Usage Data: IP address, device information, browsing behavior, feature usage
  • Payment Data: Billing address (payment card details are processed by third-party payment processors)
  • Communications Data: Support messages, feedback, inquiries

3.3 Categories of Data Subjects

Data Subjects may include:

  • Individual music creators and artists
  • Employees or representatives of business customers
  • Collaborators and team members
  • Individuals featured in uploaded content

3.4 Duration of Processing

Personal Data will be processed for the duration of the service agreement and retained according to our data retention policies as outlined in our Privacy Policy, unless longer retention is required by law.

4. Customer Instructions

4.1 Processing Instructions

PANARCHIA LLC will process Personal Data only in accordance with the Customer's documented instructions, which include:

  • The Terms of Service and this DPA
  • The Customer's use of the Song Vitals platform and features
  • Any other written instructions provided by the Customer that are accepted by PANARCHIA LLC

4.2 Unlawful Instructions

If PANARCHIA LLC believes that any instruction from the Customer would violate applicable Data Protection Laws, we will promptly inform the Customer and may refuse to carry out the instruction.

5. Security Measures

5.1 Technical and Organizational Measures

PANARCHIA LLC implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

  • Encryption of data in transit using TLS/SSL protocols
  • Encryption of data at rest using AES-256 encryption
  • Secure authentication mechanisms and password hashing
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure backup and disaster recovery procedures
  • Network security controls and firewalls

Organizational Measures:

  • Access controls limiting personnel access to Personal Data on a need-to-know basis
  • Confidentiality agreements with employees and contractors
  • Employee training on data protection and security
  • Incident response and breach notification procedures
  • Regular review and update of security measures
  • Vendor management and due diligence for Sub-processors

5.2 Security Documentation

Upon reasonable request and subject to confidentiality obligations, PANARCHIA LLC will provide information about our security measures to demonstrate compliance with this DPA.

6. Sub-processors

6.1 Authorized Sub-processors

The Customer authorizes PANARCHIA LLC to engage Sub-processors to process Personal Data. Current Sub-processors include:

Sub-processor | Service | Location
Amazon Web Services (AWS) | Cloud hosting and storage | United States
Stripe, Inc. | Payment processing | United States
Google LLC | Analytics and authentication | United States

Note: This list is current as of the effective date and may be updated. See Section 6.3 for notification procedures.

6.2 Sub-processor Obligations

PANARCHIA LLC will:

  • Enter into written agreements with Sub-processors imposing data protection obligations equivalent to those in this DPA
  • Ensure Sub-processors implement appropriate security measures
  • Remain fully liable to the Customer for the performance of Sub-processors
  • Conduct due diligence on Sub-processors before engagement

6.3 Changes to Sub-processors

PANARCHIA LLC will provide at least 30 days' notice before adding or replacing Sub-processors by:

  • Updating our Sub-processor list at https://songvitals.com/legal/subprocessors
  • Sending email notification to customers who have subscribed to updates

If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer may terminate the affected services by providing written notice within 30 days.

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

PANARCHIA LLC will, to the extent legally permitted, promptly notify the Customer if we receive a request from a Data Subject to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection).

7.2 Customer Responsibility

The Customer is responsible for responding to Data Subject requests. PANARCHIA LLC will provide reasonable assistance to help the Customer fulfill such requests, including:

  • Providing tools for the Customer to access, export, and delete Personal Data
  • Responding to reasonable requests for information about our processing activities
  • Implementing technical measures to facilitate Data Subject rights

7.3 Fees for Assistance

If assistance requires significant additional effort beyond our standard platform features, PANARCHIA LLC may charge reasonable fees based on our then-current professional services rates.

8. Data Breach Notification

8.1 Notification Obligation

PANARCHIA LLC will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Customer's data.

8.2 Breach Information

The notification will include, to the extent known:

  • Nature of the breach, including categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm
  • Contact point for further information

8.3 Cooperation

PANARCHIA LLC will cooperate with the Customer and provide reasonable assistance in investigating and remediating the breach, and in fulfilling any obligations to notify Data Subjects or regulatory authorities.

9. Data Protection Impact Assessments and Audits

9.1 DPIA Assistance

PANARCHIA LLC will provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) when required by Data Protection Laws, including providing information about our processing activities and security measures.

9.2 Audit Rights

PANARCHIA LLC will make available to the Customer information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Customer or an independent auditor mandated by the Customer, subject to:

  • Reasonable advance notice (at least 30 days)
  • Execution of a confidentiality agreement
  • Conducting audits during normal business hours
  • Not disrupting our operations or other customers
  • Limiting audits to once per year unless required by law or following a breach

9.3 Audit Costs

The Customer is responsible for all costs associated with audits. PANARCHIA LLC may charge reasonable fees for time and resources required to facilitate audits beyond providing standard documentation.

10. International Data Transfers

10.1 Transfer Mechanisms

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) or the Customer's jurisdiction. PANARCHIA LLC ensures such transfers comply with Data Protection Laws through appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission or other regulatory authorities
  • Other legally recognized transfer mechanisms

10.2 Standard Contractual Clauses

To the extent required by Data Protection Laws, the parties agree to execute the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 (available at https://songvitals.com/legal/scc).

10.3 Additional Safeguards

PANARCHIA LLC implements supplementary measures to ensure adequate protection for international transfers, including encryption, access controls, and contractual protections with Sub-processors.

11. Data Retention and Deletion

11.1 Retention Period

PANARCHIA LLC will retain Personal Data only for as long as necessary to provide the Service and fulfill the purposes described in our Privacy Policy, unless a longer retention period is required or permitted by law.

11.2 Deletion Upon Termination

Upon termination of the service agreement, PANARCHIA LLC will, at the Customer's choice:

  • Delete all Personal Data within 90 days, or
  • Return Personal Data to the Customer in a commonly used format within 30 days

Exceptions: We may retain Personal Data to the extent required by applicable law or for legitimate business purposes (e.g., dispute resolution, legal compliance, fraud prevention).

11.3 Certification of Deletion

Upon request, PANARCHIA LLC will provide written certification that Personal Data has been deleted in accordance with this DPA.

12. Confidentiality

PANARCHIA LLC ensures that all personnel authorized to process Personal Data:

  • Are subject to confidentiality obligations (contractual or statutory)
  • Receive appropriate training on data protection
  • Access Personal Data only on a need-to-know basis
  • Are aware of the sensitive nature of Personal Data and their obligations

13. Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for:

  • Violations of Data Protection Laws
  • Gross negligence or willful misconduct
  • Fraud or fraudulent misrepresentation
  • Matters that cannot be limited by applicable law

14. Term and Termination

14.1 Term

This DPA takes effect on the effective date and continues for as long as PANARCHIA LLC processes Personal Data on behalf of the Customer.

14.2 Survival

Sections relating to confidentiality, data deletion, limitation of liability, and dispute resolution survive termination of this DPA.

15. Governing Law and Jurisdiction

This DPA is governed by the same law and jurisdiction provisions as the Terms of Service. For customers subject to GDPR, this DPA is also governed by the data protection laws of the European Union.

16. Amendments

PANARCHIA LLC may update this DPA from time to time to reflect changes in Data Protection Laws or our processing activities. Material changes will be communicated to customers with at least 30 days' notice. Continued use of the Service after changes take effect constitutes acceptance of the updated DPA.

17. Order of Precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters. In the event of conflict between this DPA and Standard Contractual Clauses, the Standard Contractual Clauses prevail.

18. Contact Information

For questions about this DPA or data processing practices, please contact:

PANARCHIA LLC

Data Protection Officer

Email: dpo@songvitals.com

Website: https://songvitals.com

For EU-specific inquiries: eu-dpo@songvitals.com

DPA Summary

This Data Processing Addendum governs how PANARCHIA LLC processes Personal Data on behalf of customers using Song Vitals. We act as a Data Processor, implementing appropriate security measures, using authorized Sub-processors, assisting with Data Subject rights, and ensuring compliance with applicable data protection laws including GDPR and CCPA. For detailed information about our data practices, please also review our Privacy Policy.