Data Processing Agreement

Last Updated: 02\05\2025

1. Introduction

1.1. Purpose of the Agreement
 This Data Processing Agreement ("Agreement") sets forth the terms and conditions under which TrekGuider Inc. ("Platform") processes personal data on behalf of its users (the "Data Controller"). The purpose of this Agreement is to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and all other applicable data protection laws and regulations worldwide.

1.2. Scope and Applicability
 This Agreement applies to all personal data that the Platform processes on behalf of users (Data Controllers), including but not limited to buyers, sellers, and other individuals whose data is processed in connection with the use of the TrekGuider Marketplace. It outlines the obligations, rights, and responsibilities related to data processing and protection.

2. Definitions

For the purpose of this Agreement, the following definitions apply:

2.1. Personal Data

Any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.

2.2. Data Controller

The entity that determines the purposes and means of processing personal data. In the context of this Agreement, the Data Controller is the user of the Platform who is responsible for the personal data they provide to be processed by the Data Processor.

2.3. Data Processor

The entity that processes personal data on behalf of the Data Controller. In the context of this Agreement, the Data Processor is TrekGuider Inc. ("Platform").

2.4. Data Subject

An identified or identifiable natural person whose personal data is processed. This includes, but is not limited to, buyers, sellers, and website visitors of the Marketplace.

2.5. Processing

Any operation or set of operations performed on personal data, including collection, storage, retrieval, transmission, or destruction.

2.6. Sub-Processor

A third party authorized by the Data Processor to process personal data on behalf of the Data Controller.

2.7. Supervisory Authority

An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; responsible for monitoring the application of data protection laws. For the purposes of this Agreement, this term refers to the competent data protection authority as defined under applicable data protection laws, such as the relevant authority under the GDPR or the CCPA/CPRA.

2.8. Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. This definition aligns with the definition of "personal data breach" as set forth in Article 4(12) of the GDPR and similar definitions in other applicable data protection laws.

3. Roles and Responsibilities

3.1. Data Controller's Responsibilities

 The Data Controller is responsible for:

·        Ensuring that personal data shared with the Platform is legally collected and processed in compliance with all applicable data protection laws.

·        Providing clear and informed consent from Data Subjects for the processing of their personal data, where applicable and required by law.

·        Determining the purposes and legal basis for which personal data is processed.

·        Responding to Data Subject requests related to their rights under applicable data protection laws, within the legally mandated timeframes.

·        Providing the Data Processor with all necessary information and documented instructions for processing personal data in accordance with applicable data protection laws and the terms of this Agreement.

·        Ensuring the lawfulness of the transfer of personal data to the Data Processor, including compliance with cross-border data transfer requirements.

3.2. Data Processor's Responsibilities

 The Platform, as the Data Processor, is responsible for:

·        Processing personal data only on documented instructions provided by the Data Controller and in accordance with this Agreement. If the Data Processor is required by Union or Member State law to act without such instructions, the Data Processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

·        Implementing and maintaining appropriate technical and organizational measures to ensure the security and confidentiality of personal data, as described in Section 5 of this Agreement.

·        Assisting the Data Controller in fulfilling its obligations under applicable data protection laws, including but not limited to:

o   Assisting with Data Subject access requests, rectification, erasure, restriction of processing, data portability, and objection to processing.

o   Assisting with data protection impact assessments (DPIAs), if required under applicable law.

o   Assisting with data breach notifications to supervisory authorities and Data Subjects, as required by applicable law.

o   Assisting with consultations with supervisory authorities, if required.

·        Ensuring that any Sub-Processors engaged are bound by written contractual obligations that are at least as protective as those set out in this Agreement, in accordance with Article 28(3) GDPR.

·        Maintaining records of processing activities as required by Article 30 GDPR (if GDPR is applicable to the processing).

·        Cooperating with supervisory authorities in audits and investigations related to the processing of personal data under this Agreement.

4. Data Processing

4.1. Purpose of Data Processing

 The Platform processes personal data on behalf of the Data Controller for the following purposes: providing the TrekGuider Marketplace services, facilitating transactions between buyers and sellers, personalizing user experience, providing customer support, sending administrative and service-related communications, and complying with legal obligations. These purposes are further described in detail in the Privacy Policy of the Marketplace.

4.2. Types of Personal Data Processed

 The types of personal data processed by the Platform under this Agreement may include, but are not limited to:
·        Contact information (e.g., name, email address, phone number, billing address, shipping address).
·        Transaction details (e.g., purchase history, payment data, product details, purchase dates).
·        User account data (e.g., username, password, profile details, communication preferences).
·        Usage data (e.g., IP address, browser type, device information, location data, website activity logs).

4.3. Categories of Data Subjects

 The personal data processed by the Platform concerns the following categories of Data Subjects:
·        Buyers (individuals purchasing digital products on the Marketplace).
·        Sellers (individuals and entities offering products for sale on the Marketplace).
·        Website visitors (individuals browsing the Marketplace website).

5. Data Security and Confidentiality

5.1. Security Measures

 The Platform shall implement and maintain appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. These measures shall be appropriate to the risk, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, but are not limited to:
·        Data Encryption: Implementation of encryption in transit (SSL/TLS) to protect personal data during transmission between the Data Controller and the Platform, and encryption at rest (AES-256 or similar industry-standard encryption) for personal data stored on the Platform's servers and databases.
·        Secure Access Controls: Implementation of role-based access control (RBAC) to restrict access to personal data to authorized personnel based on their job responsibilities. Use of multi-factor authentication (MFA) for privileged access to systems containing personal data. Enforcement of regular password changes and complexity requirements. Maintenance of comprehensive access logging and monitoring systems to detect and prevent unauthorized access attempts.
·        Regular Security Audits and Vulnerability Assessments: Conducting routine security audits, including independent penetration testing and vulnerability scanning, at least annually, to assess the effectiveness of security measures and identify potential vulnerabilities. Performing regular security assessments by internal and external security experts to ensure alignment with industry best practices and compliance standards.
·        Data Minimization and Pseudonymization: Adherence to the principle of data minimization by collecting and processing only the personal data that is strictly necessary for the specified purposes. Implementation of pseudonymization techniques where appropriate to process personal data in a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
·        Physical Security: Maintaining physically secure data centers and server infrastructure with restricted access, surveillance systems, and environmental controls.
·        Incident Response Plan: Maintaining a documented security incident management and breach response plan in place and regularly tested to effectively address and mitigate any data security incidents or breaches, including procedures for data breach notification as outlined in Section 8 of this Agreement.
·        Data Backup and Disaster Recovery: Regularly backing up personal data to ensure data integrity and availability in case of system failures or disasters. Maintaining a disaster recovery plan to ensure business continuity and data restoration capabilities.
·        Security Awareness Training: Providing regular security awareness training to all personnel with access to personal data to ensure they are aware of data protection obligations and security best practices. Data Controller Responsibilities: Data Controller is responsible for maintaining the confidentiality and security of their own account credentials and for using strong passwords. Data Controller agrees to notify the Data Processor immediately of any unauthorized access to or use of their account.
Users acknowledge that while these measures are designed to provide a high level of security, no security measures are completely impenetrable, and the Marketplace does not guarantee absolute and unqualified protection against all potential data breaches or security incidents.

5.2. Confidentiality Obligations

 The Platform will ensure that all personnel authorized to process personal data, including employees, agents, and Sub-Processors, are bound by legally enforceable confidentiality obligations. These obligations will continue even after the termination of their employment, engagement, or this Agreement. The Platform will ensure that access to personal data is limited to those personnel who need access to perform the processing services under this Agreement. No personal data will be shared with unauthorized third parties without the Data Controller's explicit prior written consent, unless legally compelled by Union or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall, to the extent permitted by that law, inform the Data Controller of that legal requirement before processing.

6. Sub-Processors

6.1. Use of Sub-Processors

 The Data Controller provides general authorization to the Data Processor to engage Sub-Processors to assist with the processing of personal data, subject to the conditions outlined in this Section 6. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Data Controller the opportunity to object to such changes.

6.2. List of Sub-Processors

 When engaging any Sub-Processor, the Data Processor shall:

·        Ensure that the Sub-Processor is capable of providing the level of data protection required by this Agreement and applicable data protection laws.

·        Enter into a written contract with the Sub-Processor that imposes on the Sub-Processor data protection obligations that are at least as protective as those incumbent on the Data Processor under this Agreement, in accordance with Article 28(3) GDPR.

·        Remain fully liable to the Data Controller for the performance of the Sub-Processor's obligations under its contract with the Data Processor.

6.3. List of Sub-Processors and Notification of Changes

The Platform engages third-party service providers (Sub-Processors) to support its operations, including payment processing, tax reporting, advertising, hosting, security, AI services, and social media integrations. Below is a list of current Sub-Processors used by the Platform, along with the services they provide and their locations:

Sub-Processor | Service Provided | Location
Google LLC | Advertising (Google Ads), AI services (including Gemini), reCAPTCHA security, Analytics, Google Maps API, Perspective API (Content Moderation) | USA
Stripe, Inc. | Payment processing | USA
Cloudflare, Inc. | Security, CDN, DDoS protection | USA
Hostinger International, Ltd. | Hosting and infrastructure services | Lithuania
OpenAI, Inc. | AI-based services and automation | USA
Meta Platforms, Inc. (Facebook, Instagram, WhatsApp) | Social media integrations (login, advertising, tracking) | USA
Twitter, Inc. (X Corp.) | Social media integrations (login, advertising, tracking) | USA
LinkedIn Corporation | Social media integrations (login, advertising) | USA

7. Data Subject Rights

7.1. Assistance with Data Subject Requests

 To the extent technically feasible and legally permissible, the Data Processor shall provide reasonable and timely assistance to the Data Controller in fulfilling its obligations to respond to Data Subjects' requests to exercise their rights under applicable data protection laws, including:
·        Right to Access: Data Processor will provide Data Controller with access to relevant personal data and processing logs in a structured, commonly used and machine-readable format upon request to facilitate Data Controller's response to Data Subject access requests.
·        Right to Rectification: Data Processor will implement necessary technical and organizational measures to allow Data Controller to rectify inaccurate or incomplete personal data directly within the Platform's systems or through designated support channels.
·        Right to Erasure ("Right to be Forgotten"): Data Processor will provide mechanisms for Data Controller to initiate the secure deletion of personal data within the Platform, subject to Data Processor's standard data retention policies and any overriding legal obligations to retain the data.
·        Right to Restriction of Processing: Data Processor will provide functionalities to enable Data Controller to restrict the processing of personal data in accordance with Data Subject requests, such as by suspending data processing activities for specific data subjects or purposes.
·        Right to Data Portability: Data Processor will, upon request, provide personal data to the Data Controller in a structured, commonly used and machine-readable format to enable Data Controller to transmit that data to another controller, where technically feasible and applicable under data protection law.
·        Right to Object: Data Processor will implement mechanisms to facilitate Data Subjects' rights to object to processing, such as by providing clear opt-out options for marketing communications and ensuring that Data Controller can effectively manage and respect Data Subjects' objections to certain processing activities.

7.2. Data Subject Requests Process

 Data Controllers are responsible for managing and responding to Data Subject requests directly. The Data Processor will provide reasonable cooperation and assistance to the Data Controller in fulfilling these requests in a timely manner and within the timeframes required by applicable law. The Data Controller shall be responsible for verifying the identity of Data Subjects making requests and for ensuring the lawfulness of any data processing restrictions or deletions implemented in response to Data Subject requests.

8. Data Breach Notification

8.1. Notification Obligations

 In the event of a Data Breach, the Platform shall notify the Data Controller without undue delay after becoming aware of the Data Breach. The notification shall be provided within 72 hours of the Data Processor becoming aware of the Data Breach, where feasible.

8.2. Cooperation with Data Controller

 The Data Breach notification shall include, at a minimum, to the extent such information is available to the Data Processor:
·        Description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned.
·        The likely consequences of the Data Breach.
·        A description of the measures taken or proposed to be taken by the Data Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
·        The name and contact details of the data protection officer or other contact point where more information can be obtained.

9. Data Retention

9.1. Retention Period

 The Platform will process personal data for the duration of the Agreement and will retain personal data only for as long as necessary to fulfill the documented processing purposes outlined in Section 4 of this Agreement and the Privacy Policy, or for such longer period as may be expressly required by applicable law.

9.2. Data Return or Deletion Procedure

Upon termination or expiration of this Agreement, or at the Data Controller’s documented written request, the Data Processor will, at the Data Controller’s documented choice, securely delete or return to the Data Controller all personal data in its possession, including all existing copies, within 60 days of the termination, expiration, or Data Controller’s request, unless Union or Member State law requires storage of the personal data. The return or deletion of data will be performed in a mutually agreed format, ensuring secure and complete data transfer or erasure. The Data Processor shall provide written confirmation to the Data Controller that the data deletion or return has been completed in accordance with this Section.

10. International Data Transfers

10.1. Transfers Outside of the EEA

If the Data Processor transfers personal data originating from the European Economic Area (EEA) to countries outside the EEA that have not been recognized as providing an adequate level of data protection under applicable data protection laws, the Data Processor will ensure that such transfers are made in compliance with applicable data protection laws. To ensure adequate safeguards for international data transfers, the Data Processor will rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third countries, Binding Corporate Rules (BCRs).

10.2. Transfers to the U.S.

The Platform may transfer personal data to servers and Sub-Processors located in the United States and other countries outside the EEA. Where data is transferred to the United States, the Data Processor will implement appropriate safeguards to protect personal data in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable laws, including by utilizing Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.

11. Amendments and Updates

11.1. Amendments and Updates

·        Marketplace Right to Amend: TrekGuider Inc. explicitly reserves the unilateral right to amend, revise, modify, or update this Policy, in whole or in part, at any time, for any reason, and at its sole and absolute discretion. This right includes, but is not limited to, the right to add, remove, or modify provisions, clauses, sections, or subsections of this Policy, and to introduce new policies, guidelines, or procedures at any time.
·        Immediate Effectiveness and Posting of Updated Policy: Any and all amendments, revisions, modifications, or updates to this Policy shall become effective immediately upon their posting on the TrekGuider Marketplace website, unless a specific future effective date is explicitly designated by the Marketplace in the updated Policy. The most current and controlling version of this Policy will always be the version posted on the Marketplace website.
·        User Notification of Significant Changes: While the Marketplace reserves the right to amend this Policy without prior notice, for substantive, material, or significant changes that, in the Marketplace’s sole discretion, may materially affect users' rights or obligations under this Policy, the Marketplace will endeavor to provide reasonable advance notification to users. Such notification may be provided via prominent posting of a notice on the Marketplace website, email communication to registered users, in-platform notifications, or other commercially reasonable means of communication, at the Marketplace’s sole discretion. However, the Marketplace provides no guarantee that users will receive actual or timely notice of all Policy amendments, and users remain solely responsible for periodically reviewing the Policy for updates.

11.2. Policy Review and Periodic Updates Schedule

To ensure the enduring currency, continued operational effectiveness, and unwavering legal compliance of this Policy, and to proactively reflect the dynamic evolution of applicable legal and regulatory mandates, as well as ongoing adaptations in the TrekGuider Marketplace's business operations, technological infrastructure, and prevailing industry best practices, this Policy shall be subject to a formalized, meticulously structured, and consistently implemented program of periodic review and updates, conducted according to the following comprehensive schedule and rigorously defined process:
·        Pre-Defined Triggers for Mandatory Policy Review: This Policy shall be automatically triggered for mandatory review and potential update on a pre-defined, recurring basis, and also on an ad-hoc, event-driven basis, specifically and immediately upon the occurrence of any of the following triggering events:
o   Material Amendments to Governing Laws and Regulations: Any substantive amendments, significant revisions, comprehensive overhauls, or superseding enactments of controlling international, federal, state, or local laws, statutes, ordinances, regulations, administrative rules, or legally binding judicial precedents, decrees, or governmental directives that may, in any demonstrable manner, materially impact the substantive content, legal interpretation, practical enforcement, or overall legal defensibility of this Policy, or that may impose new, modified, or expanded legal or regulatory obligations, liabilities, or compliance requirements upon the TrekGuider Marketplace, shall automatically trigger an immediate, prioritized, and comprehensive review of this Policy to ensure continued, unimpeachable legal compliance and alignment with the most current legal and regulatory landscape.
o   Substantial and Strategic Modifications to Core Business Model or Operational Practices: Any fundamental, strategic, or transformative changes, significant alterations, material expansions, or substantial evolutions in the TrekGuider Marketplace’s core business model, fundamental operational practices, primary service offerings, core technological infrastructure, principal data processing activities, key strategic partnerships, or other demonstrably material aspects of the Marketplace’s overarching operations, strategic direction, or business focus that may, in any reasonably foreseeable manner, necessitate substantive revisions, critical updates, or comprehensive re-evaluations of this Policy to ensure its continued accuracy, ongoing relevance, sustained operational effectiveness, and demonstrable alignment with the Marketplace’s current business practices, strategic imperatives, and evolving operational realities, shall automatically trigger a timely, thorough, and meticulously documented review of this Policy to guarantee its continued fitness for purpose and sustained practical applicability in the context of the Marketplace’s dynamically evolving operational environment.
·        Rigorous and Multi-Party Policy Review and Update Process: The comprehensive review and any subsequent updates, revisions, or amendments to this Policy shall be conducted through a formalized, multi-party, and demonstrably rigorous process, collaboratively led and jointly executed by the TrekGuider Inc. Founder, serving as the ultimate business and operational authority for the Marketplace platform, and qualified, experienced, and duly authorized legal counsel, possessing specialized expertise in internet law, e-commerce regulation, data privacy compliance, and online marketplace legal frameworks, thereby ensuring a demonstrably comprehensive, demonstrably legally informed, and demonstrably operationally pragmatic assessment of the Policy’s continued adequacy, sustained legal defensibility, and ongoing practical effectiveness. This meticulously structured and rigorously implemented Policy review and update process shall systematically encompass, without limitation, the following essential procedural components and substantive analytical elements:
o   Exhaustive Legal Compliance Review: Duly authorized and qualified legal counsel shall conduct a demonstrably exhaustive, meticulously documented, and demonstrably legally rigorous review of the entirety of this Policy, systematically assessing each and every provision, clause, and section of the Policy against the most current and comprehensively updated corpus of applicable international, federal, state, and local laws, statutes, ordinances, regulations, administrative rules, and legally binding judicial precedents, decrees, and governmental directives, meticulously identifying any and all areas, aspects, or provisions of the Policy that may, in counsel’s expert legal judgment, require substantive updates, revisions, or amendments to ensure the Policy’s continued, unimpeachable, and demonstrably robust legal compliance, sustained legal defensibility, and ongoing alignment with prevailing legal standards, regulatory expectations, and jurisprudential best practices.
o   Comprehensive Operational and Business Alignment Review: The TrekGuider Inc. Founder, possessing ultimate operational authority and comprehensive strategic oversight for the Marketplace platform, shall conduct a demonstrably comprehensive, meticulously documented, and demonstrably operationally focused review of the entirety of this Policy, systematically evaluating each and every provision, clause, and section of the Policy against the Marketplace’s most current and strategically updated core business model, fundamental operational practices, primary service offerings, core technological infrastructure, principal data processing activities, key strategic partnerships, and other demonstrably material aspects of the Marketplace’s overarching operations, strategic direction, and business focus, meticulously identifying any and all areas, aspects, or provisions of the Policy that may, in the Founder’s expert operational and strategic judgment, require substantive updates, revisions, or amendments to ensure the Policy’s continued accuracy, ongoing relevance, sustained operational effectiveness, and demonstrable practical applicability in the dynamically evolving context of the Marketplace’s day-to-day operations, strategic imperatives, and evolving business realities.
o   Meticulous Documentation and Version Control of Policy Amendments: Any and all substantive amendments, material revisions, comprehensive updates, or minor grammatical or stylistic edits to this Policy, resulting from the aforementioned rigorous and multi-party review process, shall be meticulously documented, comprehensively recorded, clearly version-controlled, and formally incorporated into the official, master Policy document, ensuring a complete, transparent, and readily auditable historical record of all modifications, revisions, and updates implemented over time. Each updated, revised, or amended iteration of the Policy shall prominently display a revised “Last Updated” date, conspicuously reflecting the precise date of the most recent substantive changes, thereby providing users with a readily accessible and easily verifiable mechanism for ascertaining the currentness and effective date of the governing Policy document.

12. Governing Law and Jurisdiction

12.1 This Agreement, and any and all disputes

This Agreement, and any and all disputes, controversies, claims, causes of action, or matters of any kind or nature whatsoever arising under, in connection with, or in relation to this Agreement, the processing of personal data hereunder, or the relationship between the parties, shall be exclusively, definitively, and comprehensively governed by, construed, interpreted, and enforced in accordance with the internal laws of the United States of America and the State of Delaware, without regard to or application of any choice of law principles, conflict of laws rules, or private international law doctrines. To the extent that the General Data Protection Regulation (GDPR) is applicable to the processing of personal data under this Agreement, the provisions of the GDPR shall be applied and interpreted in accordance with the laws of the State of Delaware, as the governing law of this Agreement. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this Agreement and is hereby expressly, explicitly, unequivocally, and irrevocably disclaimed and excluded in its entirety.
Any disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of Delaware, USA, except where GDPR mandates that disputes related to data protection be handled in the jurisdiction of the data subject's place of residence within the European Economic Area (EEA).

12.2. Dispute Resolution

Any disputes arising from or in connection with this Agreement, including disputes relating to its interpretation, validity, or termination, shall be resolved in accordance with the dispute resolution provisions outlined in the Terms and Conditions of the Marketplace. To the extent that GDPR applies, Data Subjects also have the right to lodge a complaint with a supervisory authority in the Member State of their habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him or her infringes the GDPR. Subject to applicable law, the courts located in Delaware shall have exclusive jurisdiction to adjudicate any disputes arising out of or in connection with this Agreement that are not resolved through the dispute resolution process outlined in the Terms and Conditions.

13. Liability and Indemnification

13.1. Liability of Data Processor

The Data Processor's liability under this Agreement shall be limited to direct damages actually proven by the Data Controller and shall not exceed a fixed amount of $1,000 USD in the aggregate for all claims, incidents, or series of connected claims arising under or related to this Agreement. To the maximum extent permitted by applicable law, in no event shall the Data Processor be liable for any indirect, incidental, consequential, special, or punitive damages, or any loss of profits, revenue, data, or use, even if the Data Processor has been advised of the possibility of such damages, except to the extent that such exclusion or limitation of liability is not permitted by applicable law.

13.2. Indemnification by Data Controller

The Data Controller shall indemnify, defend, and hold harmless the Data Processor, its affiliates, officers, directors, employees, consultants, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to any breach by the Data Controller of its obligations under this Agreement, or any violation by the Data Controller of applicable data protection laws in connection with the processing of personal data under this Agreement, except to the extent that such claims, liabilities, damages, losses, costs, and expenses are directly caused by the Data Processor's breach of this Agreement.

13.3. Indemnification by Data Processor

The Data Processor shall indemnify, defend, and hold harmless the Data Controller, its affiliates, officers, directors, employees, consultants, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to any breach by the Data Processor of its obligations under this Agreement, or any violation by the Data Processor of applicable data protection laws in connection with the processing of personal data under this Agreement. The Data Processor's indemnification obligations under this Section 13.3 shall be limited to direct damages and shall not extend to indirect, incidental, consequential, special, or punitive damages, except to the extent that such limitation is not permitted by applicable law.

14. Contact Information

For any questions regarding this Data Processing Agreement or to exercise your rights under data protection laws, please contact:

• Email: legal@trekguider.com
• Website Contact Form: https://trekguider.com/contact/

By using the TrekGuider Marketplace, you acknowledge that you have read, understood, and agree to the terms of this Data Processing Agreement.