
Data Processing Agreement

Effective Date: April 2, 2026

This Data Processing Agreement (DPA) outlines how RunPayway™ processes Personal Data on behalf of enterprise customers in compliance with applicable data protection laws.

PeopleStar Enterprises, INC. · Orange County, California, USA

1. Definitions

"Controller" means the entity that determines the purposes and means of Processing Personal Data — the Customer.

"Processor" means the entity that Processes Personal Data on behalf of the Controller — PeopleStar Enterprises, INC. (RunPayway™).

"Personal Data" means any information relating to an identified or identifiable natural person, as provided by the Customer through the RunPayway™ platform.

"Processing" means any operation performed on Personal Data, including collection, storage, use, scoring, and deletion.

"Sub-processor" means any third party engaged by the Processor to Process Personal Data.

2. Scope of Processing

RunPayway™ processes the following categories of Personal Data: assessment inputs (structural income dimensions), email addresses, assessment titles, and industry sector classifications.

Processing is performed solely for the purpose of generating the Income Stability Score™, full reports, and Dashboard functionality.

No financial account data, bank credentials, credit data, or transaction history is collected or processed.

All scoring is deterministic under Model RP-2.0. No Personal Data is used for model training, profiling, or automated decision-making beyond the assessment itself.

3. Obligations of the Processor

Process Personal Data only on documented instructions from the Controller, unless required by law.

Ensure that persons authorized to Process Personal Data have committed to confidentiality.

Implement appropriate technical and organizational security measures, including encrypted data transmission and secure processing.

Not engage another Processor without prior written authorization of the Controller.

Assist the Controller in responding to data subject access, rectification, erasure, and portability requests.

Delete or return all Personal Data at the end of the service relationship, at the Controller's choice.

Make available to the Controller all information necessary to demonstrate compliance.

4. Sub-processors

RunPayway™ uses the following sub-processors: Stripe (payment processing), Resend (email delivery), Cloudflare (CDN and worker functions), GoDaddy (hosting).

The Controller is notified of any intended changes to sub-processors and may object within 30 days.

Each sub-processor is bound by data protection obligations no less protective than those in this agreement.

5. Data Security

All data in transit is encrypted using TLS 1.2 or higher.

Assessment records include SHA-256 integrity hashes for tamper detection.

Access to Personal Data is limited to authorized personnel on a need-to-know basis.

The platform does not store passwords. Monitoring Portal authentication uses email and a hashed 4-digit PIN.

No Personal Data is sold, rented, or shared with third parties for marketing purposes.

6. Data Subject Rights

Data subjects may request access to, rectification of, or deletion of their Personal Data at any time.

These rights include, where applicable under GDPR: access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection (Article 21).

Requests can be submitted through the RunPayway™ privacy request form or by email at privacy@peoplestar.com.

RunPayway™ will respond to data subject requests within 30 days.

7. Data Retention

Assessment records are retained for the duration of the service relationship plus 12 months, unless deletion is requested earlier.

Monitoring session data is retained for the duration of the subscription period plus 90 days.

Audit logs are retained for 24 months for compliance purposes.

8. International Transfers

Personal Data is processed and stored in the United States.

For transfers outside the United States, appropriate safeguards are implemented in accordance with applicable data protection laws.

9. Breach Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.

Notification will include the nature of the breach, categories of data affected, and measures taken to address the breach.

10. Governing Law

This Data Processing Agreement is governed by the laws of the State of California, United States.

For enterprise customers subject to GDPR, the Standard Contractual Clauses (SCCs) are incorporated by reference.

11. Compliance Framework Alignment

RunPayway™ security and data protection practices are designed to align with SOC 2 Type II Trust Services Criteria and the ISO 27001 Information Security Management System framework.

For enterprise customers subject to GDPR, this DPA is intended to satisfy the requirements of Article 28 (Processor obligations).

Framework alignment does not constitute formal certification. RunPayway™ will notify enterprise customers as formal audit milestones are achieved.

For enterprise inquiries or to execute this agreement, contact us through our contact page.

RunPayway™ is a product of PeopleStar Enterprises, INC. Model RP-2.0. This document is provided for informational purposes and does not constitute legal advice.

Contact Us for Data Protection Inquiries

For any data protection requests or concerns, please reach out through the RunPayway™ contact form or by email at privacy@peoplestar.com.


Income Stability Score™ · Powered by Structural Stability Model RP-2.0