Data Processing Agreement
Last updated: April 2026
Overview
All Partners who integrate the Mega Rewards platform and in doing so process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom are required to enter into a Data Processing Agreement (DPA) with Mega Rewards, LLC.
The following is the standard Mega Rewards Data Processing Agreement. It is incorporated by reference into the applicable Insertion Order or Services Agreement between the parties.
Data Processing Agreement
Between: Mega Rewards, LLC, a New York limited liability company with offices at 10 Winthrop St., Rochester, New York 14607 ("Processor", "Mega Rewards")
And: The Partner identified in the applicable Insertion Order or Services Agreement ("Controller")
Together referred to as the "Parties".
1. Definitions
"Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, and any other applicable national data protection legislation, as amended from time to time.
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-Processor", and "Supervisory Authority" have the meanings given to them in the GDPR.
"Services" means the rewards and promotions platform services provided by Mega Rewards to the Controller pursuant to the applicable agreement.
"Sub-Processor List" means the list of sub-processors maintained at trofeo.io/privacy-policy, as updated from time to time.
2. Scope and roles
2.1 This DPA applies to the Processing of Personal Data by Mega Rewards on behalf of the Controller in connection with the provision of the Services.
2.2 The Controller is the Data Controller and Mega Rewards is the Data Processor in respect of Personal Data processed under this DPA.
2.3 The details of the Processing activities covered by this DPA are set out in Annex A.
3. Controller's obligations
3.1 The Controller warrants and represents that:
- (a) It has a valid legal basis under Applicable Data Protection Law for each Processing activity described in Annex A;
- (b) It has provided all required notices and obtained all required consents from Data Subjects where necessary;
- (c) The instructions it gives to Mega Rewards comply with Applicable Data Protection Law;
- (d) It will inform Mega Rewards promptly if it becomes aware of any change that would affect Mega Rewards' ability to comply with this DPA.
4. Processor's obligations
4.1 Mega Rewards shall:
- (a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law;
- (b) Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations;
- (c) Implement appropriate technical and organisational measures as described in Annex B;
- (d) Not engage any Sub-Processor without prior written authorisation from the Controller, except as set out in clause 6;
- (e) Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures in fulfilling its obligations to respond to Data Subject requests;
- (f) Assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, data protection impact assessments);
- (g) At the choice of the Controller, delete or return all Personal Data upon termination of the Services, and delete existing copies unless retention is required by law;
- (h) Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
5. International transfers
5.1 Mega Rewards processes Personal Data on infrastructure located in the United States (AWS us-east-1).
5.2 Transfers of Personal Data from the EEA or UK to the United States are made on the basis of:
- (a) The EU-US Data Privacy Framework, to the extent the receiving organisation holds a current, active certification under the Framework; and
- (b) The Standard Contractual Clauses (EU Commission Decision 2021/914, Module Two: Controller to Processor), which are incorporated into this DPA by reference and deemed executed by the Parties upon signing this DPA.
5.3 In the event that either transfer mechanism becomes invalid or unavailable, the Parties shall cooperate in good faith to implement an alternative lawful transfer mechanism without undue delay.
6. Sub-processors
6.1 The Controller provides general written authorisation for Mega Rewards to engage the sub-processors listed in the Sub-Processor List at trofeo.io/privacy-policy at the time of entering into this DPA.
6.2 Mega Rewards shall notify the Controller at least 30 days in advance of any intended changes to the Sub-Processor List (additions or replacements). The Controller may reasonably object to a new sub-processor within 14 days of such notice by sending a written objection to privacy@trofeo.io. If the Parties cannot resolve the objection within 30 days, either Party may terminate the relevant Services on written notice.
6.3 Where Mega Rewards engages sub-processors, it shall impose data protection obligations on them equivalent to those set out in this DPA, and shall remain fully liable to the Controller for any failure by a sub-processor to meet those obligations.
7. Security
7.1 Mega Rewards shall implement and maintain the technical and organisational measures set out in Annex B, which the Parties agree provide an appropriate level of security given the nature and risks of the Processing.
7.2 Mega Rewards may update its security measures from time to time, provided that any updates do not materially reduce the level of protection afforded to the Personal Data.
8. Personal data breaches
8.1 Mega Rewards shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting data processed under this DPA.
8.2 Such notification shall include, to the extent available at the time: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
8.3 The Controller is responsible for notifying the relevant Supervisory Authority and affected Data Subjects in accordance with its obligations under Applicable Data Protection Law.
9. Data subject rights
9.1 Mega Rewards shall promptly forward to the Controller any Data Subject requests it receives relating to Personal Data processed under this DPA.
9.2 Mega Rewards shall not respond to Data Subject requests directly unless instructed to do so by the Controller or required by law.
9.3 Mega Rewards shall provide the Controller with reasonable assistance in responding to Data Subject requests, including technical assistance to locate, export, restrict, or delete Personal Data as requested.
10. Audits
10.1 Mega Rewards shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall permit and contribute to audits conducted by the Controller or its authorised auditor, provided that:
- (a) The Controller gives reasonable prior notice (minimum 30 days);
- (b) Audits take place during normal business hours and do not unreasonably disrupt Mega Rewards' operations;
- (c) Audits are conducted at the Controller's expense;
- (d) No more than one audit is conducted per 12-month period, unless required by a Supervisory Authority.
11. Term and termination
11.1 This DPA remains in force for the duration of the applicable Services agreement.
11.2 Upon termination or expiry of the Services agreement, Mega Rewards shall, at the Controller's election, delete or return all Personal Data within 60 days, except to the extent retention is required by applicable law.
12. Governing law
12.1 This DPA shall be governed by the laws of the State of New York, without prejudice to mandatory provisions of Applicable Data Protection Law (including the GDPR), which shall prevail in the event of conflict.
Annex A — Details of Processing
Annex B — Technical and Organisational Security Measures
Access control
- Role-based access controls; principle of least privilege
- Multi-factor authentication (MFA) required for access to production systems
- Regular access review and formal offboarding process for departing personnel
Encryption
- All data in transit encrypted via TLS 1.2 or higher
- Data at rest encrypted via AWS-managed encryption (AES-256)
Infrastructure security
- Production environment hosted on AWS with VPC isolation
- Network access controls restrict access to production systems to authorised traffic only
- Dependency vulnerability scanning integrated into development pipeline
Monitoring and incident response
- Error monitoring and alerting via dedicated tooling
- Defined incident response procedure including internal escalation and Controller notification without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach (clause 8.1)
- Audit logs maintained for access to production systems
Organisational measures
- Confidentiality obligations for all personnel with access to Personal Data
- Documented data retention and deletion procedures
- Regular review of security measures