Payout Rules

These rules (the “Payout Rules”), in addition to the Terms and Conditions found in https://pdax.ph/terms-and-conditions, and all rules and policies incorporated therein by reference, shall govern your relationship with PDAX when creating, accessing, and using your PDAX Account for Payout Services (as defined in these Payout Rules).

These Payout Rules are deemed an addition to, and incorporated into the Terms and Conditions. In case of conflict between the Terms and Conditions and these Payout Rules, these Payout Rules shall govern the activities and services considered as and related to the Payout Services.

I. PAYOUT SERVICES AGREEMENT

1. DEFINITIONS

The capitalized terms used herein which are defined in the Terms and Conditions, shall have the respective meanings assigned to them in the Terms and Conditions except as otherwise provided herein or unless the context otherwise requires. In addition to the definitions in the Terms and Conditions, the following definitions apply:

a. Authorized Person refers to a person who is authorized by the User to send instructions to PDAX, on its behalf, in relation to Payout Services..

b. Beneficiary refers to a specific recipient, as designated by the User or the Authorized Person, for whose benefit the User avails of the Payout Services under the Terms and Conditions and these Payout Rules.

c. Beneficiary Account refers to a Fiat Currency account owned or controlled by the Beneficiary, whether opened with PDAX or a third-party institution.

d. Beneficiary Wallet refers to a Digital Asset wallet, owned or controlled by the Beneficiary, whether opened with PDAX or a third-party institution.

e. Conversion refers to the conversion by PDAX of Digital Assets into Fiat Currency solely for the purpose of performing Payout Services.

f. Payout Services refers to the Service, other than Services related to Remittance Activities as defined in the Remittance Rules, made available through the PDAX Platform where the User or any Authorized Person requests PDAX to transfer from the User’s PDAX Account Fiat Currency to a Beneficiary Account or Digital Assets to a Beneficiary Wallet.

g. Remittance Rules refer to the rules found in https://pdax.ph/remittance-rules, or wherever it may be transferred in the future with due notice to the User.

h. User Instruction refers to the instructions from the User or the Authorized Person addressed to PDAX in relation to the Conversion, as applicable, and Payout Service, containing the relevant details and amounts.

2. GENERAL POLICY

These Payout Rules govern your and the Authorized Person’s access and usage of the PDAX Platform and the User’s PDAX Account for the Payout Service, including Conversion. PDAX may, at its sole and absolute discretion, give you the permission to use the PDAX Platform in relation to Payout Services offered by PDAX (“PDAX Permission”). PDAX Permission, if any, shall be duly communicated to you in writing (email is sufficient) and shall contain the permission duration, technical and operational controls and procedures (as may be necessary) and additional terms and conditions duly agreed upon by you and PDAX. If PDAX Permission is given, any and all provisions in the Terms and Conditions referring to PDAX Account amount limits and other limitations, and explicitly covered provisions hereunder shall hereby be superseded by these Payout Rules and the PDAX Permission. Unless otherwise stated in the PDAX Permission, the Fiat Currency covered by these Rules shall be in Philippine Pesos.

PDAX may promulgate operational guidelines to govern the Payout Service, including the Conversion and related activities, from time to time, which shall be deemed incorporated into, and shall form part of, these Payout Rules. Such additional technical and operational guidelines or any revisions to the PDAX Permission shall be governed by Section 3 (Amendments and Revisions) of the Terms and Conditions and any separate written amendments to the PDAX Permission.

3. PAYOUT SERVICES

To avail of the Payout Services, the User agrees to be fully and wholly bound by the PDAX Terms and Conditions, the Privacy Policy, these Payout Rules, and any applicable PDAX Platform Rules. In addition, the User represents and warrants that before any User Instruction is sent to PDAX (i) the relevant User PDAX Account has sufficient amount of Fiat Currency or Digital Assets to enable PDAX to perform the Conversion, as applicable, and the Payout Service, inclusive of all charges and fees (if already known to the User) and (ii) the Beneficiary Wallet or the Beneficiary Account is valid and operational, and without existing restrictions which may affect the Payout Service.

You understand that PDAX may, at its sole and absolute discretion without any notice obligation or liability to you or the Beneficiary, disallow the usage of the PDAX Platform or availment of Services, if such violates the PDAX Terms and Conditions, the Privacy Policy, these Payout Rules, applicable PDAX Platform Rules, and Applicable Laws and Rules.

3.1. Fiat Currency Payout

a. The User or its Authorized Person shall send a User Instruction, in a form approved by PDAX, through PDAX Access Channels or any official means of communication as approved by PDAX in writing (email is sufficient). The User Instruction shall contain all the relevant details relating to the Payout Services and, at the minimum, shall include:

• User’s PDAX username;
• Beneficiary’s Unique ID (if available);
• Beneficiary Account name;
• Beneficiary Account number;
• Name of the licensed bank, electronic money issuer, or other financial institution which hosts the Beneficiary Account;
• Beneficiary’s address; and
• amount of Fiat Currency to be credited to the Beneficiary Account.

Depending on the amount to be transferred to the Beneficiary Account, PDAX may require the User to submit additional information or documents, as may be necessary. The User understands that failure to disclose all the information required in this Section 3.1(a) may lead PDAX to disallow the Payout Service.

b. Once PDAX receives the User Instruction, PDAX shall implement the User Instructions to be the full and complete instruction of the User, and shall proceed with the Conversion and Payout as instructed.

c. When necessary, before proceeding with the actual transfer from the User’s PDAX Account to the Beneficiary Account, PDAX has the option to send a list of the transfers to be made (“Transaction List”) to the User or the Authorized Person for final confirmation.

If there are any errors or inaccurate details in the Transaction List, the User or the Authorized Person must not confirm the Transaction List. The User or the Authorized Person must raise such errors or inaccuracies to PDAX for rectification.

Once the User or the Authorized Person approves the Transaction List, PDAX shall consider the Transaction List (as supplemented by the User Instruction) to be the full and complete instruction of the User, and shall proceed with the Conversion and Payout.

d. The User shall be liable for all errors or inaccurate details in the User Instruction or approved Transaction List, and shall hold PDAX free and harmless from any and all claims, disputes, settlements, damages, losses, expenses and costs (including legal costs, and transfer costs and charges) caused by any untrue, incomplete, or inaccurate information, and data in the approved Transaction List.

e. Once the Fiat Currency has been transferred, PDAX shall send the details of the transactions with Fiat Currency amount transferred and a transaction identification to the User or the Authorized Person.

3.2. Digital Asset Payout

a. The User shall only be able to send Digital Assets to a Beneficiary Wallet created and maintained in the PDAX Platform.

b. The User or its Authorized Person shall send a User Instruction, in a form approved by PDAX through PDAX Access Channels or any official means of communication as approved by PDAX in writing (email is sufficient). The User Instruction shall contain all the relevant details relating to the Payout Services and, at the minimum, shall include:

• User’s PDAX Username;
• Beneficiary’s PDAX Username;
• Beneficiary Wallet details;
• amount and type of Digital Assets to be credited to the Beneficiary Wallet.

c. Once PDAX receives the User Instruction, PDAX shall implement the User Instructions to be the full and complete instruction of the User, and shall proceed with the Conversion and Payout as instructed.

d. When necessary, before proceeding with the actual transfer from the User’s PDAX Account to the Beneficiary Account, PDAX has the option to send a list of the transfers to be made (“Transaction List”) to the User or the Authorized Person for final confirmation.

If there are any errors or inaccurate details in the Transaction List, the User or the Authorized Person must not confirm the Transaction List. The User or the Authorized Person must raise such errors or inaccuracies to PDAX for rectification.

Once the User or the Authorized Person approves the Transaction List, PDAX shall consider the Transaction List (as supplemented by the User Instruction) to be the full and complete instruction of the User, and shall proceed with the Conversion and Payout.

e. The User shall be liable for all errors or inaccurate details in the User Instruction or approved Transaction List, and shall hold PDAX free and harmless from any and all claims, disputes, settlements, damages, losses, expenses and costs (including legal costs, and transfer costs and charges) caused by any untrue, incomplete, or inaccurate information, and data in the approved Transaction List.

f. Once the Digital Assets have been transferred, PDAX shall send the details of the transactions with the Digital Asset quantity transferred and a transaction identification to the User or the Authorized Person.

4. AUTHORIZED PERSONS AND OFFICIAL INSTRUCTIONS

a. The User may designate an Authorized Person authorized to transact with PDAX and send User Instruction on behalf of the User. If the User is a juridical entity, the Authorized Person must be an employee or an officer of the User. To designate an Authorized Person, the User must provide additional documents as may be required by PDAX including the Authorized Person’s official email address.

b. The User represents and warrants that the Authorized Person is duly authorized, through the appropriate authorization documents and actions, to act on behalf of the User in relation to Conversions, as applicable and Payout Service. An Authorized Person’s authority to act on behalf of a User shall be deemed continuing until PDAX is notified in writing that the authority granted by the User has been revoked or terminated. PDAX may refuse an Authorized Person, and may require the User to appoint another based on PDAX’s sole and reasonable determination.

c. The User shall be solely liable and responsible for the acts and omissions of the Authorized Person in any and all of the Authorized Person’s dealings and communications with PDAX, including the Authorized Person’s availment of the Payout Services and provision of User Instructions.

d. User Instructions and other communications from the Authorized Person are conclusively presumed to be made with full and complete authority, on behalf of the User, and are true, accurate and correct.

5. KNOW-YOUR-CUSTOMER (KYC) PROTOCOLS

The PDAX KYC Program and Procedures as contained in PDAX Terms and Conditions are equally applicable to these Payout Rules. To the extent allowed by Applicable Laws and Rules, PDAX may, at its sole and absolute discretion, opt to rely on the User to perform the required customer due diligence procedures as applicable to the Beneficiary. In this situation, PDAX may require the User to submit a sworn certification in a form to be provided by PDAX, and in addition, the User hereby undertakes and certifies that:

a. the User has conducted, is conducting, and will continue to conduct, the prescribed identification procedures for the Beneficiaries in accordance with the Applicable Laws and Rules, and the User’s Money Laundering and Terrorist Financing Prevention Program (if any), including face-to-face contact, personal interviews, and/or such Information Information and Communications Technology (“ICT”) methods permitting customer identification in a similar manner, to validate the existence and establish the identity of the ultimate Beneficiaries;

b. If the standards of the country where the User is operating has Beneficiaries’ identification process requirements which are less stringent than those of the Republic of the Philippines, the User shall follow the standards of the Republic of the Philippines, specifically with respect to customer due diligence, record keeping obligations, and the requirements prescribed in: (i) the AMLA and its Implementing Rules and Regulations; (ii) Part Nine of Q-Regulations (Anti-Money Laundering Regulations) of the MORNBFI, as may be amended from time to time; (iii) and related issuances of the BSP including but not limited to BSP Circular No. 706, as amended by BSP Circulars No. 950 and No. 1022 and as may be further amended from time to time (collectively, “Philippine AML/CTF laws”);

c. upon request, the User shall inform PDAX of: (i) the level of country risk, for all jurisdictions where it operates; (ii) the nature of its business and reputation; (iii) entities responsible for, and the quality of, its supervision, regulation, and monitoring; and (iv) any money-laundering or terrorist financing investigation or regulatory action which it may have been involved in;

d. the User has measures in place to conduct due diligence and record-keeping requirements in relation to the Beneficiary in accordance with all requirements of all regulations enforced by the regulatory bodies of all jurisdictions where it operates;

e. the User has conducted, and continues to conduct the required screening of its users or clients, including the Beneficiary, against established sanctions lists, i.e. the “Specially Designated Nationals and Blocked Persons” list maintained by the Sanctions Authorities, or any similar list maintained by, or public announcement of Sanctions designation made by them, including, the “Specially Designated Nationals and Blocked Persons” list maintained by the OFAC, the Consolidated List maintained by the UNSC, the Consolidated List of Financial Sanctions Targets and the Investment Ban List maintained by HMT, those designated by the ATC, or any similar list maintained by, or public announcement of Sanctions designation made by, any of the Sanctions Authorities;

f. the User has not, does not, and will not endorse or allow its users (including the Beneficiaries), who is a positive match to any Sanctions, to access the PDAX Platform or avail of any Service, including the Payout Service;

g. the User has not, at any time, been reprimanded or cited, or subjected to regulatory examination or other similar actions on account of unsatisfactory, insufficient, or inadequate Anti-Money Laundering/Counter-Terrorist Financing policies, procedures or practices;

h. upon request, the User undertakes to provide PDAX with the identification documents of all of the Beneficiary, including senders and receivers without delay. The User warrants that it has secured the consent of the Beneficiary to share such information;

i. the User permits PDAX to conduct periodic KYC reliance & MLPP (or equivalent MLPP procedures) account reviews as PDAX sees fit, and undertakes to provide additional documentation, without delay, as may be necessary to fully accomplish the review.

The User acknowledges that PDAX has full discretion to terminate its Services in case of fraud, misconduct, misrepresentation, or breach of the foregoing certifications; breach by the User or the Beneficiaries of Applicable Laws and Rules, including but not limited to the AMLA, or other related rules and regulations promulgated by the BSP; or to protect the legitimate interests of PDAX.

6. FEES

You may be charged additional fees for availing of this Service. Fees and additional costs shall be included in the PDAX Permission or any written communication.

7. CONFIDENTIALITY AND DISCLOSURE OF INFORMATION

All information which is disclosed by PDAX to the User or by the User to PDAX shall be protected hereunder and considered as Confidential Information.

a. Confidential Information. For the purposes of this Section, “Disclosing Party” shall refer to the party disclosing the Confidential Information and “Receiving Party” shall refer to the party receiving the Confidential Information. “Confidential Information” means all non-public, confidential or proprietary communications or data, in any form, whether tangible or intangible, which are disclosed or furnished through whichever medium by any director, officer, employee, agent, or consultant (collectively, the “Representatives”) of any department or business area of the Disclosing Party hereto, including their Affiliates, to the Receiving Party, its Affiliates, and their Representatives, and which are to be protected hereunder against unrestricted disclosure or competitive use by the Receiving Party. The following are also Confidential Information:

• Technical information, which refers to methods, processes, formulae, compositions, inventions, machines, computer programs, and research projects.
• Business information, which refers to customer lists; pricing data sources of supply; marketing, production, or merchandising systems or plans; and all information or material that has or could have commercial value or other utility in the business of the Disclosing Party.
• Personal Information, which refers to any information, whether recorded in a material form or not, from which the identity of an individual, including but not limited to the Disclosing Party’s applicants, agents, employees, officers, directors, consultants, clients, customers, suppliers, service providers, and partners, is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify such individual. This includes but is not limited to such individual’s name, race, ethnic origin, age, place and date of birth, citizenship, residence or office address, contact info (phone and/or email address), marital status, name of spouse and/or child/children/dependents, if any, name of parents, physical attributes or identifying marks, occupation, religious, philosophical or political affiliations, education, health, previous or current health records, criminal background or any proceeding for any offense or court sentences, social security numbers, PhilHealth number and details, Pag-Ibig number and details, Tax Identification No. and details, tax returns, licenses or its denials, suspension or revocation, or any similar information or data protected under the DPA and Applicable Laws and Rules.
• Information ought reasonably to be treated as proprietary, commercially sensitive or confidential considering the surrounding circumstance, including those that has been derived or created from any Confidential Information.

Confidential Information excludes:

• information that becomes generally available to the public other than as a result of the disclosure by the Receiving Party in violation of this Cash-In Rules;
• information available or made available to a Receiving Party on a non-confidential basis prior to disclosure by the Disclosing Party;
• only to such court, tribunal, regulatory authority or entity authorized to request for disclosure, information that is required to be disclosed by any court, tribunal, or regulatory authority or by any requirement of law, legal process, regulation, or governmental order, decree, or rule, or necessary or desirable for a Party to disclose in connection with any proceeding in any court, tribunal or before any regulatory authority in order to preserve its rights;
• information that the Disclosing Party expressly agrees in writing to be disclosed by the Receiving Party to third parties; information lawfully received by the Receiving Party from an independent third party without any restriction and without any obligation of confidentiality;
• information disclosed without restriction by the Disclosing Party to any third party; and
• information which is independently developed by the Receiving Party without access to or use of the Disclosing Party's Confidential Information.

b. Restrictions on the Use of Confidential Information.

• The Receiving Party agrees, for itself, its affiliates, and their respective authorized representatives, to (a) hold all Confidential Information (regardless of whether it is specifically marked confidential or not) in strict confidence; (b) transmit the Confidential Information only to its representatives, its affiliates, and its affiliates’ representatives, on a ‘need-to-know’ basis and after each one of them has agreed to be bound by these Cash-In Rules and not to disclose the same except as provided herein; (c) not to directly or indirectly use, copy, digest, or summarize any Confidential Information except as provided in these Cash-In Rules, and (d) not to disclose any Confidential Information to any third party without the prior written consent of the Disclosing Party. In the event that the Receiving Party becomes aware that Confidential Information has been disclosed to or accessed by any unauthorized party, the Receiving Party shall immediately notify the Disclosing Party thereof and shall take all appropriate countermeasures against further disclosure and to prevent or stop suspected or actual breaches of these Cash-In Rules.
• The Receiving Party shall strictly comply with any and all Applicable Laws and Rules, including but not limited to the DPA, as well as any policy, measures, rules, and regulations of the Disclosing Party implementing such applicable laws and rules. The Receiving Party understands and agrees that the Disclosing Party shall have no liability for any of the Receiving Party’s acts or omissions which may be in violation of such applicable laws and rules as well as the Disclosing Party’s rules.
• The Disclosing Party may grant its consent for the disclosure of the Confidential Information in its sole discretion and on a case-to-case basis. The Receiving Party expressly agrees not to use the Confidential Information to gain or attempt to gain a competitive advantage over the Disclosing Party. If requested by the Disclosing Party, the Receiving Party shall acknowledge receipt of any Confidential Information by signing receipts, initialing documents, or any other means that the Disclosing Party may reasonably request.
• The Receiving Party will not permit copies of the Confidential Information to be made without the express written consent of the Disclosing Party. Copies shall be deemed confidential and, in all respects, subject to the terms of these Cash-In Rules.
• If the Receiving Party is requested by a governmental entity to disclose any Confidential Information, it will promptly notify the Disclosing Party to allow the Receiving Party to do so. The Receiving Party will also cooperate in the Disclosing Party's efforts to obtain a protective order or other reasonable assurance that confidential treatment will be afforded the Confidential Information. If in the absence of a protective order and the Receiving Party is compelled as a matter of law to disclose the Confidential Information, based upon the written opinion of the Receiving Party addressed to the Disclosing Party, the Receiving Party may disclose to the Party compelling the disclosure only the part of the Confidential Information as required by law to be disclosed. The Receiving Party will advise and consult with the Disclosing Party as to such disclosure and the nature and wording of such disclosure and the Receiving Party will use its best efforts to obtain confidential treatment therefore

c. Property Rights and Ownership. All Confidential Information, unless otherwise specified in writing, shall remain the sole and exclusive property of the Disclosing Party. The Disclosing Party retains ownership, including intellectual property rights, over all preexisting materials, documents and work originally created by it. The ownership over any materials, documents and work resulting collaboration with and through the joint efforts of the Parties shall be subject to the terms of definitive agreements to be negotiated by the Parties. No other rights, and particularly no license and no assignment of intellectual property rights including copyright, patent rights, design rights, trademarks, and mask work protection rights are implied or granted under this Agreement. The Parties shall not make use of the existence of any bilateral business relationship between them for the purpose of their own advertisement.

d. Safekeeping. The Receiving Party shall use the same care to avoid disclosure or unauthorized use of the Confidential Information as it uses to protect its own Confidential Information, but in no event less than reasonable care. It is agreed that:

• All Confidential Information shall be retained by the Receiving Party in a secure place with access limited only to the Receiving Party’s Representatives who need to know such information for purposes of this Agreement; and
• Confidential Information will be disclosed only to each Party’s Representatives on a ‘need-to-know’ basis. It may be disclosed to third-party consultants or advisers only with the prior consent of the Disclosing Party. In the event of such disclosure to any third party, the Receiving Party shall remain liable for any unauthorized disclosure by such person or entity. The Receiving Party shall ensure that all of its representatives, affiliates, and third-party consultants having access to Confidential Information adhere to the terms and conditions of these Cash-In Rules as if they were Parties hereto.

All confidentiality obligations contemplated under this Section shall be coterminous with the permission duration as stated in the PDAX Permission and one (1) year thereafter.

8. REPRESENTATIONS AND WARRANTIES OF THE USER

The User hereby represents and warrants to PDAX that each of the following statements are true, accurate and correct as to the User, and as to each of the Beneficiaries:

a. each of the User and Beneficiary has full power, authority and legal capacity to (i) access and use the PDAX Platform and/or avail of the Conversion, as may be applicable, and the Payout Services and (ii) enter into and deliver, and perform your obligations under the Terms and Conditions, these Payout Rules, and any agreement entered into pursuant to, or in connection with, the Terms and Conditions, these Payout Rules, or the use of the PDAX Platform for, and/or availment of, the Conversion, as may be applicable, and the Payout Services;

If the User or the Beneficiary is an individual or a natural person, he or she has all the legal and mental capacity and rights to avail of the Conversion, as may be applicable, and the Payout Services, under all Applicable Laws and Rules.

If the User or the Beneficiary is a corporation, partnership or a juridical entity or person, it is duly organized, validly existing and in good standing as a corporation, partnership or any other entity as represented under the laws and regulations of the country exercising jurisdiction over your incorporation, organization or chartering;

b. each of the User and Beneficiary is not a resident of (or incorporated in), and will not be availing of the Conversion, as may be applicable, and the Payout Services, from, an unsupported jurisdiction or a jurisdiction where availing of Conversion, as may be applicable, and the Payout Services, are prohibited by Applicable Laws and Rules;

c. each of the User and Beneficiary has not been previously suspended or prohibited from: (i) maintaining a PDAX Account; (ii) being a user of the PDAX Platform; or (iii) availing of the Services.

d. All agreements, documents, contracts and ancillary forms which require User’s or Beneficiary’s signature or consent is duly signed and executed by authorized signatories or representatives by the User or the Beneficiary, as may be applicable, and as such each of such agreements, documents, contracts and ancillary forms constitutes a legal, valid, and binding obligation of the User or the Beneficiary, as the case may be; and

e. User has obtained and effected all consents, approvals and authorizations from Regulatory Authorities that are necessary for the User’s or the Beneficiary’s due execution, delivery, and performance of its obligations under these Payout Rules.

9. INDEMNITY AND LIMITATIONS OF LIABILITY

In addition to Section 17 (Limitation of Liability) and Section 18 (Indemnity) of the PDAX Terms and Conditions, applicable Platform Rules and unless as otherwise provided in a separate written agreement, User agrees to fully defend, hold harmless, and indemnify PDAX or the PDAX Group from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs) suffered or incurred by PDAX or the PDAX Group in connection with or arising from:

a. User’s, the Authorized Person’s or the Beneficiary’s breach of its obligations or warranties or inaccuracy of its representations as conformed or incorporated in these Payout Rules, PDAX Terms and Conditions, Privacy Policy, all applicable PDAX Platform Rules and other relevant documents and communications;

b. any claim or dispute between and among the User, the Authorized Person, the Beneficiary and any third person arising from or in connection with the use of the PDAX Platform or availment of the Conversion, as may be applicable, and the Payout Services by the User or the Authorized Person unless such claim is solely caused by the breach of these Payout Rules, or fraud by PDAX. Disputes between and among the User, the Authorized Person, the Beneficiary and any third person as to Payouts shall be resolved solely between or among them; and

c. any claim, damages, penalties or expenses arising from or in connection with any violation of any Applicable Laws and Rules of the User, the Authorized Person or the Beneficiary.

To the extent allowed by Applicable Laws and Rules, User hereby agrees to fully defend, hold harmless, and indemnify PDAX and the PDAX Group, from and against all claims, disputes, settlements, awards, damages, losses, expenses and costs (including legal costs) suffered or incurred by PDAX and the PDAX Group, in connection with or arising from PDAX use of information materials provided by the User, pursuant to these Payout Rules and the provision of the Conversion, as may be applicable, and the Payout Services.

II. DATA OUTSOURCING AGREEMENT

The User shall abide by all Applicable Laws and Rules in relation to personal data processing and the Privacy Policy.

To the extent that PDAX could potentially process the Personal Data of the Beneficiaries in relation to the Conversion, as may be applicable, and the Payout Services as defined herein, this Data Outsourcing Agreement (the “Sub-Agreement”) is made and executed by and between the User and PDAX.

RECITALS: a. The Parties have agreed to enter into an agreement wherein the User has opened a PDAX Account, solely for Conversion, as may be applicable, and the Payout Services;

b. During the course of the User’s usage of the PDAX Account and availment of the Services, it is understood that Fiat Currency or Digital Assets transferred to, or withdrawn from, the PDAX Account, may constitute an aggregated sum composed of various sums pertaining to a Beneficiary; c. PDAX could potentially process the Personal Data of the Beneficiary or any relevant individual as may be required by Applicable Laws and Rules in relation to the Payout Service; and d. The Parties agree that the User is the Personal Information Controller and PDAX is the Personal Information Processor, as defined in the DPA.

NOW, THEREFORE, for and in consideration of the foregoing premises and mutual covenants stated hereunder, PDAX and User hereto agree as follows:

a. Term– This Sub-Agreement shall have the duration indicated in the DOD (as defined herein).

b. Adherence to the Data Privacy Act of 2012 – The Parties hereby adhere to the DPA, recognizing the importance of appropriate privacy protections for data subjects.

c. Definitions

• DOD refers to the data outsourcing details, to be executed separately by the Parties, which contains the subject matter of processing, duration of processing, purposes of processing, Data Subjects and Personal Data types, geographic location of processing, and details of the arrangement between PDAX and the User.

• Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

• Sensitive Personal Information refers to personal information:

  • About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  • About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  • Specifically established by an executive order or an act of Congress to be kept classified.

• Personal Data refers to personal information, sensitive personal information, and privileged information.

• Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

• Data Outsourcing is the disclosure or transfer of Personal Data by a Personal Information Controller to a Personal Information Processor.

• DPA means Republic Act No. 10173, also known as, Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission.

• Data Protection Officer is any individual/s designated by the Personal Information Controller or Personal Information Processor who is accountable for compliance with the DPA.

• Data Subject refers to an individual whose personal, sensitive personal, or privileged information is processed.

• Security Incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place.

• Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:

  • An availability breach resulting from loss, accidental or unlawful destruction of personal data;
  • Integrity breach resulting from alteration of personal data; and/or
  • A confidentiality breach resulting from the unauthorized disclosure of or access to Personal Data.

• Personal Information Controller refers to a natural or juridical person, or any other body who controls the processing of Personal Data, or instructs another to process Personal Data on its behalf. The term excludes:

  • A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
  • A natural person who processes personal data in connection with his or her personal, family, or household affairs There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.

• Personal Information Processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of Personal Data pertaining to a Data Subject.

• Technical, Physical, and Organizational Security Measures, or TPOSM refers to all measures aimed at protecting Personal Information transmitted, stored, or otherwise processed against improper, unauthorized, accidental or unlawful processing, destruction or loss, disposal, alteration, disclosure, or access, and against all other unauthorized and unlawful forms of processing.

d. Roles of the Parties– User is the Personal Information Controller of the Personal Data disclosed to PDAX. PDAX is a Personal Information Processor, i.e., it processes such Personal Data upon the instruction of the User. In the event that either party takes on the role of a Personal Information Controller or Personal Information Processor, as defined under the DPA, such party herein undertakes to implement the necessary measures, and execute its role as Personal Information Controller or Personal Information Processor, as the case may be, in relation to any Personal Data which comes into its possession by virtue of the Terms and Conditions and these Rules, in accordance with the DPA.

e. Personal Data to be Collected and Processed– PDAX shall process only the Personal Data listed in the DOD, in accordance with the terms of this Sub-Agreement.

The terms of this Sub-Agreement shall apply to Personal Data in all its forms. It may be on paper, stored electronically, held on film, microfiche, or other media. It includes text, pictures, audio, and video. It covers information transmitted by post, by electronic means, and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the data from creation, collection, storage, utilization, to disposal. The terms of this Sub-Agreement apply to all officers, employees, and clients of both Parties where they are performing their duties in relation to this Sub-Agreement.

f. Purposes of Processing – PDAX shall process the Personal Data only for the purposes listed in the DOD. The User may, at any time and upon written instructions to PDAX, require PDAX to process the Personal Data pursuant to and consistent with the following purposes:

• Comply with statutory and regulatory requirements, including directives, issuances by, or obligations of User to any competent authority, regulator, supervisory body, enforcement agency, exchange, court, quasi-judicial body, or tribunal;
• Enable User to exercise sound corporate governance over its businesses, ensure that risks arising therefrom are duly identified, measured, managed and mitigated, and enhance risk assessment and prevent fraud;
• Enable User to conduct User audits or investigate a complaint or security threat;
• Other legitimate business purposes of the User and PDAX;
• Establish, exercise, or defend PDAX’s legal claims;
• Fulfill any other purposes directly related to the above-stated purposes.

g. Geographic Location of the Processing – The Personal Data shall be processed by PDAX at the geographic location specified in DOD. PDAX shall, at least thirty (30) days prior to effecting any change in the geographic location, notify the User in writing of such intended change and provide reasonable proof that such change shall not adversely affect the TPOSM currently in place or impact the privacy rights of the Data Subjects.

**h. Obligations of User **– Pursuant to the requirements of the DPA, the User hereby undertakes to:

• Secure the written consent of each Data Subject;
• Process personal data to the extent allowed by the Data Subject in accordance with these Payout Rules, PDAX Terms and Conditions, Privacy Policy, all applicable PDAX Platform Rules and Applicable Laws and Rules;
• Specify the persons and/or entities authorized to receive, access, process, and/or transmit the information obtained and processed by PDAX, giving PDAX the right to refuse to give information to persons or entities not designated by User.

i. Obligations of PDAX – Pursuant to the requirements of the DPA, PDAX hereby undertakes to:

• Process Personal Data only upon the documented instructions of User, including transfers of personal data to another country or an international organization, to the extent contemplated under the DOD, unless such transfer is authorized or required by Applicable Laws and Rules;
• Ensure that an obligation of confidentiality is imposed on persons authorized by PDAX pursuant to this Sub-Agreement to process the Personal Data;
• Implement appropriate security measures and comply with the DPA;
• Assist the Personal Information Controller, by appropriate TPOSM and to the extent possible, fulfill the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
• Make available to the User all information necessary to demonstrate compliance with the obligations laid down in the DPA, and allow for and contribute to audits, including inspections to the extent required by Applicable Laws and Rules and within reasonable office hours with prior written notice to PDAX;
• Immediately inform the User if, in its opinion, an instruction infringes the DPA;
• Assist User, as may be practicable and necessary, in ensuring compliance with the DPA, taking into account the nature of processing and the information available to PDAX;
• At the choice of the User, delete or return all Personal Data to the User upon termination of, and subject to, the Terms and Conditions, Privacy Policy, the Payout Rules and this Sub-Agreement; and
• to the extent relevant to the User, report all available information to the User within forty-eight (48) hours from knowledge of, or reasonable belief that, a personal data breach or a security incident involving Personal Data of a Beneficiary or any Personal Data disclosed by the User to PDAX has occurred, and extend full cooperation to the User to enable the User to comply with its obligations under the DPA or Applicable Laws and Rules.

j. Security Obligations of PDAX – Pursuant to its obligation to maintain the appropriate TPOSM, PDAX warrants that, at minimum, it shall have the following security measures:

Organizational Security Measures

• That it has a designated individual who functions as Data Protection Officer.
• That it has implemented appropriate data protection policies that provide for TPOSM, taking into account the nature, scope, context, and purposes of the processing, as well as the risks posed to the rights and freedoms of Data Subjects.
  • The policies shall implement data protection principles both at the time of the determination of the means for processing and at the time of the processing itself.
  • The policies shall implement appropriate security measures that, by default, ensure only Personal Data which is necessary for the specified purpose of the processing are processed. They shall determine the amount of Personal Data collected, including the extent of processing involved, the period of their storage, and their accessibility.
  • The policies shall provide for documentation, regular review, evaluation, and updating of the privacy and security policies and practices.
• That it shall maintain records that sufficiently describe its data processing system and identify the duties and responsibilities of those individuals who will have access to the Personal Data. Records shall include:
  • Information about the purpose of the processing of Personal Data, including any intended future processing or data sharing;
  • A description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the processing;
  • General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of Personal Data;
  • A general description of the TPOSM in place; and
  • The name and contact details of each Party, its representatives, the sub-Users (if applicable), and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
• That its employees shall operate and hold Personal Data under strict confidentiality. This obligation shall continue even upon termination of the employee’s employment.

Physical Security Measures

• That it has implemented policies and procedures to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media;
• That the design of its office space and work stations, including the physical arrangement of furniture and equipment, shall provide privacy to anyone processing Personal Data, taking into consideration the environment and accessibility to the public;
• That the duties, responsibilities and schedule of individuals involved in the processing of Personal Data are clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time;
• That it has implemented policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of Personal Data; and
• That it has implemented policies and procedures that prevent the mechanical destruction of files and equipment. The room and workstation used in the processing of Personal Data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.

Technical Security Measures

• That it has implemented safeguards to protect their computer network against accidental, unlawful or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network;
• That it has the ability to ensure and maintain the confidentiality, integrity, availability, and resilience of their processing systems and services;
• That it performs regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective, and mitigating action against security incidents that can lead to a Personal Data Breach;
• That it has the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• That it has a process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
• That it encrypts Personal Data during storage and while in transit, authentication process, and it has implemented other technical security measures that control and limit access.

k. Indemnification – User agrees to irrevocably, unconditionally, and fully indemnify and hold PDAX or the PDAX Group free and harmless from and against any and all claims, suits, actions or demands or losses, damages, costs and expenses including, without limiting the generality of the foregoing, attorney’s fees and costs of suit that User may face, suffer or incur by reason or in respect of:

• User’s or the the Beneficiary’s breach of any of the warranties and obligations set forth in the Payout Rules, PDAX Terms and Conditions, Privacy Policy, all applicable PDAX Platform Rules and this Sub-Agreement, regardless of the cause of such breach; or
• Any act, omission or negligence of the User or the Beneficiary that causes or results in the breach by PDAX of its obligations under the DPA and all Applicable Laws and Rules.

l. Data Subject Rights – Each Party shall respect the following rights accorded to Data Subjects by the DPA:

• Right to be informed. Data Subjects have the right to be informed whether Personal Data pertaining to them shall be, are being, or have been processed, including the existence of automated decision-making and profiling. This Sub-Agreement may be accessed by the Data Subject upon written request submitted to any of the Parties.
• Right to object. Data Subjects have the right to object to the processing of their Personal Data, including processing for direct marketing, automated processing or profiling. They may withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the Data Subject.
• Right to access. Data Subjects have the right to request access to any of their Personal Data, subject to certain restrictions.
• Right to rectification. Data Subjects have the right to dispute the inaccuracy or error in the Personal Data and have the PIC correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
• Right to erasure or blocking. Data Subjects have the right to suspend, withdraw or order the blocking, removal or destruction of his or her Personal Data from the PIC’s filing system.
• Right to damages. Data Subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, taking into account any violation of the rights and freedoms of the Data Subject.
• Right to lodge a complaint with the National Privacy Commission.

m. Communications Regarding Data Privacy Concerns – For questions, requests, and notifications, communication may be directed to each Party’s designated Data Protection Officer or his/her replacement or substitute.

n. Notarized Data Outsourcing Agreement- To the extent required by Applicable Laws and Rules, the Parties may be required to execute a notarized Data Outsourcing Agreement.