
Data Processing Addendum

Last updated: · Effective:

1. Scope and definitions

This Data Processing Addendum (the "DPA") is incorporated into the Master Services Agreement at /legal/terms and into every role-specific Addendum. It applies to processing of personal data performed by Surfacedd in connection with the Services. Capitalized terms not defined here carry the meaning assigned in the MSA. Terms with defined meanings under the GDPR — "controller," "processor," "data subject," "personal data," "processing," "sub-processor," "supervisory authority" — carry those meanings and the equivalent meanings under the UK GDPR, the LGPD, the India DPDP Act, and the Singapore PDPA.

2. Role mapping

Roles under this DPA follow the data flow, not a single label.

Data flow | Surfacedd role | Customer role
Advertiser account data (Advertiser provides direct) | Controller | Controller
Publisher account data (Publisher provides direct) | Controller | Controller
Query Context transmitted by Publisher at ad-request time | Independent controller (for matching) | Controller (of end-user data in the Publisher application)
Conversion data pushed by Advertiser to Surfacedd | Processor (on behalf of Advertiser) | Controller
Aggregated reporting | Controller | Recipient

Where Surfacedd acts as processor, the instructions are set out in this DPA, the MSA, the Addendum, and any additional documented instructions provided by the Customer in writing (including via the dashboard). Surfacedd will notify the Customer if, in its opinion, an instruction infringes applicable data protection law.

3. Processor obligations

Where Surfacedd acts as processor, Surfacedd will:

  • Process personal data only on documented instructions from the Customer, except as required by applicable law.
  • Ensure that persons authorized to process the personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect the personal data (Section 6).
  • Engage sub-processors only under Section 4.
  • Assist the Customer with data-subject-rights requests and with security-obligations compliance, subject to the limits of what is technically feasible given the Services.
  • Delete or return personal data at the end of the processing (Section 10).
  • Make available information necessary to demonstrate compliance and cooperate with audits (Section 9).

4. Sub-processors

The Customer authorizes Surfacedd to engage the sub-processors listed below. Surfacedd is responsible for the acts and omissions of its sub-processors as if they were its own.

Sub-processor list (subject to update by notice)

Sub-processor | Purpose | Location
Vercel Inc. | Hosting and infrastructure for the Platform and marketing website | United States (with global CDN points of presence)
Managed Postgres provider (identified on request) | Primary relational database for account, billing, reporting, and platform data | Region per deployment (EU, US, or APAC)
Stripe Inc. and Stripe Connect entities | Payment processing for Advertiser billing and Publisher payouts; KYC; tax forms | United States and Ireland (EEA)
Google LLC | Google Analytics 4 aggregate measurement of the marketing website | United States
Transactional email vendor (identified on request) | Sending account, billing, and product-update emails | Typically United States
Customer support / CRM vendor (identified on request) | Managing inbound support and sales interactions | Typically United States

Changes. Surfacedd will notify the Customer of any material change to the sub-processor list (for example, the addition of a new sub-processor that processes material personal data) at least 30 days in advance by email and dashboard notice. The Customer may object in writing within 15 days of notification on reasonable grounds relating to data protection. On receipt of an objection, Surfacedd will either not use that sub-processor for the Customer’s data or permit the Customer to terminate the affected Services for convenience.

5. International data transfers

Where personal data is transferred out of the EEA, the UK, Switzerland, India, Singapore, or Brazil, Surfacedd relies on the following mechanisms, as applicable:

  • EU SCCs. Commission Implementing Decision (EU) 2021/914, with Module One where Surfacedd and the Customer are independent controllers, Module Two where Surfacedd is processor, and Module Three where a sub-processor is involved. The Docking Clause applies where a new party joins.
  • UK IDTA. The UK International Data Transfer Agreement (version B1.0) or the UK Addendum to the EU SCCs.
  • Swiss transfers. The EU SCCs as interpreted by the Federal Data Protection and Information Commissioner (FDPIC) for Swiss data subjects.
  • India DPDP Act. Transfers occur only to jurisdictions not restricted by the Ministry of Electronics and Information Technology (MeitY).
  • Singapore PDPA. Contractual clauses providing a standard of protection comparable to PDPA Section 26.
  • Brazil LGPD. Standard contractual clauses under Article 33 or the controller’s documented commitment.

A Transfer Impact Assessment is available on request. Where a sub-processor is certified under the EU-US Data Privacy Framework or its UK or Swiss extensions, that certification is identified in the sub-processor list.

6. Security

Surfacedd implements the technical and organizational measures described in the Privacy Policy Section 12 and maintains an information-security program that includes access control, encryption, logging, incident response, secure software development, and vendor management. On request, Surfacedd will provide a security summary or a SOC 2 report (when available) under a customary NDA.

7. Data breach notification

Surfacedd will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and no later than 72 hours after confirmation of the breach where the Customer is a controller subject to GDPR Article 33 or equivalent laws. Notification will include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Surfacedd will not delay notification to conduct a complete forensic investigation. Notifications to the Customer do not imply fault or liability and do not relieve the Customer of its own notification obligations to supervisory authorities or data subjects.

8. DPIA and regulator cooperation

Surfacedd will provide reasonable assistance to the Customer in carrying out a Data Protection Impact Assessment (GDPR Article 35) or consulting with a supervisory authority (Article 36), taking into account the nature of the processing and the information available to Surfacedd.

9. Audits

Surfacedd will make available all information necessary to demonstrate compliance with this DPA. On written request, and not more than once per calendar year (except in response to a regulatory requirement or a documented security incident), the Customer may conduct an audit of Surfacedd’s compliance, either in writing or on-site at a mutually agreed time and scope, subject to reasonable security, confidentiality, and cost allocations. Audits may be conducted by a qualified third-party auditor bound by confidentiality. Where Surfacedd makes a recognized certification or audit report (for example, a SOC 2 Type II report) available, that report satisfies audit requests unless the Customer demonstrates a specific concern not covered by the report.

10. End-of-term data handling

On termination or expiry of the applicable contract, the Customer may elect in writing within 30 days to have Surfacedd (a) return the Customer’s personal data in a structured, commonly used, machine-readable format, or (b) delete the Customer’s personal data. If no election is made, Surfacedd will delete the data within 90 days of termination or expiry. Surfacedd may retain personal data to the extent required by applicable law (including tax-record retention obligations) or in backup systems until the backup media are overwritten in the ordinary course, in either case continuing to protect that data under this DPA.

Contact

For privacy, policy, or legal inquiries contact [email protected].

Appointed representatives under Article 27 of the GDPR and UK GDPR, a named Data Protection Officer for the Singapore PDPA, and the India DPDP Grievance Officer will be published in this document before general availability of the platform. Until then, [email protected] will reach the team responsible for each regime.