Data Processing Agreement
Effective date: May 18, 2026 · Last updated: May 18, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the agreement between Promota, Inc. ("Promota") and the customer entity ("Customer") that has executed an order form or service agreement referencing this DPA. This DPA applies where Promota processes personal data on behalf of Customer in connection with the Promota platform and services.
1. Definitions
"Controller" means the entity that determines the purposes and means of processing personal data. In this context, Customer is the Controller.
"Processor" means the entity that processes personal data on behalf of the Controller. In this context, Promota is the Processor.
"Personal Data" means any information relating to an identified or identifiable natural person provided by Customer to Promota for processing under the Service.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Applicable Data Protection Law" means the GDPR, UK GDPR, CCPA, and any other privacy or data protection legislation applicable to the processing under this DPA.
"Sub-Processor" means any third party Promota engages to process Personal Data on Customer's behalf.
2. Scope and Nature of Processing
Promota processes Personal Data only to the extent necessary to provide the Service as described in the applicable order form or service agreement. The subject matter, duration, nature, and purpose of the processing, as well as the types of Personal Data and categories of data subjects, are described in Annex A to this DPA.
Promota will not process Personal Data for any purpose other than providing the Service unless required to do so by applicable law, in which case Promota will inform Customer of that requirement before processing unless legally prohibited from doing so.
3. Customer Obligations
Customer represents and warrants that it has a lawful basis for providing Personal Data to Promota and for directing Promota to process that data as described herein. Customer is responsible for ensuring that data subjects have received appropriate notice and, where required, have provided valid consent for their data to be processed in connection with the Service.
4. Promota's Obligations as Processor
Promota agrees to:
- Process Personal Data only on documented instructions from Customer, including as set out in the service agreement and this DPA
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain technical and organizational security measures as described in Section 7
- Assist Customer in responding to data subject rights requests as described in Section 6
- Notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Customer's Personal Data
- Delete or return all Personal Data to Customer upon termination of the Service, unless retention is required by law
- Make available to Customer the information reasonably necessary to demonstrate compliance with this DPA
5. Sub-Processors
Customer grants Promota general authorization to engage Sub-Processors. Promota's current Sub-Processors are listed at promota.ai/sub-processors and include providers of cloud infrastructure, data enrichment, email delivery, and analytics services.
Promota will notify Customer of any addition or replacement of Sub-Processors with at least 14 days' advance notice. Customer may object to a new Sub-Processor on reasonable data protection grounds by notifying Promota within 14 days. If the parties cannot resolve the objection, either party may terminate the affected service without penalty.
Promota ensures that Sub-Processors are bound by data processing terms no less protective than those in this DPA.
6. Data Subject Rights
Taking into account the nature of the processing, Promota will provide reasonable assistance to Customer in fulfilling its obligation to respond to data subject rights requests under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
Where a data subject submits a request directly to Promota, Promota will promptly forward it to Customer unless prohibited by law.
7. Security Measures
Promota implements and maintains technical and organizational measures appropriate to the risk of the processing, including:
- Encryption of Personal Data at rest and in transit
- Access controls and authentication requirements limiting data access to authorized personnel
- Regular security assessments and vulnerability testing
- Incident response procedures and breach notification processes
- Employee security awareness training
- Physical security controls for data center facilities
8. International Data Transfers
If Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing adequate protection, Promota will ensure such transfers are subject to appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission (Module 2: Controller to Processor), which are incorporated by reference into this DPA.
Customer may request a copy of the applicable Standard Contractual Clauses by emailing privacy@promota.ai.
9. Audits and Assessments
Upon reasonable written notice (no less than 30 days), Promota will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by Customer or a third-party auditor mandated by Customer, subject to reasonable confidentiality obligations and limitations to avoid disruption to Promota's operations.
10. Term and Termination
This DPA remains in effect for as long as Promota processes Personal Data on Customer's behalf under the service agreement. Upon termination or expiration of the service agreement, Promota will, at Customer's choice, delete or return all Personal Data within 60 days, unless applicable law requires longer retention, in which case Promota will inform Customer of the requirement and the anticipated retention period.
11. Order of Precedence
In the event of a conflict between this DPA and the service agreement, this DPA will govern with respect to data protection matters only. In all other respects, the service agreement controls.
Annex A — Processing Details
Subject matter
Autonomous AI marketing services including customer identification, outreach, and pipeline delivery.
Duration
For the term of the applicable service agreement plus any post-termination retention period required by law.
Nature and purpose
Processing Customer's prospect and customer data to identify, engage, and qualify leads on Customer's behalf via email, social, and digital advertising channels.
Types of Personal Data
Name, email address, job title, organization, social media profiles, publicly available professional information, engagement history, and communication records.
Categories of data subjects
Customer's existing customers, prospects, and other individuals Customer directs Promota to engage in connection with the Service.