Data Processing Addendum
This Data Processing Addendum ("DPA") and the Standard Contractual Clauses ("SCC", as defined below) form part of the Terms of Service ("Terms" or "Agreement") between the applicable customer ("Customer") and Bakour Tech LLC, doing business as Brand.Dev ("Brand.dev" or "Company"), a company registered in Delaware, United States, at 1007 N Orange St. 4th Floor Suite #1839, Wilmington, DE 19801, United States. This DPA is made available on Company's website and is incorporated by reference into the Terms of Service. By accepting the Terms of Service, Customer also accepts and agrees to be bound by this DPA.
This DPA shall become legally binding upon Customer's acceptance of the Terms of Service, which acceptance may occur through Customer's use of the Services, execution of a written agreement, or by any other means indicating Customer's agreement to the Terms. The effective date (the "Effective Date") of this DPA shall be the date on which Customer accepts the Terms of Service.
The parties agree to comply with the following provisions with respect to any Personal Data of Data Subjects Processed in connection with the Agreement. The purpose of this DPA is to ensure that such Processing is conducted in accordance with Data Protection Laws, including the GDPR, and with due respect for the rights and freedoms of the individuals whose Personal Data are Processed.
Except as amended by this DPA, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will govern with respect to data processing matters.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meanings:
- 1.1.1 "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.
- 1.1.2 "Customer Third Party Partner" means any entity engaged by Customer for the Processing of Personal Data.
- 1.1.3 "Company Account Data" means personal data that relates to Company's relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer's account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
- 1.1.4 "Company Usage Data" means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
- 1.1.5 "Customer Data" means any content, data, information or other materials (including Personal Information) submitted or shared by or for Customer to or through the Service.
- 1.1.6 "Data Protection Laws" means, as applicable to the Processing of Personal Data under the Agreement, (i) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"), (ii) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"), and (iii) North American Privacy Laws, in each case to the extent applicable to the Processing under the Agreement.
- 1.1.7 "Data Subject" means (i) an identified or identifiable natural person who is in the European Economic Area (the "EEA") or whose rights are protected by Data Protection Laws; or (ii) a "Consumer" as that term is defined in the CCPA.
- 1.1.8 "Data Exporter" means Customer.
- 1.1.9 "Data Importer" means Company.
- 1.1.10 "ex-EEA Transfer" means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the EEA, and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
- 1.1.11 "ex-UK Transfer" means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
- 1.1.12 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. For purposes of clarity, references to the GDPR are intended to include the UK Data Protection Act 2018.
- 1.1.13 "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), and any regulations promulgated thereunder.
- 1.1.14 "North American Privacy Laws" means all privacy and data protection laws and regulations concerning the Processing of Personal Data of Data Subjects located in the United States, Canada or Mexico, to the extent applicable to the Processing under the Agreement, including but not limited to, as applicable: (a) any U.S. state or federal privacy or security law and/or self-regulatory code that is in effect during the Term and applies to Personal Information processed pursuant to the Agreement, including but not limited to the Virginia Consumer Data Protection Act, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act, the Oregon Consumer Privacy Act, and the Delaware Personal Data Privacy Act, each as amended, replaced or supplemented from time to time, and all subordinate legislation made under them, together with any codes of practice, regulations or other guidance issued by the governments, agencies, data protection regulators, or other authorities in the relevant countries, states or other jurisdictions; (b) the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada and Quebec's Law 25; and/or (c) the Mexico Federal Law on the Protection of Personal Data Held by Private Parties of 2010 and any applicable guidelines such as the Mexico Privacy Notice Guidelines of 2013.
- 1.1.15 "Personal Information" or "Personal Data" means (i) any information relating to an identified or identifiable natural person or household, and (ii) any information defined as "personally identifiable information," "personal information," "personal data" or similar terms as such terms are defined under Data Protection Laws.
- 1.1.16 "Personal Data Breach" has the meaning given to it in Article 4(12) of the GDPR; the parties' obligations in respect of a Personal Data Breach are set out in Section 7 of this DPA.
- 1.1.17 "Sensitive Information" means information defined as "sensitive" or "special category" about an individual or household under Data Protection Laws, including but not limited to: financial account numbers, insurance plan numbers, precise information about health or medical conditions, medical records or pharmaceutical prescriptions, government-issued identifiers (such as a Social Security number), race, ethnicity, religion, trade union membership, sexual orientation, genetic or biometric information and precise location information such as GPS coordinates.
- 1.1.18 "Sub-Processor" means (i) any sub-processor engaged by Company for the Processing of Personal Data, or (ii) a third party who has a need to know or otherwise access Customer's Personal Data to enable Company to perform its obligations under this DPA or the Agreement, and who is authorized under Section 5 of this DPA.
- 1.1.19 "Supervisory Authority" has the meaning set forth in Article 51 of the GDPR, or means the Federal Data Protection and Information Commissioner of Switzerland, or the entity responsible for regulating the protection of the Personal Data of Data Subjects, as applicable.
- 1.1.20 "Services" shall have the meaning set forth in the Agreement.
- 1.1.21 "Standard Contractual Clauses" means the EU SCCs and the UK SCCs.
- 1.1.22 "UK SCCs" means the EU SCCs, as amended by the UK Addendum.
- 1.1.23 "EU SCCs" means the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, for transfers of personal data to third countries pursuant to Article 46(2)(c) of the GDPR (as amended, updated or replaced from time to time), as completed and modified by Section 11 of this DPA.
- 1.1.24 "Term" means the period from the date this DPA is incorporated into the Agreement to the date the DPA is terminated in accordance with Section 13.1.
- 1.1.25 The terms "Controller", "Personal Data", "Personal Data Breach", "Processor", "Processed" and "Processing" have the meanings given to them in the GDPR.
- 1.1.26 "Company" means Bakour Tech LLC, doing business as Brand.Dev ("Brand.dev"), a company registered in Delaware, United States, with its address at 1007 N Orange St. 4th Floor Suite #1839, Wilmington, DE 19801, United States.
2. Processing of Customer's Personal Data Pursuant to this DPA
2.1 To the extent the products and services covered under the Agreement and this DPA involve the Processing of Personal Data, the parties agree that Customer is the Controller and Company is a Processor.
2.2 To the extent that the data protection legislation of another jurisdiction is applicable to either party's processing of data covered under this DPA, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data.
2.3 Company shall keep a record of all processing activities with respect to Customer's Personal Data covered under this DPA as required under GDPR.
2.4 Processor shall:
- 2.4.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;
- 2.4.2 not Process Customer Personal Data other than on the relevant Customer's documented instructions; and
- 2.4.3 not Process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Company is subject, in which case Company shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest, or (iii) in violation of Data Protection Laws.
2.5 Customer shall:
- 2.5.1 at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws.
- 2.5.2 ensure that the processing of Personal Data in accordance with Customer's instructions will not cause Company to be in breach of the Data Protection Laws.
- 2.5.3 be solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data.
- 2.5.4 not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith.
- 2.5.5 instruct Company to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.
2.6 The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this DPA.
2.7 Following completion of the Services, at Customer's choice, Company shall return or delete Customer's Personal Data promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Customer Personal Data, unless further storage of such Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule or regulation) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control. If Customer and Company have entered into Standard Contractual Clauses as described in Section 11 (Transfers of Personal Data), the parties agree that the certification of deletion or return of Personal Data described in Clause 8.5 of the EU SCCs (as applicable) shall be provided by Company to Customer only upon Customer's request.
2.8 The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Company's core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement. Company may also process Company Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Data Protection Laws. Any processing by the Company as a controller shall be in accordance with the Company's privacy policy.
2.9 CCPA. Except with respect to Company Account Data and Company Usage Data, the parties acknowledge and agree that Company is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a business purpose. Company shall not sell any such personal information. Company shall not retain, use or disclose any personal information provided by Customer pursuant to the Agreement except as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or otherwise as set forth in the Agreement or as permitted by the CCPA. The terms "personal information," "service provider," "sale," and "sell" are as defined in Section 1798.140 of the CCPA. Company certifies that it understands the restrictions of this Section 2.9.
3. Company Personnel and Customer Personnel
3.1 Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under this DPA are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
3.2 Company shall take appropriate steps to ensure compliance with the Security Measures outlined in Annex II by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data covered under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual's engagement with Company.
3.3 Company shall ensure that access to Personal Data covered under this DPA is limited to those personnel who require such access to perform the Services, strictly as necessary for the purposes of the Agreement and to comply with applicable laws in the context of that individual's duties to Company, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Company shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.2 Company shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA. Company will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Company's systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness.
4.3 Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
4.4 Both parties will (taking into account the nature of the Processing of Personal Data under this DPA) cooperatively and reasonably assist each other in ensuring compliance with each other's respective obligations with respect to the security of Personal Data and Personal Data Breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (i) in the case of Company, implementing and maintaining the Security Measures in accordance with Annex II; and (ii) complying with the terms of Section 7 of this DPA.
4.5 Exhibit C sets forth additional information about Company's technical and organizational security measures.
5. Sub-Processors
5.1 Customer acknowledges and agrees that Company may (i) engage its Affiliates as well as third-party Sub-Processors to access and Process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data. By way of this DPA, Customer provides general written authorization to Company to engage Sub-Processors as necessary to perform the Services.
5.2 Company shall update the Sub-Processor list and notify Customer via the Services or email of any intended changes to its Sub-Processors, including the addition or replacement of Sub-Processors, at least fourteen (14) days in advance, thereby giving Customer sufficient time to object to such changes prior to the engagement of the Sub-Processor(s).
5.3 If Customer reasonably objects to an engagement in accordance with Section 5.2, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Company may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days' written notice to Customer.
5.4 If Customer does not object to the engagement of a third party in accordance with Section 5.2 within fourteen (14) days of notice by Company, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.
5.5 Company will enter into a written agreement with the Sub-Processor imposing on the Sub-Processor data protection obligations comparable to those imposed on Company under this DPA with respect to the protection of Personal Data. In case a Sub-Processor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to Customer for the performance of the Sub-Processor's obligations under such agreement.
5.6 If Customer and Company have entered into Standard Contractual Clauses as described in Section 11 (Transfers of Personal Data), (i) the above authorizations will constitute Customer's prior written consent to the subcontracting by Company of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Sub-Processors that must be provided by Company to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Company beforehand, and that such copies will be provided by the Company only upon request by Customer.
5.7 Company shall disclose Personal Data to a third party only on documented instructions from Customer or as otherwise permitted by this DPA, and in any case only to Sub-Processors authorized in accordance with this Section 5.
5.8 Customer acknowledges and agrees that Customer Third Party Partners are not Sub-Processors, and Company assumes no responsibility or liability for the acts or omissions of Customer Third Party Partners.
5.9 A list of Sub-Processors is available in the Company user interface or at a particular web page hosted by Company: https://www.brand.dev/dpa/subprocessors
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Company shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws, provided that (i) Customer is itself unable to respond without Company's assistance and (ii) Company is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by Company.
6.2 Company shall:
- 6.2.1 promptly notify Customer, to the extent permitted by law, if it receives a request from a Data Subject to exercise the Data Subject's right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively "Data Subject Request(s)") under any Data Protection Law in respect of Customer Personal Data;
- 6.2.2 advise the Data Subject to submit their request to Customer, if Company receives a Data Subject Request in relation to Customer's data. Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Company's Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
- 6.2.3 ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Company is subject, in which case Company shall, to the extent permitted by applicable laws, inform Customer of that legal requirement before Company responds to the request.
6.3 Company commits to resolve complaints about its collection and use of Personal Data. Individuals with inquiries or complaints regarding Company's handling of Personal Data should first contact Company at privacy@brand.dev
7. Personal Data Breach
7.1 Company shall notify Customer without undue delay upon Company becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations under the GDPR to notify (i) the relevant Supervisory Authority and (ii) the Data Subjects affected by such Personal Data Breach without undue delay.
7.2 Notifications made pursuant to this section will describe, to the extent possible, details of the Personal Data Breach, including steps taken to mitigate the potential risks and steps Company recommends Customer take to address the Personal Data Breach. Notifications of any Personal Data Breach will take place within a reasonable time. Notifications, if any, will be delivered to one or more of the other party's business, technical or administrative contacts by any reasonable means, including via email. It is each party's responsibility to ensure it maintains accurate contact information. Any notification of or response to a Personal Data Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Personal Data Breach.
7.3 Each party will promptly investigate a Personal Data Breach if it occurred on its infrastructure or in another area for which it is responsible. Company shall co-operate with Customer and take commercially reasonable steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. Company shall take such steps as it in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach (to the extent that remediation is within Company's reasonable control).
7.4 The obligations described in Sections 7.1 and 7.2 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. Company's obligation to report or respond to a Personal Data Breach under Sections 7.1 and 7.2 will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.
7.5 Company agrees that an unsuccessful Personal Data Breach attempt will not be subject to this Section 7. An unsuccessful Personal Data Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either party's equipment or facilities storing Personal Data, and may include, without limitation, pings and other attacks on servers, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.6 Company shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect of the Personal Data. As technical and organizational measures are subject to technological development, Company is entitled to implement alternative measures provided they are at least as protective as the Security Measures and do not fall short of the level of data protection required by Data Protection Laws.
8. Data Protection Impact Assessment and Prior Consultation
8.1 Company shall, taking into account the nature of the Processing and the information available to Company, provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of Customer Personal Data under this DPA by Company or its Sub-Processors.
8.2 Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.
8.3 Customer shall, in its use or receipt of the Services covered under this DPA, Process Personal Data in accordance with the requirements of the Data Protection Laws and Customer shall ensure that its instructions for the Processing of Personal Data covered under this DPA shall comply with the Data Protection Laws.
9. Deletion or return of Customer Personal Data
9.1 Company shall promptly, and in any event within 10 business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the "Cessation Date"), at Customer's choice in accordance with Section 2.7, return or delete, and procure the deletion of, all copies of that Customer Personal Data.
9.2 The parties agree that the certification of deletion or return of Personal Data described in Clause 8.5 of the EU SCCs (as applicable) shall be provided by Company to Customer only upon Customer's request.
9.3 Each party hereby instructs the other to delete all Personal Data (including existing copies) from its systems and discontinue Processing of such Personal Data in accordance with Data Protection Laws as soon as reasonably practicable, unless Data Protection Laws (or, where the data is not subject to Data Protection Laws, applicable law) require further storage.
10. Audit rights
10.1 Company shall make available to Customer on written request at reasonable intervals all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Company and its Sub-Processors, by either (i) making available for Customer's review copies of certifications or reports demonstrating Company's compliance with prevailing data security standards applicable to the Processing of Customer's Personal Data, or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allowing Customer's independent third-party representative to conduct an audit or inspection of Company's data security infrastructure and procedures that is sufficient to demonstrate Company's compliance with its obligations under Data Protection Laws, provided that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company's business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer.
10.2 Information and audit rights of Customer only arise under Section 10.1 to the extent that this DPA does not otherwise give Customer information and audit rights meeting the relevant requirements of Data Protection Laws.
10.3 To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to privacy@brand.dev. The auditor must be approved in advance by Company (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to Company before conducting the audit.
10.4 Customer shall promptly notify Company with information regarding any non-compliance discovered during the course of an audit.
10.5 Customer shall be responsible for the costs of any such audits or inspections, including without limitation reimbursement to Company for any time expended on on-site audits. If Customer and Company have entered into Standard Contractual Clauses as described in Section 11 (Data Transfer), the parties agree that the audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 10.
11. Data Transfer
11.1 Company may store and process the relevant Personal Data in the European Economic Area, the United Kingdom and the United States. Company may transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA).
11.2 Where the Services involve the storage and/or processing of Personal Data that is transferred out of the European Economic Area, Switzerland or the United Kingdom to a jurisdiction that does not have adequate Data Protection Laws, and Data Protection Laws apply to the transfers of such data ("Transferred Personal Data"), the Parties shall ensure that such Transferred Personal Data is afforded a level of protection that is essentially equivalent to that guaranteed by Data Protection Laws. To achieve this, and unless the Parties agree on an alternative transfer mechanism that complies with Data Protection Laws, the Parties will rely on the Standard Contractual Clauses described in this Section 11.
11.3 In the event that Transferred Personal Data originates from the EEA and/or Switzerland, the Parties agree that the standard contractual clauses adopted by EU Commission Implementing Decision (EU) 2021/914 and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (as amended or updated from time to time) ("Standard Contractual Clauses") will apply, and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between Company and Customer, the Parties agree that: (i) Module: the Parties select Module Two (Controller to Processor). (ii) Roles: Customer is the "data exporter" and Company is the "data importer". (iii) Governing law and competent supervisory authority: Clause 17 and Clause 13 shall be completed by reference to the EU Member State in which the data exporter is established and the competent supervisory authority of that EU Member State (as applicable). (iv) Use of sub-processors: the Parties select Option 2 (general written authorization) in Clause 9(a). (v) Docking clause: the Parties do not select the optional docking clause in Clause 7. (vi) Redress: the Parties do not select the optional wording in Clause 11(a). (vii) Annexes: Annex I, Annex II and Annex III are provided at the end of this DPA as Schedule A and, to the extent there is a conflict as between this DPA and Schedule A, Schedule A shall govern.
11.4 Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
11.5 In the event that Transferred Personal Data originates from the United Kingdom, the Parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the Parties as described in this DPA, in the form approved by the UK Information Commissioner's Office and currently available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf (as amended or updated from time to time) ("UK Standard Contractual Clauses"), shall be incorporated by reference and form an integral part of this DPA. For the purposes of the UK Standard Contractual Clauses, Schedule A of these Terms shall take the place of Annex I, Annex II and Annex III respectively of the UK Standard Contractual Clauses.
11.6 If the Standard Contractual Clauses (including the UK Standard Contractual Clauses) are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (for example, the Court of Justice of the European Union or the UK courts) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data that would require the Parties to adopt supplementary measures, the Parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with Data Protection Laws.
11.7 To the extent Customer is the recipient of Personal Data from Company pursuant to these Terms of Service, Customer will provide at least the same level of protection for the information as is required under applicable Data Protection Laws and/or the Standard Contractual Clauses, as applicable.
12. General Terms
12.1 Confidentiality
12.1.1 Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that (i) disclosure is required by law, or (ii) the relevant information is already in the public domain.
12.1.2 Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company's confidentiality obligations in the Agreement.
12.1.3 Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer.
12.2 Notices
12.2.1 All notices and communications given under this DPA must be in writing and sent by email to the email address set out in the Agreement, or to such other address as notified from time to time by the Party changing its address.
12.3 Liability
12.3.1 Both parties agree that their respective liability under this DPA shall be apportioned according to each Party's respective responsibility for the harm (if any) caused by that Party.
12.3.2 Nothing in this Section 12 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
12.4 Conflict
12.4.1 In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Terms of Service (Agreement); and (4) the Company's privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Terms of Service.
13. Miscellaneous
13.1 This DPA will remain in effect until the termination or expiration of the Agreement between the parties.
13.2 Nothing in this DPA shall impact the Parties' intellectual property rights with respect to Personal Data provided by the Parties under the Agreement, except to the extent required by applicable law.
13.3 Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
Exhibits
The exhibits referenced in this DPA are set out below.
Exhibit A — Details of Processing (GDPR Article 28(3))
1. Subject matter
Company provides an API and web application that enables Customer to retrieve company/brand information (for example: logos, brand colors, fonts, and related metadata) using a domain name, company name, or ticker, and to manage Customer's account, organizations, and API keys.
2. Duration
Processing continues for the Term of the Agreement and for any additional period required for (i) backup retention, (ii) security and abuse prevention, (iii) billing/finance records, and/or (iv) compliance with applicable law.
3. Nature and purpose of the Processing
- Provision of the Services (receiving Customer requests and returning responses).
- Account administration (authentication, organization/team management, API key issuance and rotation).
- Usage metering and rate limiting; fraud and abuse prevention; troubleshooting.
- Billing and subscription management (including invoices, taxation, and payment processing).
- Customer support and communications (including feedback and support chat).
- Service analytics and product improvement.
4. Categories of Data Subjects
- Customer's authorized users of the Services (including administrators and team members).
- Individuals whose personal data may be included by Customer in support messages or feedback submitted to Company.
5. Types of Personal Data
A. Company Account Data
- Identifiers and contact details: name (if provided), email address, user ID (UID), organization membership.
- Account preferences and onboarding inputs (for example: newsletter opt-in, company website, onboarding reason/goals, role) if provided.
B. Company Usage Data
- API usage and diagnostics: organization ID, API key ID, timestamps, request counters/aggregates, rate-limit events, and related operational logs.
- Device/usage analytics (for example: event data captured in analytics tools), including pseudonymous identifiers and device/browser information where applicable.
C. Billing and subscription data
- Payment and subscription identifiers (for example: Stripe customer ID, subscription ID, and related plan/price identifiers).
- Billing contact details (for example: email address) as required for invoicing and subscription management.
- Tax-related data collected by the payment processor (for example: VAT/Tax ID), where enabled by Customer during checkout.
D. Support and feedback
- Support chat transcripts and metadata (where Customer uses embedded chat support).
- Feedback content submitted by Customer users (which may include personal data if the Customer includes it).
For clarity: the Services are designed to retrieve brand/company information associated with domains and do not require Customer to submit end-user personal data. Customer should not include Sensitive Information in API requests or feedback/support content.
6. Processing operations
- Collection, recording, organization, storage, retrieval, consultation.
- Use, disclosure by transmission (to authorized Sub-Processors), alignment/combination for analytics and billing reconciliation.
- Restriction, erasure, and destruction.
7. Locations of Processing
Company may process Personal Data in the European Economic Area, the United Kingdom, and the United States, and may engage Sub-Processors in those locations, as described in this DPA and the Company's Sub-Processor disclosures.
8. Sub-Processors (indicative categories)
Company may engage Sub-Processors to provide parts of the Services, including:
- Cloud infrastructure and storage (including authentication, database hosting, and object storage).
- Payment processing and billing management.
- Product analytics and performance monitoring.
- Customer communications and support tooling (including chat and email delivery).
- Security and bot/fraud prevention.
- Operational alerting/notifications.
Exhibit B — Security Measures
Company implements technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are risk-based and may be updated over time without materially reducing overall security.
- Access control: Role-based access control to production systems; principle of least privilege; access limited to authorized personnel with a business need.
- Authentication: Use of strong authentication for administrative access; centralized identity management where applicable.
- Encryption: Encryption in transit for data transmitted over public networks; encryption at rest provided by underlying cloud providers where available.
- Separation of environments: Logical separation between production and non-production environments where applicable; access to non-production data restricted.
- Logging and monitoring: Monitoring for availability, performance, and security-related events; alerting for suspicious activity and service incidents.
- Vulnerability management: Regular dependency updates and security patching practices; review and remediation of identified vulnerabilities within commercially reasonable timeframes.
- Backups and resilience: Measures designed to support service continuity and restoration of access following incidents, including provider-supported redundancy and backup mechanisms where applicable.
- Data minimization: Collection and retention limited to what is reasonably necessary for providing the Services and meeting legal obligations.
- Incident response: Procedures to assess, contain, investigate, and remediate security incidents, and to notify Customers as required under this DPA and applicable law.
- Personnel confidentiality: Confidentiality obligations for personnel with access to Personal Data.
Exhibit C — Additional Information on Technical and Organizational Measures
- Data stores used for account/service administration: Company uses a managed authentication system and database to store user accounts, organizations, API keys, subscription references, and usage history/aggregates.
- Object storage: Customer-provided images uploaded through the Service (for example: organization avatars and temporary uploads for administrative tooling) are stored in managed object storage.
- Billing segregation: Payment card data is processed by the payment processor; Company does not store full payment card details on its systems.
- Operational notifications: Operational notifications and customer-submitted feedback may be forwarded to internal communication tools to facilitate support and incident response.
Schedule A — SCC Annexes (Annex I–III)
This Schedule A provides the information for Annex I, Annex II, and Annex III referenced by the EU SCCs (Commission Implementing Decision (EU) 2021/914) and, where applicable, serves as the corresponding annex information for the UK Addendum.
Annex I — List of Parties & Description of Transfer
A. List of Parties
- Data Exporter: Customer (as defined in the Agreement).
- Data Importer: Bakour Tech LLC, doing business as Brand.Dev ("Brand.dev") (the "Company"), 1007 N Orange St. 4th Floor Suite #1839, Wilmington, DE 19801, United States.
B. Description of Transfer
- Categories of Data Subjects: As described in Exhibit A, Section 4.
- Categories of Personal Data: As described in Exhibit A, Section 5.
- Sensitive data: The Services are not intended to process Sensitive Information; Customer should not submit Sensitive Information through the Services.
- Frequency of transfer: Continuous / on demand, initiated by Customer and Customer users when using the Services.
- Nature of processing: As described in Exhibit A, Sections 3 and 6.
- Purpose(s) of transfer: Provision of the Services, account administration, security, billing, support, and analytics, as described in Exhibit A.
- Retention: As described in Exhibit A, Section 2, and the Agreement.
- Transfers to (sub-)processors: As described in this DPA (including Section 5) and Exhibit A, Section 8, and the Company's Sub-Processor disclosures.
Annex II — Technical and Organizational Measures
The technical and organizational measures are described in Exhibit B (Security Measures) and Exhibit C (Additional Information on Technical and Organizational Measures) of this DPA.
Annex III — List of Sub-Processors
The up-to-date list of Sub-Processors is made available at https://www.brand.dev/dpa/subprocessors.
If there is any inconsistency between this Schedule A and the Sub-Processor list, the Sub-Processor list governs as to the identity of Sub-Processors and their locations.
