Data Processing Addendum
Last updated: May 26, 2026
How to execute. This Data Processing Addendum ("DPA") is automatically incorporated by reference into the Terms of Service between you and EngagementAmp and applies to the extent EngagementAmp processes Customer Personal Data on your behalf. No signature is required to make it effective. If your procurement team requires a countersigned copy, email support@engagementamp.com with your legal entity name, address, and signer details, and we will return a countersigned PDF within 5 business days.
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer identified in the underlying order form, statement of work, or sign-up flow ("Customer") and EngagementAmp ("EngagementAmp", "we", or "us") for the provision of the EngagementAmp service (the "Agreement").
In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.
1. Definitions
- "Applicable Data Protection Law" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including (where applicable) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively "CCPA"), and comparable state-level laws in the U.S. (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, Kentucky, Indiana, and Florida).
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law. The terms "Business", "Service Provider", "Sell", "Share", and "Sensitive Personal Information" have the meanings given in the CCPA.
- "Customer Personal Data" means Personal Data that EngagementAmp processes on behalf of the Customer in the course of providing the Service under the Agreement, as further described in Schedule 1.
- "Sub-processor" means any third-party Processor engaged by EngagementAmp to process Customer Personal Data on behalf of Customer.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914, and where applicable, the UK International Data Transfer Addendum issued by the Information Commissioner's Office.
- "Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
2. Roles & scope
The parties acknowledge that with respect to Customer Personal Data, Customer is the Controller (or, where applicable under CCPA, the Business), and EngagementAmp is the Processor (or, where applicable under CCPA, the Service Provider). EngagementAmp will process Customer Personal Data only on Customer's documented instructions, including those set out in the Agreement and this DPA, and as required by applicable law (in which case EngagementAmp will inform Customer of that legal requirement before processing, unless prohibited by law).
3. CCPA / U.S. state-law restrictions
With respect to Customer Personal Data subject to the CCPA or comparable U.S. state laws, EngagementAmp will:
- Not Sell or Share Customer Personal Data and not retain, use, or disclose Customer Personal Data for any purpose other than the specific business purpose of providing the Service as set out in the Agreement, including not retaining, using, or disclosing it for any commercial purpose other than providing the Service.
- Not process Customer Personal Data outside the direct business relationship between Customer and EngagementAmp.
- Not combine Customer Personal Data with personal information that EngagementAmp receives from, or on behalf of, another person or collects from its own interaction with the Data Subject, except as permitted by applicable law.
- Comply with applicable CCPA obligations and provide the same level of privacy protection as required by CCPA.
- Notify Customer if EngagementAmp determines that it can no longer meet its CCPA obligations and allow Customer to take reasonable and appropriate steps to stop and remediate unauthorized use.
4. Customer responsibilities
Customer is responsible for: (a) the accuracy, quality, and legality of Customer Personal Data; (b) ensuring that Customer has a valid legal basis for the processing it instructs EngagementAmp to perform; (c) providing required notices to Data Subjects; and (d) obtaining any required consents. Customer warrants that its instructions to EngagementAmp comply with Applicable Data Protection Law.
5. Confidentiality & personnel
EngagementAmp will ensure that its personnel who process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on the importance of protecting Customer Personal Data.
6. Security
EngagementAmp will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against Security Incidents and to preserve the security and confidentiality of Customer Personal Data. Current measures are described in Schedule 2. EngagementAmp may update these measures from time to time provided they do not materially reduce the overall security of the Service.
7. Security incidents
EngagementAmp will notify Customer of a Security Incident affecting Customer Personal Data without undue delay and in any event within 72 hours after becoming aware. Notification will include, to the extent known, the nature of the Security Incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the Security Incident. EngagementAmp will reasonably cooperate with Customer in investigating and remediating the Security Incident.
8. Sub-processors
Customer authorizes EngagementAmp to engage the Sub-processors listed at /sub-processors and any successors. EngagementAmp will:
- Enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar to those in this DPA.
- Remain liable for the acts and omissions of its Sub-processors with respect to Customer Personal Data.
- Provide at least 30 days' prior notice of any new Sub-processor by updating the list at /sub-processors and, where Customer has subscribed to notifications, by email.
- Allow Customer to object on reasonable data-protection grounds within the 30-day notice period. If the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service for cause and receive a pro-rata refund of prepaid fees.
9. International transfers
Customer authorizes EngagementAmp and its Sub-processors to transfer Customer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, provided that EngagementAmp puts in place an appropriate transfer mechanism. To the extent EngagementAmp transfers Customer Personal Data subject to the GDPR, UK GDPR, or FADP from those regions to a country that has not been the subject of an adequacy decision, the parties incorporate the SCCs (Module Two: Controller-to-Processor) into this DPA, with: (i) the optional docking clause (Clause 7) included; (ii) Option 2 of Clause 9 (general written authorization) with the time period in Section 8 of this DPA; (iii) Option 1 of Clause 17 (governed by the law of Ireland); (iv) Clause 18 specifying the courts of Ireland; (v) Annex I.A populated with the parties' identities; (vi) Annex I.B populated with the details in Schedule 1; (vii) Annex I.C identifying the Irish Data Protection Commission as the competent supervisory authority; and (viii) Annex II populated with the measures in Schedule 2. For UK transfers, the UK Addendum (in force on 21 March 2022) applies and is incorporated by reference, with Part 1 Tables populated by reference to the SCC annexes above. For Swiss transfers, the SCCs apply with references to the GDPR being read as references to the FADP, and the competent supervisory authority being the Swiss Federal Data Protection and Information Commissioner.
10. Data subject rights & cooperation
Taking into account the nature of the processing, EngagementAmp will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to Data Subject requests under Applicable Data Protection Law. If EngagementAmp receives a Data Subject request directly, it will (unless legally prohibited) promptly forward it to Customer and not respond except on Customer's instructions. EngagementAmp will reasonably assist Customer with data protection impact assessments and consultations with Supervisory Authorities to the extent required by Articles 35 and 36 of the GDPR.
11. Audits
EngagementAmp will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. On request and no more than once per year (except following a Security Incident or as required by a Supervisory Authority), EngagementAmp will respond in good faith to reasonable written audit inquiries from Customer, including by providing written responses, security questionnaires, and copies of third-party certifications and audit reports where available. On-site audits will be conducted only at a mutually agreed time and scope and only by an independent third-party auditor bound by confidentiality, with at least 30 days' prior written notice, at Customer's expense.
12. Deletion & return of data
On termination or expiration of the Agreement, EngagementAmp will, at Customer's choice, delete or return all Customer Personal Data in its possession within 60 days, except to the extent EngagementAmp is required by applicable law to retain some or all of the Customer Personal Data. Any retained data will continue to be protected in accordance with this DPA.
13. Liability
Each party's liability arising out of or in connection with this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, those limitations apply across this DPA, the SCCs, and the Agreement, in aggregate.
14. General
This DPA is governed by the law specified in the Agreement, except where Applicable Data Protection Law requires another governing law. If any provision of this DPA is held to be invalid or unenforceable, the remainder remains in force. This DPA may only be modified by a written amendment signed by both parties or by EngagementAmp updating this page, provided that material changes will take effect 30 days after notice to Customer.
Schedule 1 — Details of processing
- Subject matter & duration. The provision of the EngagementAmp service, for the duration of the Agreement and any period thereafter during which EngagementAmp is required to retain Customer Personal Data.
- Nature & purpose of processing. Hosting, authentication, retrieving metrics from third-party services authorized by Customer (e.g., Google Analytics, Google Search Console), generating reports, displaying dashboards, sending operational notifications, and related operations necessary to provide the Service.
- Categories of Data Subjects. Customer's employees, representatives, and end users; and individuals whose data appears in the third-party services Customer connects to the EngagementAmp dashboard (e.g., visitors to Customer's website measured by Google Analytics or Search Console).
- Categories of Personal Data. Names, business email addresses, phone numbers, account identifiers, OAuth tokens, IP addresses, device and browser metadata, usage and log data, and any other Personal Data that Customer submits to or connects with the Service.
- Sensitive Personal Data. None expected. Customer agrees not to use the Service to process Sensitive Personal Data without our prior written agreement.
- Frequency. Continuous, on demand.
- Retention. As set out in Section 5 of the Privacy Policy and Section 12 of this DPA.
- Sub-processors. As listed at /sub-processors.
Schedule 2 — Technical & organizational measures
- Encryption in transit. All Customer Personal Data is transmitted over TLS 1.2 or higher.
- Encryption at rest. The primary database and object storage encrypt data at rest with AES-256 or equivalent.
- Access controls. Role-based access control and row-level security restrict data access to authorized personnel and to the Customer's own account. OAuth refresh tokens are encrypted at rest and used only server-side.
- Authentication. HTTP-only secure session cookies, short-lived JWT sessions, separate elevated session for admin role.
- Application security. Rate limiting and CSRF protection on every API route, Zod schema validation of all inbound payloads, standard security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).
- Logging & monitoring. Request and security logs are retained for up to 90 days and are reviewed for anomalies.
- Personnel. Personnel with access to Customer Personal Data are bound by confidentiality and trained on data protection.
- Vendor management. Sub-processors are reviewed before engagement and contractually bound to substantially similar data protection obligations.
- Backup & resilience. Managed database backups with point-in-time recovery via our hosting providers.
- Incident response. Documented procedure for detection, containment, notification, and post-incident review.
