Whereas,

in connection with the performance of its obligations under the Agreement, Processor may Process Controller Personal Data (both as defined below) on behalf of the Controller; and

Whereas,

the parties wish to set forth the mutual obligations with respect to the Processing of Controller Personal Data by the Processor;

Now therefore, intending to be legally bound, the parties hereby agree as follows:

  1. Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:

1.1. "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest in the subject entity.

1.2. "Applicable Law" means whichever of the following legal regimes is applicable to the Processing of Personal Data under this DPA:

1.2.1. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") and laws implementing or supplementing the GDPR;

1.2.2. The GDPR as amended and adopted into UK law in accordance with the European Union (Withdrawal) Act 2018 and the UK's Data Protection Act, 2018 (collectively, "UK GDPR");

1.2.3. The Swiss Data Protection Act, and its implementing regulations, as amended from time to time ("FADP");

1.2.4. The California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5 and the regulations thereunder, as amended by the California Consumer Privacy Rights Act of 2020 (collectively, "CCPA"); and/or

1.2.5. The Israel Protection of Privacy Law, 1981, all related regulations enacted thereunder and the Israel Privacy Protection Authority’s Guidelines and the Israeli Protection of Privacy Regulations (Information Security) – 2017 (collectively, "Israeli Privacy Law").

1.3. "Controller Personal Data" means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement.

1.4. "Data Protection Laws" means Applicable Law and, to the extent applicable, the data protection or privacy laws of any other applicable country or as agreed in writing between the Parties.

1.5. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of Personal Data to data importers established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in Commission Implementing Decision (EU) 2021/914 and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&qid=1640528660139&from=EN;

1.6. "UK Addendum" shall mean the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018.

1.7. "Sub Processor" means any person (excluding an employee of Processor or any Processor Affiliate) appointed by or on behalf of Processor or any Processor Affiliate to Process Controller Personal Data on behalf of the Controller in connection with the Agreement.

1.8. "Data Subject" shall mean the person whose Personal Data is Processed and both Data Subject as defined under the GDPR and Consumer as defined under the CCPA.

1.9. "Personal Data" shall mean Personal Data as defined under the GDPR, 'Personal Information' as defined under the CCPA and 'Information' or 'Personal Information' ('meida' or 'meida ishi') as defined under Israeli Privacy Law, in each case, as applicable.

1.10. "Processing" shall be as defined in the GDPR, the CCPA, and Israeli Privacy Law, in each case as applicable.

1.11. The terms "Controller", "Data Protection Officer", "Personal Data Breach", "Processor", and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.

1.12. The terms "Business", "Sell", "Share", and "Service Provider", shall have the meanings ascribed to them in the CCPA.

  2. Applicability and Roles of the Parties

2.1. For Processing subject to the GDPR, UK GDPR, and/or the FADP: When Controller Personal Data is subject to the GDPR, UK GDPR, and/or the FADP, Controller serves as a Controller of such Personal Data and Processor serves as a Processor on its behalf. In such case, the Applicable Law shall be as described in Sections 1.2.1, 1.2.2, and 1.2.3, respectively, and this DPA shall be interpreted accordingly.

2.2. For Processing subject to the CCPA: When Controller Personal Data is subject to the CCPA, Controller serves as a Business with respect to such Personal Data and Processor serves as a Service Provider on its behalf. In such case, the Applicable Law shall be as described in Section 1.2.4 and this DPA shall be interpreted accordingly.

2.3. For Processing subject to Israeli Privacy Law: When Controller Personal Data is subject to Israeli Law, Controller shall be considered the party controlling the database of Controller Personal Data and Processor serves as an outsourced service provider on its behalf. In such case, the Applicable Law shall be as described in Section 1.2.5 and this DPA shall be interpreted accordingly.

  3. Processing of Controller Personal Data

3.1. Processor shall Process Controller Personal Data on Controller's behalf and at Controller's instructions as specified in the Agreement and in this DPA, including without limitation with regard to transfers of Controller Personal Data to a third country or international organization. Any other Processing shall be permitted only in the event that such Processing is required by any Data Protection Laws to which the Processor is subject. In such event, Processor shall, unless prohibited by such Data Protection Laws on important grounds of public interest, inform Controller of that requirement before engaging in such Processing.

3.2. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to: (i) Process Controller Personal Data for the provision of the services, as detailed in the Agreement ("Services") and as otherwise set forth in this DPA, and/or as otherwise directed by Controller; (ii) transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law; and (iii) anonymize Controller Personal Data.

3.3. Controller sets forth the details of the Processing of Controller Personal Data in Schedule 1 (Details of Processing of Controller Personal Data), attached hereto.

3.4. For the avoidance of doubt, Controller hereby acknowledges and agrees that the Processor may use anonymized Controller Personal Data for its own purposes such as, without limitation, the maintenance and improvement of its Services, the training of AI models, and the development of new products and services.

3.5. For Processing subject to the CCPA: Processor undertakes that it shall not Sell or Share Personal Data when Processing Personal Data as a Service Provider and shall not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services to Controller and as otherwise permitted under the Agreement.

  4. Controller. Controller represents and warrants that it has and shall maintain throughout the term of the Agreement and this DPA, all necessary rights to provide the Controller Personal Data to Processor for the Processing to be performed in relation to the Services and in accordance with the Agreement and this DPA. To the extent required by Data Protection Laws, Controller is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the term of the Agreement and this DPA and/or as otherwise required under Data Protection Laws.

  5. International Data Transfers

5.1. To the extent that the Processor Processes Controller Personal Data relating to Data Subjects in the EU, Switzerland, or Israel and such Processing is subject to GDPR, FADP, or Israeli Privacy Law and the Processing takes place in countries outside of the European Economic Area that do not provide an adequate level of data protection, as determined by the relevant authority in the applicable jurisdiction, the Standard Contractual Clauses shall apply and shall be incorporated herein upon execution of this Agreement by the parties. Annexes 1 and 2 attached hereto shall apply as Annexes 1 and 2 of the Standard Contractual Clauses. The Standard Contractual Clauses are modular, containing numerous sections that each pertain to a specific type of entity or transfer. For the purposes of this DPA and any transfers of data to third countries pursuant hereto, only the modular sections pertaining to module two (Controller to Processor) of the Standard Contractual Clauses shall apply, in addition to all general sections therein. Processor agrees to cooperate with Controller for the implementation of any technical measures as may be deemed necessary to permit the transfer of Controller Personal Data to countries outside of the applicable jurisdiction on the basis of the Standard Contractual Clauses and agrees to provide information as needed in order to allow Controller to conduct a transfer impact assessment.

5.2. To the extent that the Processor Processes Controller Personal Data that is protected by and subject to the UK GDPR and the Processor Processes such data in a country other than the United Kingdom whose data protection laws were deemed inadequate by the United Kingdom, the UK SCCs shall apply and shall be incorporated herein upon execution of this Agreement by the parties. Annexes 1 and 2 attached hereto shall apply as Appendixes 1 and 2 of the UK SCCs. Processor agrees to cooperate with Controller for the implementation of any technical measures as may be deemed necessary to permit the transfer of Controller Personal Data to countries outside of the United Kingdom on the basis of the UK SCCs and agrees to provide information as needed in order to allow Controller to conduct a transfer impact assessment.

5.3. To the extent a data transfer which is subject to the Standard Contractual Clauses in accordance with Section 5.1 above ("International Transfer") originated in Switzerland and such data transfer is subject to the FADP, the following shall apply:

5.3.1. References in the Standard Contractual Clauses to the GDPR shall be interpreted to refer to the FADP.

5.3.2. The relevant supervisory authority for purposes of Clause 13 of the Standard Contractual Clauses shall be the Federal Data Protection and Information Commissioner of Switzerland.

5.3.3. The term "Member State" under the Standard Contractual Clauses will not be interpreted to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.

5.4. Processor shall ensure that any recipient of Controller Personal Data and involved in International Transfer is bound by the same data protection obligations as set out in this section, including the implementation of appropriate safeguards for international data transfers.

  6. Processor Employees. Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know and/or access basis and that all Processor employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Controller Personal Data.

  7. Security

7.1. Processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data as set forth in the Binding Security Document attached hereto as Schedule 2. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the nature of the Processing and the information available to the Processor.

7.2. For Processing subject to Israeli Privacy Law: Processor shall implement information security measures and take all necessary measures as per the Israeli Privacy Law, in order to maintain the integrity, availability, confidentiality, survival and reliability of Personal Information of the Data Subjects, and comply with all provisions of the Israeli Privacy Law, including, and without limitation, the obligations of an "external party" under section 15 of the Protection of Privacy Regulations (Data Security), 5777-2017, which a "database owner" must oblige an external party within the framework of an outsourcing agreement (as such terms are defined in the Israeli Privacy Law), and all which are hereby explicitly incorporated in this DPA.

7.3. Processor will report, at least once a year, to Controller on the manner in which it is complying with its obligations under the Israeli Privacy Law and this DPA.

  8. Personal Data Breach

8.1. Processor shall notify Controller without undue delay and, where feasible, immediately upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. In such event, Processor shall provide Controller with reasonable and available information to assist Controller in meeting any obligations to inform Data Subjects or Supervisory Authorities of the Personal Data Breach as required under Applicable Law.

8.2. At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of any Personal Data Breach.

  9. Sub Processing

9.1. Controller authorizes Processor to appoint (and permits each Sub Processor appointed in accordance with this Section 9 to appoint) Sub Processors in accordance with this Section 9.

9.2. Processor may continue to use those Sub Processors already engaged by Processor as identified to Controller as of the date of this DPA, as detailed in Annex 3.

9.3. Processor may appoint new Sub Processors and shall give notice of any such appointment to Controller. If, within seven (7) days of such notice, Controller notifies Processor in writing of any reasonable objections to the proposed appointment, Processor shall not appoint the proposed Sub Processor for the Processing of Controller Personal Data until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller's reasonable objections, each of Controller or Processor may, by written notice to the other party and with immediate effect, terminate the Agreement to the extent that it relates to the Services requiring the use of the proposed Sub Processor. In such event, the terminating party shall not bear any liability for such termination.

9.4. With respect to each new Sub Processor, Processor shall:

9.4.1. Prior to the Processing of Controller Personal Data by Sub Processor, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that Sub Processor is committed and able to provide the level of protection for Controller Personal Data required by this DPA; and

9.4.2. ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms that offer a materially similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Applicable Law.

9.5. Processor shall remain fully liable to the Controller for the performance of any Sub Processor's obligations.

  10. Data Subject Rights

10.1. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall, at Controller's sole expense, use commercially reasonable efforts to assist Controller in fulfilling Controller's obligations with respect to such Data Subject requests, as required under Data Protection Laws.

10.2. Upon receipt of a request from a Data Subject under any Data Protection Laws in respect to Controller Personal Data, Processor shall promptly notify Controller of such request and shall not respond to such request except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Data Protection Laws, inform Controller of such legal requirement prior to responding to the request.

  11. Data Protection Impact Assessment and Prior Consultation. At Controller's written request and expense, the Processor and each Sub Processor shall provide reasonable assistance to Controller with respect to any Controller Personal Data Processed by Processor and/or a Sub Processor, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws.

  12. Deletion or Return of Controller Personal Data. Processor shall promptly and in any event within 60 (sixty) days of the date of cessation of provision of the Services to Controller involving the Processing of Controller Personal Data, delete, return, or anonymize all copies of such Controller Personal Data, provided however that Processor may retain Controller Personal Data, as permitted by applicable law.

  13. Audit Rights

13.1. Subject to Sections 13.2 and 13.3, Processor shall make available to an auditor mandated by Controller in coordination with Processor, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.

13.2. Any audit or inspection shall be at Controller's sole expense, and subject to Processor's reasonable security policies and obligations to third parties, including with respect to confidentiality. The results of any audit or inspection shall be considered the confidential information of the Processor and shall be treated with the same degree of care as Controller affords its own confidential information.

13.3. Controller and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to the Processors' premises, equipment, employees and business and shall not interfere with the Processor's day-to-day business. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection and the reimbursement rate, for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:

13.3.1. to any individual, unless he or she produces reasonable evidence of identity and authority;

13.3.2. if Processor was not given a prior written notice of such audit or inspection;

13.3.3. outside of normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or

13.3.4. for the purposes of more than one (1) audit or inspection in any calendar year, except for any additional audits or inspections which:

13.3.4.1. Controller reasonably considers necessary because of genuine concern as to Processor's compliance with this DPA; or

13.3.4.2. Controller is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.

13.3.5. Processor shall immediately inform Controller if, in its opinion, an instruction received under this DPA infringes the GDPR or other applicable Data Protection Laws.

  14. Limitation of Liability. Controller shall indemnify and hold Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Data Protection Laws by Controller. Each party's liability toward the other party shall be subject to the limitations on liability under the Agreement.

  15. General Terms

15.1. Governing Law and Jurisdiction

15.1.1. The parties to this DPA hereby agree that the competent courts in Ireland shall have exclusive jurisdiction regarding all disputes hereunder, and the parties expressly consent to such jurisdiction.

15.1.2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Ireland. To the extent that the Standard Contractual Clauses apply, the abovementioned jurisdiction shall be deemed the jurisdiction specified in Clause 17 of the Standard Contractual Clauses, provided that such law allows for third-party beneficiary rights.

15.2. Order of Precedence

15.2.1. Nothing in this DPA reduces Processor's obligations under the Agreement in relation to the protection of Controller Personal Data or permits Processor to Process (or permit the Processing of) Controller Personal Data in a manner that is prohibited by the Agreement.

15.2.2. This DPA is not intended to, and does not in any way limit or derogate from Controller's obligations and liabilities towards the Processor under the Agreement and/or pursuant to Data Protection Laws or any law applicable to Controller in connection with the collection, handling and use of Controller Personal Data by Controller or other processors or their sub processors, including with respect to the transfer or provision of Controller Personal Data to Processor and/or providing Processor with access thereto.

15.2.3. Subject to this Section 15.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. In the event of inconsistencies between the provisions of this DPA and the Standard Contractual Clauses or UK Addendum (to the extent either applies), the Standard Contractual Clauses or UK Addendum, as applicable, shall prevail.

15.3. Changes in Data Protection Laws

15.3.1. Controller may, by at least 45 (forty five) calendar days' prior written notice to Processor, request in writing any variations to this DPA if they are required as a result of any change in or decision of a competent authority under any Data Protection Laws in order to allow Controller Personal Data to be Processed (or continue to be Processed) without breach of that Data Protection Laws.

15.3.2. If Controller gives notice with respect to its request to modify this DPA under Section 15.3.1, (i) Processor shall make commercially reasonable efforts to accommodate such modification request and (ii) Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.

15.4. Severance. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

List of Sub-Processors as of the Date of This DPA

In accordance with Clause 9.2, the controller has authorized the use of the following sub-processors.

Sub-Processors We Use

To provide our services, we engage certain third-party vendors who process personal data on our behalf (“Sub-Processors”). These vendors support functionality such as hosting, analytics, communications, authentication, payments, and artificial intelligence features within our product.

Each Sub-Processor only processes data to the extent necessary to deliver its specific service, and always under a data processing agreement (DPA) that meets GDPR requirements. We carefully evaluate all Sub-Processors for security, compliance, and data protection standards.

Categories of processing activities include:

  • Cloud infrastructure & storage — hosting, databases, file storage
  • AI and cognitive services — text, image, audio, and document processing
  • Analytics — understanding product usage and improving user experience
  • Email/SMS delivery — transactional and system messaging
  • Payments — secure processing of billing and payment methods
  • Authentication & identity — enabling secure login and account management

We may update this list as our services evolve. When required, we will notify customers in accordance with our contractual and legal obligations.

| Vendor | Category | Purpose | Description of Processing | Data Categories Processed | Location / Data Residency | License Type |
|---|---|---|---|---|---|---|
| Google Gemini | AI Processing | Generative AI (text, vision, multimodal) | Processes user-provided text, images, audio, or documents to generate responses | User-provided text, images, audio, documents, metadata | Global (depends on Google Cloud config) | Proprietary SaaS (Google Cloud Terms & DPA) |
| Azure Cognitive Services | AI Processing | Audio/vision/language cognitive APIs | Processes speech, text, images, and documents through Azure Cognitive AI services | User audio, text, images, documents, metadata | Region-specific (EU available) | Proprietary SaaS (Microsoft OST & DPA) |
| Mixpanel | Analytics | Product analytics | Tracks user activity, funnels, and behavioral metrics | Usage data, identifiers, events | EU/US (depends on Mixpanel region) | Proprietary SaaS (Mixpanel Terms & DPA) |
| Hotjar | Analytics | Behavior analytics & session insights | Collects user interaction data for UX analysis (heatmaps, recordings, widgets) | IP address (masked), device data, behavior data | EU (Malta) | Proprietary SaaS (Hotjar Terms & DPA) |
| Google Analytics (GA4) | Analytics | Product analytics & website measurement | Collects aggregated usage analytics and user interaction metrics | IP address, device data, usage behavior | Global (localized per GA4 EU controls) | Proprietary SaaS (GA Terms & DPA) |
| Product Fruits | Analytics & Onboarding | User onboarding & product tours | Provides onboarding flows and user activity insights | User identifiers, usage events | EU (Czech Republic) | Proprietary SaaS (Product Fruits Terms & DPA) |
| Microsoft Azure | Cloud Provider | Hosting & Infrastructure | Cloud infrastructure hosting including VMs, PostgreSQL, Cognitive Services, Static Web Apps | User account data, application data, logs, usage data | Global | Proprietary Cloud Services (Microsoft OST & DPA) |
| Azure Storage (Blob) | Cloud Storage | Object/file storage | Stores user-uploaded files (images, documents, media) | Files, metadata | EU East | Proprietary SaaS (Microsoft OST & DPA) |
| Twilio (SMS) | Communication | SMS delivery | Sends SMS notifications and authentication messages | Phone number, message metadata | Global | Proprietary SaaS (Twilio Terms & DPA) |
| SendGrid (Twilio Email) | Communication | Transactional email | Sends transactional and system emails | Email addresses, email metadata | Global | Proprietary SaaS (Twilio/SendGrid Terms & DPA) |
| Azure Communication Services | Communication | Transactional email delivery | Sends system and notification emails | Email, metadata | EU/Global | Proprietary SaaS (Microsoft OST & DPA) |
| Brevo (Sendinblue) | Email & Marketing SaaS | Transactional + marketing email & CRM | Sends emails and stores contact information | Email, name, message metadata | EU (France) | Proprietary SaaS (Brevo Terms & DPA) |
| Stripe | Payments | Payment processing | Handles payment data and billing operations | Email, payment method tokens, billing info | US/EU (depends on region) | Proprietary SaaS (Stripe Terms & DPA) |
| OpenAI API | SaaS SDK | AI text/audio/document processing | Processes user text, documents, or audio (Speech/Whisper) | User-provided content (text/audio/files), metadata | Global (US default unless Azure OpenAI used) | Proprietary SaaS (OpenAI Terms & DPA) |
| Google Maps Platform | SaaS SDK | Maps & Geolocation Services | Loads and renders embedded Google Maps components and location features | IP address, location lookup data (if used) | Global | Proprietary SaaS (Google Maps Terms & DPA) |
| Firebase Auth | SaaS SDK | Authentication | User identity management and account authentication | Email, name, provider IDs, metadata | Global (Google Cloud regions) | Proprietary SaaS (Google Cloud Terms & Firebase DPA) |
| Firebase Admin SDK | SaaS SDK | Backend Firebase integration | Server-side authentication and user management | Account identifiers, metadata | Global | Proprietary SaaS (Google Cloud Terms & Firebase DPA) |
| Azure Cognitive Services | SaaS SDK | AI audio & cognitive processing | Speech-to-text, Whisper model, and cognitive APIs | User audio, text, image/file content | EU/Global (depends on region) | Proprietary SaaS (Microsoft OST & DPA) |

© For Posterity Ltd, 2026. All rights reserved.
