Important: This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service between HMD Corp and you, governing the processing of personal data on your behalf. This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR and other applicable data protection laws.
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
In this DPA, unless the context otherwise requires:
- "Controller" means you, the Customer, who determines the purposes and means of processing Personal Data.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, LGPD, CCPA, PIPEDA and any successor legislation.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction.
- "Processor" means HMD Corp, which processes Personal Data on behalf of the Controller.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.2 Roles of the Parties
For the purposes of this DPA: (a) you are the Controller with respect to any Personal Data contained in your Customer Data (such as your email contacts' information); and (b) we are the Processor, processing Personal Data only on your behalf and in accordance with your documented instructions. Nothing in this DPA shall be construed to create a joint controller relationship.
2. SCOPE OF PROCESSING
2.1 Subject Matter and Duration
This DPA governs our processing of Personal Data to provide you with the Notify'n AI-powered multi-channel marketing platform and related services. Processing will continue for the duration of the Service Agreement and for such period thereafter as required to complete our obligations under this DPA.
2.2 Nature and Purpose of Processing
We process Personal Data for the following purposes:
- Delivering campaigns to your contacts on your behalf across email, SMS, WhatsApp, push notification and voice channels
- Storing and managing your contact lists and subscriber data
- Tracking multi-channel engagement (opens, clicks, deliveries, reads, bounces, unsubscribes, call events)
- Providing analytics and reporting on campaign performance
- Processing unsubscribe and opt-out requests and maintaining suppression lists
- Providing AI-powered features such as send time optimisation, channel selection and content generation
- Building and maintaining behavioural profiles (Contact DNA) at contact, demographic and overall tiers for prediction and optimisation
- Generating anonymised, aggregated analytics and benchmarks from engagement data
- Technical support and troubleshooting
- Fraud prevention and security
2.3 Types of Personal Data
The following categories of Personal Data may be processed:
- Contact Information: Email addresses, names, phone numbers, physical addresses
- Custom Data: Any custom fields or data you choose to upload about your contacts
- Engagement Data: Email open/click events, SMS delivery/read receipts, WhatsApp read receipts, push notification taps, voice call connection/duration data, timestamps, IP addresses, device/browser information
- Behavioural Profile Data: AI-derived engagement scores, channel preference scores, optimal timing windows and demographic-tier aggregations (Contact DNA)
- Preference Data: Subscription status, consent records, communication preferences, channel opt-in/opt-out status
- Segmentation Data: Tags, lists, segments and groupings you assign to contacts
- Voice Data: Call metadata (duration, connection status, timestamps); call audio is not recorded or stored unless you enable call recording, in which case recordings are stored for the retention period you configure
2.4 Categories of Data Subjects
- Your marketing contacts across all channels (email, SMS, WhatsApp, push, voice)
- Your customers, leads and prospects
- Your employees and team members (for account management)
- Any other individuals whose data you upload to the Service
2.5 Special Categories of Data
You must not upload special categories of personal data (as defined in Article 9 of the GDPR), including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning sex life or sexual orientation, unless you have obtained explicit consent and have a specific agreement with us.
3. CONTROLLER OBLIGATIONS
3.1 Lawful Basis
You represent, warrant and covenant that:
- You have and will maintain a lawful basis for processing Personal Data under applicable Data Protection Laws
- You have obtained all necessary consents from Data Subjects for the processing contemplated by this DPA
- You have provided all required notices and disclosures to Data Subjects
- The Personal Data you provide has been collected in accordance with applicable laws
3.2 Instructions
Your instructions for processing are set forth in this DPA, the Service Agreement and through your configuration and use of the Service. Any additional or alternative instructions require our prior written agreement and may be subject to additional fees.
3.3 Compliance
You are solely responsible for compliance with Data Protection Laws in your capacity as Controller, including: (a) determining the purposes and legal basis for processing; (b) ensuring data quality and accuracy; (c) honouring Data Subject rights; (d) maintaining records of processing activities.
4. PROCESSOR OBLIGATIONS
4.1 Processing Instructions
We shall:
- Process Personal Data only on your documented instructions, unless required by applicable law, in which case we will notify you (unless prohibited)
- Immediately inform you if we believe an instruction infringes Data Protection Laws
- Not process Personal Data for our own purposes except to the extent necessary to provide the Service
4.2 Confidentiality
We shall:
- Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need access to perform their duties
- Ensure personnel receive appropriate training on data protection
4.3 Security Measures
We implement and maintain appropriate technical and organisational security measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include:
- Encryption: AES-256 encryption at rest, TLS 1.3 in transit
- Access Controls: Role-based access, multi-factor authentication, audit logging
- Network Security: Firewalls, intrusion detection, DDoS protection
- Physical Security: SOC 2 certified data centres, biometric access
- Operational Security: Vulnerability management, penetration testing, incident response
- Business Continuity: Automated backups, disaster recovery, geographic redundancy
See our Security page for additional details.
4.4 Data Subject Rights
We shall assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. We will notify you promptly upon receiving any such request directly.
4.5 Data Protection Impact Assessments
Upon reasonable request, we shall provide you with information reasonably necessary to conduct data protection impact assessments or prior consultations with supervisory authorities, as required under applicable Data Protection Laws.
5. SUB-PROCESSORS
5.1 Authorization
You hereby authorize us to engage Sub-processors to process Personal Data on your behalf, subject to the conditions in this Section. A current list of our Sub-processors is available at our Subprocessors page.
5.2 Sub-processor Obligations
Before engaging any Sub-processor, we shall:
- Enter into a written agreement with the Sub-processor imposing data protection obligations no less protective than this DPA
- Conduct appropriate due diligence on the Sub-processor's security measures
- Remain liable to you for the Sub-processor's compliance with data protection obligations
5.3 Changes to Sub-processors
We will notify you of any intended changes to Sub-processors at least 30 days before the change. You may object to a new Sub-processor by notifying us in writing within 14 days of our notification. If we cannot reasonably accommodate your objection, you may terminate the affected Services.
6. INTERNATIONAL DATA TRANSFERS
6.1 Transfer Mechanisms
Personal Data may be transferred to and processed in countries outside the European Economic Area ("EEA"), United Kingdom, or other jurisdictions with data transfer restrictions. We ensure that such transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- UK Addendum to the EU SCCs for transfers from the UK
- Adequacy decisions by the European Commission where applicable
- Binding Corporate Rules where implemented by Sub-processors
6.2 Standard Contractual Clauses
Where required by Data Protection Laws, the parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor), which are hereby incorporated by reference. For the purposes of the SCCs:
- The data exporter is the Controller (you)
- The data importer is the Processor (HMD Corp)
- The governing law shall be that of Ireland (or your EU member state if you are established in the EU)
- The competent supervisory authority shall be determined based on your establishment
6.3 Supplementary Measures
We implement supplementary technical and organisational measures to ensure an adequate level of protection for transfers, including encryption, pseudonymisation where appropriate and security certifications.
7. PERSONAL DATA BREACH NOTIFICATION
7.1 Notification
We shall notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Personal Data processed on your behalf. Notification shall include:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
- Contact details for obtaining further information
- A description of the likely consequences of the breach
- A description of measures taken or proposed to address the breach
7.2 Cooperation
We shall cooperate with you and provide reasonable assistance in: (a) investigating the breach; (b) meeting your notification obligations to supervisory authorities and Data Subjects; and (c) mitigating the effects of the breach.
7.3 Your Obligations
You are solely responsible for determining whether a Personal Data Breach triggers notification obligations to supervisory authorities or Data Subjects under applicable Data Protection Laws, and for making such notifications.
8. AUDITS AND COMPLIANCE
8.1 Audit Information
We shall make available to you:
- Our SOC 2 Type II report (under NDA)
- Results of penetration testing and security assessments (summary form)
- Documentation of our security measures and certifications
- Responses to reasonable security questionnaires
8.2 Audit Rights
Upon reasonable written request (no more than annually), and subject to confidentiality obligations, we shall allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Such audits shall be conducted during normal business hours, with reasonable advance notice, and shall not unreasonably interfere with our business operations.
8.3 Audit Costs
You shall bear the costs of any audits you conduct. If an audit reveals a material breach of this DPA, we shall bear the reasonable costs of that specific audit.
9. RETURN AND DELETION OF DATA
9.1 During the Term
You may export your data at any time through the Service's export functionality. We provide data export in standard, machine-readable formats.
9.2 Upon Termination
Upon termination or expiration of the Service Agreement, at your election:
- Return: We will provide you with a copy of your data in a standard format
- Deletion: We will delete Personal Data within 30 days of termination, except as required by applicable law
If you do not make an election within 30 days of termination, we will proceed with deletion.
9.3 Exceptions
We may retain Personal Data after termination to the extent required by applicable law, for backup retention periods or to resolve disputes. Any retained data will continue to be protected in accordance with this DPA.
10. LIABILITY
10.1 Liability Cap
Each party's total aggregate liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Service Agreement.
10.2 Indemnification
You shall indemnify, defend and hold us harmless from any claims, damages or expenses arising from your breach of this DPA, your violation of Data Protection Laws in your capacity as Controller, or your instructions that cause us to violate applicable laws.
11. GENERAL PROVISIONS
11.1 Conflict
In the event of any conflict between this DPA and the Service Agreement with respect to data protection matters, this DPA shall prevail.
11.2 Term
This DPA shall remain in effect for as long as we process Personal Data on your behalf.
11.3 Amendments
We may update this DPA to reflect changes in Data Protection Laws or our processing practices. Material changes will be notified to you in advance.
11.4 Governing Law
This DPA shall be governed by the same law that governs the Service Agreement, except that the Standard Contractual Clauses shall be governed as specified therein.
12. CONTACT INFORMATION
For questions or requests regarding this DPA or data protection:
HMD Corp - Data Protection Team
- Data Protection Officer: dpo@notifyn.net
- Privacy Inquiries: privacy@notifyn.net
- Legal Department: legal@notifyn.net
- EU Representative: eu-rep@notifyn.net
- UK Representative: uk-rep@notifyn.net
© 2026 HMD Corp. All rights reserved.