Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Crossdeck Terms of Service between the Customer and Crossdeck (the "Processor" or "Crossdeck") and governs Crossdeck's Processing of Personal Data on the Customer's behalf in connection with the Service. Where a conflict exists between this DPA and the Terms of Service in respect of Personal Data processing, this DPA prevails.
This DPA is drafted to the GDPR / UK GDPR processor floor, with regime-specific provisions for the additional regimes set out in §1.5. It incorporates the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 2 and, where relevant, Module 3), the UK International Data Transfer Addendum (ICO template, version B1.0, 21 March 2022), and the Swiss FDPIC SCC adaptation, each by reference.
1. Definitions & scope of applicable law
1.1 The defined terms below have the meanings set out below; where this DPA uses terms defined in the EU SCCs and not in this DPA, those terms have the meanings given in the EU SCCs.
- "Applicable Data Protection Law" means, collectively, every privacy, data protection, or data security law that applies to the Processing of Personal Data under this DPA, including: GDPR (Regulation (EU) 2016/679); UK GDPR (Data Protection Act 2018 read with Regulation 2016/679 as incorporated into UK law); the Swiss Federal Act on Data Protection (revFADP); CCPA (Cal. Civ. Code §§ 1798.100 et seq.) as amended by CPRA; Virginia CDPA; Colorado CPA; Connecticut CTDPA; Utah UCPA; Texas TDPSA; PIPEDA (Canada); LGPD (Brazil, Law No. 13.709/2018); POPIA (South Africa, Act 4 of 2013); APPI (Japan, Act on the Protection of Personal Information); PIPL (China, Personal Information Protection Law); and any successor or equivalent legislation. Where multiple regimes apply, the stricter applies to the relevant Processing.
- "Customer Personal Data" means Personal Data that the Customer (acting as Controller) transmits to, or causes to be transmitted to, the Service for Processing on the Customer's behalf. Customer Personal Data does not include SDK Diagnostic Telemetry (defined below).
- "Controller" means the natural or legal person which alone or jointly with others determines the purposes and means of the Processing of Personal Data. The terms "business" (CCPA) and "responsible party" (POPIA) are treated as equivalent for the purposes of this DPA, with appropriate regime-specific adjustments at §2.5.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates. The term "consumer" (CCPA) is treated as equivalent.
- "Personal Data" means any information that relates to an identified or identifiable natural person, including (without limitation) "personal information" (CCPA, POPIA), "personal data" (GDPR), "personal data" (LGPD), and "personally identifiable information" where the term is used in Applicable Data Protection Law.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- "Processor" means a natural or legal person which Processes Personal Data on behalf of the Controller. The terms "service provider" (CCPA), "contractor" (CCPA), "processor" (UK GDPR / LGPD / POPIA), and "operator" (LGPD) are treated as equivalent for the purposes of this DPA.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Article 4(2).
- "Sub-processor" means a third party engaged by Crossdeck to Process Personal Data on behalf of the Customer.
- "Restricted Transfer" means a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision under GDPR Article 45, UK Data Protection Act 2018 §17A, or the FDPIC equivalent, respectively.
- "EU SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK IDTA" means the International Data Transfer Addendum to the EU SCCs, version B1.0 (21 March 2022), issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018.
- "SDK Diagnostic Telemetry" means the telemetry transmitted by Crossdeck's SDK to Crossdeck for the operational reliability of the Service, as described in the Privacy Policy §6, for which Crossdeck acts as an independent Controller. This DPA does not govern that telemetry.
1.2 Regime-specific overlays. Where Applicable Data Protection Law grants Data Subjects rights, imposes obligations, or creates lawful bases that exceed the GDPR floor used in this DPA, the additional rule applies as an overlay. The named-regime list at §1.1 ("Applicable Data Protection Law") is the conclusive list of regimes the Parties have agreed to address; if a regime not on that list becomes applicable to a Processing activity, the Parties will negotiate an addendum in good faith within 60 days of becoming aware.
2. Roles & processing activities
2.1 Roles. For Customer Personal Data, the Customer is the Controller and Crossdeck is the Processor. Where the Customer is itself a Processor of a third party's Personal Data (a "Sub-Controller" scenario), Crossdeck acts as a Sub-Processor and Module 3 of the EU SCCs applies in addition to Module 2; the Customer warrants that it has the authority under its own Processor agreement with that third party to engage Crossdeck.
2.2 Scope of Processing. Crossdeck Processes Customer Personal Data only:
- to provide the Service to the Customer in accordance with the Terms of Service;
- to comply with the Customer's documented instructions, which include the use of the Service per its published API documentation and dashboard;
- to comply with Applicable Data Protection Law; and
- as further set out in Annex A to this DPA.
2.3 Independent controller activities — out of scope. This DPA does not apply to Crossdeck's Processing of (i) account data of the Customer's personnel for billing, support, and relationship management, or (ii) SDK Diagnostic Telemetry, each of which Crossdeck Processes as an independent Controller under its Privacy Policy.
2.4 Customer's instructions — limits. Crossdeck will inform the Customer if, in Crossdeck's reasonable opinion, an instruction infringes Applicable Data Protection Law. Crossdeck is not obliged to verify the lawfulness of an instruction; the Customer warrants its instructions comply with Applicable Data Protection Law.
2.5 CCPA-specific certifications. Crossdeck certifies that, in relation to Customer Personal Data of California Consumers: (i) it will not Sell or Share Personal Data within the meaning of CCPA / CPRA; (ii) it will not retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the Services or as otherwise permitted by CCPA / CPRA; (iii) it will not retain, use, or disclose Personal Data outside of the direct business relationship between the Customer and Crossdeck; and (iv) it will comply with Cal. Civ. Code §1798.140(j) and §1798.140(ag) restrictions on combination of Personal Data received from different sources.
2.6 POPIA-specific. Crossdeck is an Operator under POPIA §1 and processes Personal Information with the knowledge or authorisation of the Customer (Responsible Party) under POPIA §20. Crossdeck will treat Personal Information that comes to its knowledge as confidential and will not disclose it except as required by law or in the course of the proper performance of its duties.
3. Customer instructions
3.1 The Customer's instructions to Crossdeck for the Processing of Customer Personal Data are: (i) the Customer's use of the Service per the published API and dashboard documentation; (ii) any specific Processing operations the Customer initiates through the dashboard (data exports, deletions, data subject rights actions); (iii) any written supplemental instructions the Customer issues from a registered admin account.
3.2 Out-of-scope instructions. Crossdeck is not obliged to act on instructions that exceed the Service's functionality, that would cause Crossdeck to breach Applicable Data Protection Law, or that would require Crossdeck to combine Personal Data received from the Customer with Personal Data received from another Crossdeck Customer. Crossdeck may bill for time spent implementing supplemental instructions that materially exceed the scope of the Service at its then-current professional services rate, on prior written notice.
4. Sub-processors
4.1 General authorisation. The Customer authorises Crossdeck to engage Sub-processors to Process Customer Personal Data on the terms of this DPA. The list of Sub-processors authorised on the Effective Date is set out in Annex C and at cross-deck.com/legal/sub-processors.
4.2 Advance notice — 30 days. Crossdeck will give the Customer at least thirty (30) calendar days' advance written notice before engaging any new Sub-processor or making any material change to an existing Sub-processor relationship that materially affects Customer Personal Data Processing. Notice is given by email to the Customer's registered notification address and by an entry in the public Sub-processor list.
4.3 Right to object. The Customer may object to a new Sub-processor on reasonable, good-faith grounds related to data protection, by written notice to [email protected] within the 30-day notice window. If the Customer objects, the Parties will discuss the objection in good faith. If Crossdeck cannot reasonably accommodate the objection within 30 days of the objection, the Customer may terminate the affected portion of the Service or the entire Service by written notice, without penalty, and Crossdeck will refund pre-paid Service fees pro-rated to the termination date. Termination for this reason is the Customer's sole and exclusive remedy for an objected-to Sub-processor.
4.4 Sub-processor obligations. Crossdeck will: (i) impose on each Sub-processor data protection terms that are no less protective of Personal Data than those set out in this DPA, including the EU SCCs (Module 3) for Sub-processor onward transfers where applicable; (ii) remain liable to the Customer for the acts and omissions of its Sub-processors to the same extent as if those acts and omissions were Crossdeck's own; (iii) maintain a written list of Sub-processors and the categories of Customer Personal Data each Sub-processor Processes; (iv) confirm on Customer's written request that each Sub-processor's data residency aligns with the residency commitments made in the Sub-processor list.
5. Confidentiality
5.1 Crossdeck will ensure that all of its personnel authorised to Process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality, in each case surviving the termination of their engagement with Crossdeck.
5.2 Crossdeck will limit access to Customer Personal Data to those personnel who require access for the performance of their duties, on a least-privilege basis enforced by role-based access controls.
6. Security measures
6.1 Crossdeck will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The specific measures in force on the Effective Date are set out in Annex B.
6.2 Crossdeck may update Annex B from time to time provided that the overall level of protection is not reduced without the Customer's prior written consent. Material reductions in security posture are notified to the Customer at least 30 days in advance.
7. Personal Data Breach notification
7.1 Notification SLA — 24 hours from confirmation. Crossdeck will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within twenty-four (24) hours of Crossdeck's confirmation that a Personal Data Breach has occurred. The 24-hour clock runs from confirmation, not from time-of-occurrence; Crossdeck's confirmation requires (i) a reasonable factual basis that the criteria of a Personal Data Breach in §1.1 are met, (ii) attribution to a specific Customer's Personal Data, and (iii) escalation to a member of Crossdeck's security incident response team. Crossdeck will document the rationale for the confirmation timestamp in its incident response record and make that record available on the Customer's reasonable request.
7.2 Content of notification. Crossdeck's notification will include, to the extent then known: (i) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned; (ii) the name and contact details of Crossdeck's incident response lead; (iii) the likely consequences of the Personal Data Breach; (iv) the measures taken or proposed to address the Personal Data Breach and to mitigate its adverse effects. Where information cannot be provided in full at the time of initial notification, Crossdeck will provide updates as it becomes available.
7.3 Preliminary report — 72 hours. Within seventy-two (72) hours of the initial notification, Crossdeck will provide a written preliminary report covering the §7.2 items in greater detail and the immediate containment and mitigation steps taken.
7.4 Full root-cause analysis — 14 days. Within fourteen (14) calendar days of the initial notification, Crossdeck will provide a written full root-cause analysis covering: timeline of the incident, root cause, remediation taken, prevention measures implemented, and an assessment of the effectiveness of the remediation.
7.5 Cooperation. Crossdeck will reasonably cooperate with the Customer's investigation of the Personal Data Breach, including making relevant personnel and incident response records available to assist the Customer in fulfilling its own notification obligations to supervisory authorities and Data Subjects under Applicable Data Protection Law.
7.6 No admission. Notification of a Personal Data Breach under this clause is not, by itself, an admission by Crossdeck of fault or liability.
8. Data Subject rights assistance
8.1 Crossdeck will, taking into account the nature of the Processing, assist the Customer through appropriate technical and organizational measures, insofar as this is possible, to fulfil the Customer's obligation to respond to Data Subject rights requests under Applicable Data Protection Law (rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent, opt-out of sale / sharing).
8.2 Self-service. The Service provides built-in self-service mechanisms for the Customer to discharge most Data Subject rights requests directly via the dashboard and the API (data export, data deletion, opt-out flags, identity merge / unmerge). The mechanisms available on the Effective Date are described in Annex D.
8.3 Direct Data Subject contact. Where a Data Subject contacts Crossdeck directly with a rights request relating to Customer Personal Data, Crossdeck will (i) inform the Data Subject that the Customer is the Controller of the relevant Personal Data and direct them to the Customer, and (ii) notify the Customer of the request within 5 business days. Crossdeck will not act on a Data Subject rights request relating to Customer Personal Data without the Customer's documented instruction, except where required by Applicable Data Protection Law.
9. DPIA & prior consultation cooperation
9.1 Crossdeck will, on the Customer's reasonable written request and taking into account the nature of the Processing and the information available to Crossdeck, provide reasonable assistance to the Customer in: (i) conducting Data Protection Impact Assessments under GDPR Article 35 / equivalent; (ii) consulting with the relevant supervisory authority under GDPR Article 36 where required; (iii) producing records of Processing under GDPR Article 30.
9.2 Crossdeck publishes a DPIA-supporting pack at cross-deck.com/legal/security covering the standard inputs to a Customer DPIA (categories of data, recipients, retention, security measures, transfer mechanisms). For Customer-specific DPIA cooperation beyond the standard pack, Crossdeck may charge a reasonable professional services fee on prior written notice.
10. Audit rights & the SOC 2 substitute
10.1 Audit right. The Customer has the right, subject to this §10, to audit Crossdeck's compliance with this DPA once per twelve (12) month period and additionally without limitation following a Personal Data Breach affecting the Customer.
10.2 SOC 2 / equivalent substitute. Crossdeck satisfies the audit right primarily through the provision of third-party audit reports under recognised standards. Where the Customer accepts a current SOC 2 Type II report (or equivalent — ISO 27001 certification with Statement of Applicability covering the relevant control areas) as evidence of Crossdeck's compliance with this DPA, no on-site audit will be conducted in that audit cycle.
10.3 SOC 2 roadmap. Crossdeck is committed to obtaining SOC 2 Type II attestation. The audit period commences in the first calendar quarter of 2027; the initial report is expected by the third calendar quarter of 2027. Until the initial report is available, Crossdeck will, on Customer's written request, provide its current Security Overview, Sub-processor list, and a written response to a reasonable security questionnaire (capped at ninety (90) questions per audit cycle).
10.4 On-site audit terms. Where the Customer is entitled to and elects to conduct an on-site audit not satisfied by §10.2, the audit will be conducted: (i) on at least 30 days' advance written notice; (ii) during Crossdeck's normal business hours; (iii) in a manner that does not unreasonably interfere with Crossdeck's business or compromise Crossdeck's information security or the personal data of other Customers; (iv) by an independent auditor reasonably acceptable to Crossdeck (which acceptance will not be unreasonably withheld); (v) at the Customer's expense (including Crossdeck's reasonable internal personnel costs at its then-current professional services rate where the audit duration exceeds two business days); and (vi) subject to a written confidentiality agreement no less protective than that between the Parties.
10.5 Regulator audits. Audits by a competent supervisory authority under Applicable Data Protection Law fall outside the scope of §10.1–§10.4 and Crossdeck will cooperate as required by law.
11. International data transfers
11.1 Crossdeck stores and Processes Customer Personal Data primarily in Google Cloud's us-central1 region (Council Bluffs, Iowa, United States). The Customer consents to Restricted Transfers of Customer Personal Data to the United States and to such other countries as a Sub-processor's data residency may require, on the terms of this §11.
11.2 EU Restricted Transfers — EU SCCs (Module 2) incorporated. For Restricted Transfers from the European Economic Area, the Parties incorporate the EU SCCs by reference, with the modules and clauses as completed below:
- Module 2 (controller to processor) applies between the Customer (data exporter, Controller) and Crossdeck (data importer, Processor).
- Module 3 (processor to processor) applies where the Customer is itself a Processor (see §2.1).
- Clause 7 (Docking Clause): not used.
- Clause 9 (Use of Sub-processors): Option 2 (general written authorisation) applies. The list of Sub-processors and the change-notification mechanism are as set out in §4 of this DPA.
- Clause 11 (Redress): the option permitting Data Subjects to lodge a complaint with an independent dispute resolution body shall not apply.
- Clause 17 (Governing law): the Parties agree that this is the law of Ireland.
- Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
- Annex I.A (Parties): Customer = data exporter; Crossdeck = data importer.
- Annex I.B (Description of transfer): as set out in Annex A of this DPA.
- Annex I.C (Competent supervisory authority): the Irish Data Protection Commission, with one-stop-shop deferral where applicable.
- Annex II (Technical and organizational measures): as set out in Annex B of this DPA.
- Annex III (List of Sub-processors): as set out in Annex C and at cross-deck.com/legal/sub-processors.
11.3 UK Restricted Transfers — UK IDTA incorporated. For Restricted Transfers from the United Kingdom, the Parties incorporate the UK IDTA (version B1.0, 21 March 2022) by reference as an Addendum to the EU SCCs at §11.2, with:
- Table 1 (Parties): as in §11.2 Annex I.A.
- Table 2 (Selected SCCs, Modules and Selected Clauses): the EU SCCs at §11.2, with Module 2 and (where applicable) Module 3.
- Table 3 (Appendix Information): as in §11.2.
- Table 4 (Ending this Addendum when the Approved Addendum Changes): neither Party.
11.4 Swiss Restricted Transfers. For Restricted Transfers from Switzerland, the Parties adopt the EU SCCs at §11.2 with the FDPIC adaptations: (i) references to "GDPR" include the revFADP; (ii) the competent supervisory authority is the Swiss FDPIC; (iii) the term "Member State" is interpreted to include Switzerland to enable Data Subjects in Switzerland to enforce their rights in their place of habitual residence.
11.5 Transfer impact assessment. The Parties confirm that they have, prior to the Effective Date, undertaken a transfer impact assessment in accordance with the EDPB Recommendations 01/2020 considering the laws and practices of the destination country (United States) and have determined that supplementary measures (encryption in transit and at rest, strict access controls, transparency reporting, challenge of overbroad government requests) provide an essentially equivalent level of protection. The TIA is reviewed annually and made available to Customers on written request.
11.6 Conflict. In the event of any conflict between this DPA and the EU SCCs / UK IDTA / Swiss adaptation, the SCCs / IDTA / adaptation prevail in respect of Restricted Transfers; this DPA prevails in all other respects.
12. Term, termination, return & deletion
12.1 This DPA enters into force on the Effective Date and remains in force for so long as Crossdeck Processes Customer Personal Data.
12.2 Customer's choice at termination. Within thirty (30) days of the termination or expiry of the Service, the Customer may, by written instruction, require Crossdeck to: (a) return all Customer Personal Data to the Customer in a structured, commonly used and machine-readable format; or (b) delete all Customer Personal Data. Absent a Customer instruction within the 30-day window, Crossdeck will default to deletion.
12.3 Deletion procedure. Deletion will be completed within thirty (30) days of the Customer's instruction (or, in the default case, within sixty (60) days of termination). "Deletion" means removal from all production systems and from any secondary indexes, caches, and search indexes. Customer Personal Data residing in immutable backups will be retained for no longer than ninety (90) days after the deletion instruction and will be destroyed on the backup rotation schedule; during that 90-day window, the data remains encrypted and access is restricted to authorised disaster-recovery personnel only.
12.4 Statutory retention exceptions. Crossdeck may retain Customer Personal Data beyond §12.3 to the extent required by Applicable Data Protection Law (e.g. tax, audit, or anti-money-laundering retention obligations), with the retention limited to the minimum necessary period and the data subject only to such access as is required to comply with the retention obligation.
12.5 Certification of deletion. On Customer's written request, Crossdeck will certify in writing that deletion under §12.3 has been completed.
13. Liability allocation
13.1 Each Party's liability under or in connection with this DPA, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, is subject to the limitations and exclusions of liability set out in the Terms of Service, except where Applicable Data Protection Law (in particular GDPR Article 82) provides for a higher floor, in which case the statutory floor applies.
13.2 Joint liability under GDPR Art. 82. Nothing in this DPA limits the Parties' direct liability to Data Subjects under GDPR Article 82. As between the Parties, each Party will bear its own share of any liability to a Data Subject according to the degree of responsibility of each Party for the event giving rise to the damage, and the Party that has paid compensation in excess of its share may claim back from the other Party that part of the compensation corresponding to the other Party's share.
14. General provisions
14.1 Order of precedence. In the event of any conflict between this DPA, the EU SCCs / UK IDTA / Swiss adaptation, and the Terms of Service, the order of precedence is: (i) the EU SCCs / UK IDTA / Swiss adaptation (in respect of Restricted Transfers only); (ii) this DPA; (iii) the Terms of Service.
14.2 Governing law & jurisdiction. Save where the EU SCCs, UK IDTA, or Swiss adaptation provide otherwise (see §11), this DPA is governed by the laws specified in the Terms of Service and is subject to the exclusive jurisdiction specified therein.
14.3 Severability. If any provision of this DPA is found by any court or competent supervisory authority to be invalid, illegal, or unenforceable, the remaining provisions will continue in full force and effect.
14.4 Entire agreement. This DPA together with the Terms of Service constitutes the entire agreement between the Parties with respect to its subject matter and supersedes all prior agreements and understandings.
Annex A — Description of processing
| Field | Description |
|---|---|
| Subject matter | Processing of Customer Personal Data in connection with the provision of the Crossdeck Service. |
| Duration | For so long as Crossdeck provides the Service to the Customer, plus the wind-down period in §12. |
| Nature & purpose | Receipt, validation, persistence, indexing, aggregation, projection, and presentation of Customer Personal Data through the Service's dashboard and API, for the purpose of providing the Customer with analytics, identity, entitlement, and error-capture functionality over the Customer's own end users. |
| Categories of Data Subjects | The Customer's end users (which may include identified and anonymous users), the Customer's employees and contractors who administer the Customer's account, and any third parties whose Personal Data the Customer chooses to transmit through the Service. |
| Categories of Personal Data | Identifiers (anonymous device IDs, developer-supplied user IDs, Crossdeck customer IDs); contact data (email addresses where the Customer transmits them); behavioural data (page views, screen views, taps, clicks, sessions, custom-event properties supplied by the Customer); error data (exception types, stack traces after PII scrub, breadcrumbs); commercial data (purchase events, entitlement state, subscription state, plan identifiers); device data (browser, OS, device class, locale, timezone, app version); approximate geolocation (country derived from IP at the network edge). |
| Special categories | None expected. The AUP prohibits the Customer from transmitting special-category data without a separate written supplemental agreement. |
| Frequency of transfer | Continuous, in real time, for the duration of the Service. |
| Retention | As set out in §5 of the Privacy Policy and §12 of this DPA. |
Annex B — Technical & organizational measures
The full description is maintained in the Security Overview. Summary of the measures in force on the Effective Date:
| Measure | Description |
|---|---|
| Encryption at rest | AES-256, Google-Cloud-managed keys, applied to Firestore documents, Cloud Storage objects, and ClickHouse tables. |
| Encryption in transit | TLS 1.2 minimum; TLS 1.3 preferred and used by default for cross-deck.com, the SDK transport, and inter-service traffic. |
| Pseudonymisation | Customer end-user identifiers are processed as opaque tokens within the Service; PII scrubbing of emails and payment-card patterns runs at SDK level before persistence. |
| Access control | Role-based access controls inside the Service; MFA required for all Crossdeck administrative access; least-privilege enforced. |
| Audit logging | Every administrative action against Customer Personal Data is logged with actor, action, target, timestamp, and IP. Logs are immutable and retained for 7 years. |
| Network security | Cloud Run / App Hosting with Identity-Aware Proxy front-ends; private VPC for internal services; managed WAF on edge endpoints. |
| Backups | Daily Firestore exports + point-in-time recovery (7 days); encrypted; access restricted to disaster-recovery personnel. |
| Vulnerability management | Dependabot for SDK packages; weekly Snyk scans on production images; quarterly third-party penetration testing once SOC 2 audit period commences. |
| Incident response | Written incident response runbook, on-call rotation, SLAs at §7 (24h notification / 72h preliminary / 14d RCA). |
| Personnel | Background-checked engineering and operations personnel; written confidentiality undertakings; mandatory annual security training. |
| Physical security | Google Cloud data centres (SSAE-18 SOC 2 Type II certified; ISO 27001 certified). |
| SDK-side protections | PII scrubbers (email + card patterns) on by default; per-user entitlement cache isolation (sha256 storage suffix); strict-concurrency-safe; idempotency keys on every batch. |
| Sub-processor due diligence | DPA in force with every Sub-processor; residency match confirmed before engagement; security questionnaires on file. |
Annex C — Authorised sub-processors
The current list is published and maintained at cross-deck.com/legal/sub-processors. That list is incorporated by reference into this Annex C as if set out in full.
Annex D — Data subject rights handling matrix
| Right | Self-service in the Service? | Crossdeck-assisted path |
|---|---|---|
| Access (Art. 15 / s.23 POPIA / CCPA right to know) | Yes — Customer dashboard "Export this person's data" exports all event + identity records for a given customerId or anonymousId in JSON. | Customer escalates via support if export fails. |
| Rectification (Art. 16) | Yes — Customer dashboard supports edit of customer traits and merge / unmerge of identities. | Customer escalates for complex merges. |
| Erasure / "right to be forgotten" (Art. 17) | Yes — Customer dashboard "Forget this person" deletes all events + identity records for a given customerId across raw events, aggregates, and ClickHouse. | Customer escalates if the forget fails or for cross-rail erasure. |
| Restriction (Art. 18) | Partial — Customer can flag a customer as "do not process further" via the API; downstream projections halt. | Crossdeck assists with custom restriction profiles on written request. |
| Portability (Art. 20) | Yes — JSON export as described in the Access row above; CSV export from the dashboard. | — |
| Objection (Art. 21) | Yes — opt-out flag via SDK setConsent({analytics: false}). | — |
| Withdraw consent (Art. 7(3)) | Yes — SDK setConsent idempotently flips state. | — |
| Opt-out of sale / sharing (CCPA / CPRA) | Not applicable — Crossdeck neither Sells nor Shares Personal Data (see §2.5). | — |
| Limit use of sensitive PI (CPRA) | Not applicable — sensitive PI is not collected by default; the AUP prohibits it without supplemental agreement. | — |