Data Processing Addendum
Last updated: April 27, 2026
This Data Processing Addendum (the "DPA") forms part of, and is governed by, the SourceLoop Terms of Service or other written agreement between SourceLoop, Inc. ("SourceLoop") and the customer named in that agreement ("Customer") (together, the "Agreement"). This DPA reflects the parties' agreement on the processing of Personal Data in connection with applicable Data Protection Laws.
By accepting the Agreement, Customer accepts this DPA on behalf of itself and, to the extent required, its Affiliates. Customer is responsible for ensuring that any Authorized Affiliate using the Service complies with the obligations set out in this DPA.
1. Definitions
Capitalized terms not defined here have the meaning given to them in the Agreement or in applicable Data Protection Laws.
1.1 "Affiliate" means any entity that controls, is controlled by, or is under common control with a party.
1.2 "Customer Personal Data" means Personal Data that SourceLoop processes on behalf of Customer in providing the Service, including End User Data as defined in the Terms of Service.
1.3 "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"); the United Kingdom Data Protection Act 2018 and the UK GDPR; the Swiss Federal Act on Data Protection ("FADP"); the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and any successor or equivalent laws in other jurisdictions.
1.4 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
1.5 "Standard Contractual Clauses" or "SCCs" means (a) for transfers of Personal Data subject to GDPR, the clauses in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and (b) for transfers subject to UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (the "UK Addendum").
1.6 "Sub-processor" means any third party engaged by SourceLoop to process Customer Personal Data on behalf of Customer.
1.7 The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Supervisory Authority", "Business", "Service Provider", "Sale", and "Share" have the meanings given in applicable Data Protection Laws.
2. Roles and Scope
2.1 The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller (or "Business" under the CCPA) and SourceLoop is the Processor (or "Service Provider" under the CCPA). SourceLoop will process Customer Personal Data only as a Processor on behalf of Customer.
2.2 This DPA applies to SourceLoop's processing of Customer Personal Data under the Agreement. Details of the processing (subject matter, duration, nature, purpose, categories of data, and categories of Data Subjects) are set out in Annex 1.
3. Customer Instructions
3.1 SourceLoop will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by law to which SourceLoop is subject; in such a case, SourceLoop will inform Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 The Agreement (including this DPA), together with Customer's configuration of, and use of, the Service, constitute Customer's complete and final documented instructions to SourceLoop. Any additional or alternate instructions must be agreed in writing and may be subject to additional fees.
3.3 SourceLoop will inform Customer if, in its opinion, an instruction from Customer infringes Data Protection Laws.
4. Customer Obligations
4.1 Customer represents and warrants that (a) it has all rights and lawful bases necessary to authorize SourceLoop's processing under the Agreement; (b) it has provided all notices and obtained all consents required by Data Protection Laws to enable SourceLoop's processing; and (c) the instructions issued under Section 3 comply with Data Protection Laws.
4.2 Customer is responsible for the security of its own systems and for keeping its credentials and OAuth tokens confidential.
4.3 Customer will not include in Customer Personal Data any special categories of data (Article 9 GDPR), data relating to criminal convictions and offences (Article 10 GDPR), or other sensitive personal information beyond what the Service is designed to process, unless agreed in writing by SourceLoop.
5. Confidentiality
SourceLoop will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have received appropriate data-protection training.
6. Security Measures
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, SourceLoop will implement appropriate technical and organizational measures designed to protect Customer Personal Data against a Personal Data Breach. These measures are described in Annex 2.
6.2 SourceLoop will regularly test, assess, and evaluate the effectiveness of these measures, and will update them in response to evolving threats and best practices.
7. Sub-processors
7.1 General Authorization. Customer authorizes SourceLoop to engage Sub-processors to process Customer Personal Data, subject to this Section 7. The current list of Sub-processors is published at sourceloop.ai/subprocessors and is incorporated into this DPA by reference.
7.2 Notice of New Sub-processors. SourceLoop will give Customer at least thirty (30) days' prior notice of the engagement of any new Sub-processor by updating the Sub-processor page and, where the change is material, by email.
7.3 Right to Object. Customer may object on reasonable data-protection grounds to a new Sub-processor by notifying SourceLoop within fifteen (15) days of receiving notice. The parties will work in good faith to resolve the objection. If no resolution is reached, Customer may, as its sole and exclusive remedy, terminate the Agreement for the affected portion of the Service and receive a pro-rata refund of prepaid fees for the unused remainder of the term.
7.4 Liability for Sub-processors. SourceLoop will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and SourceLoop remains liable for the acts and omissions of its Sub-processors as if they were its own.
8. Data Subject Rights
8.1 SourceLoop will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to automated decision-making).
8.2 If a Data Subject contacts SourceLoop directly with a request relating to Customer Personal Data, SourceLoop will, without undue delay, redirect the Data Subject to Customer or forward the request to Customer's designated contact.
9. Personal Data Breach Notification
9.1 SourceLoop will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will include, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed.
9.2 SourceLoop will provide reasonable cooperation and assistance to Customer in connection with Customer's obligations under Articles 33 and 34 GDPR or equivalent provisions of other Data Protection Laws.
10. Data Protection Impact Assessments and Prior Consultation
SourceLoop will provide Customer with reasonable cooperation and assistance, taking into account the nature of the processing and the information available to SourceLoop, to enable Customer to carry out a data protection impact assessment under Article 35 GDPR (or equivalent) and any prior consultation with a Supervisory Authority under Article 36 GDPR (or equivalent).
11. International Data Transfers
11.1 EU/EEA Transfers. Where SourceLoop's processing of Customer Personal Data involves a transfer of Personal Data from the European Economic Area to a third country not deemed adequate by the European Commission, the parties agree that the SCCs (Module Two: Controller-to-Processor) are hereby incorporated by reference and entered into between Customer (as "data exporter") and SourceLoop (as "data importer"), with the following selections:
- Clause 7 (Docking clause): included;
- Clause 9 (Sub-processors): Option 2 (general written authorization), with the time period in Section 7.2 of this DPA;
- Clause 11(a) (Independent dispute resolution): not selected;
- Clause 17 (Governing law): the law of Ireland;
- Clause 18 (Forum and jurisdiction): courts of Ireland;
- Annex I.A (Parties): Customer and SourceLoop as identified in the Agreement;
- Annex I.B (Description of transfer): as set out in Annex 1 of this DPA;
- Annex I.C (Competent supervisory authority): the supervisory authority of the EU Member State in which the data exporter is established or, if not established in the EU, the Irish Data Protection Commission;
- Annex II (Technical and organizational measures): as set out in Annex 2 of this DPA.
11.2 UK Transfers. For transfers subject to the UK GDPR, the UK Addendum is hereby incorporated by reference and completed as follows: Table 1 with the parties identified in the Agreement; Table 2 with the SCCs version selected in 11.1; Table 3 with the annexes set out in this DPA; Table 4 selecting "neither party" for the right to terminate the Addendum.
11.3 Swiss Transfers. For transfers subject to the FADP, the SCCs apply with the following modifications: (a) references to the GDPR are interpreted as references to the FADP; (b) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (c) the term "Member State" includes Switzerland.
11.4 Conflict. In the event of any conflict between this DPA and the SCCs (or UK Addendum), the SCCs (or UK Addendum) prevail to the extent of the conflict.
12. Audits
12.1 SourceLoop will make available to Customer, on reasonable request, the information necessary to demonstrate compliance with the obligations laid down in this DPA, in the form of (a) SourceLoop's most recent third-party audit reports (such as SOC 2 Type II) and (b) responses to reasonable security questionnaires.
12.2 If the information made available under Section 12.1 is not sufficient to demonstrate compliance, Customer (or an independent third-party auditor mandated by Customer that is not a competitor of SourceLoop and is bound by confidentiality obligations) may conduct an audit of SourceLoop's data-protection practices, subject to: (a) at least thirty (30) days' prior written notice; (b) a maximum of one audit per twelve-month period (except in response to a regulatory inquiry or a confirmed Personal Data Breach); (c) a scope and methodology agreed in advance; (d) conduct during normal business hours and in a manner that does not unreasonably interfere with SourceLoop's operations; and (e) Customer bearing its own costs and the reasonable costs incurred by SourceLoop.
13. Return and Deletion of Customer Personal Data
13.1 At Customer's choice, SourceLoop will delete or return all Customer Personal Data to Customer after the end of the provision of services relating to processing, and will delete existing copies, unless EU, Member State, or other applicable law requires storage of the Customer Personal Data.
13.2 SourceLoop will, in any event, delete or anonymize Customer Personal Data within ninety (90) days after termination or expiration of the Agreement, except where retention is required by law. Backups containing Customer Personal Data will be deleted in accordance with SourceLoop's documented backup-rotation schedule.
14. Liability
Each party's liability arising under or in connection with this DPA, whether in contract, tort, or otherwise, is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability to a Data Subject under applicable Data Protection Laws.
15. Term and Termination
This DPA takes effect on the effective date of the Agreement and remains in effect until the Agreement terminates. Termination of the Agreement automatically terminates this DPA, except for provisions that by their nature survive (including Sections 5, 9, 11, 13, and 14).
16. Order of Precedence and Governing Law
16.1 In the event of a conflict between this DPA and any other agreement between the parties (including the Terms of Service), this DPA prevails with respect to the subject matter hereof.
16.2 This DPA is governed by, and construed in accordance with, the governing-law and dispute-resolution provisions of the Agreement, except where required otherwise by Data Protection Laws or the SCCs.
Annex 1 — Description of Processing
A. Subject matter. SourceLoop's provision of the marketing attribution and analytics platform described in the Agreement, including the Application, the Snippet, APIs, and related integrations.
B. Duration. For the term of the Agreement, plus the post-termination retention and deletion period set out in Section 13.
C. Nature and purpose of processing. Collection, storage, organization, structuring, retrieval, transmission, analysis, and (on Customer instruction) deletion of Customer Personal Data, for the purpose of providing marketing attribution, analytics, funnels, dashboards, CRM synchronization, and offline conversion synchronization to Customer.
D. Categories of Data Subjects. Customer's website visitors and end users, including prospects, leads, customers, and users of Customer's products and services.
E. Categories of Personal Data.
- online identifiers: visitor identifier, session identifier, IP address (typically truncated or hashed), device identifiers, browser fingerprint signals;
- behavioral data: page views, click events, form submissions, conversion events, time on page, referrer, landing page;
- attribution data: UTM parameters, click identifiers (GCLID, Wbraid, Gbraid, fbclid, li_fat_id), search keywords, campaign metadata;
- contact data submitted by the Data Subject to Customer: name, email, phone number, company, role, and any other fields configured by Customer in its forms;
- device and network metadata: user agent, browser, operating system, language, time zone.
F. Special categories of data. None. Customer is contractually prohibited from submitting special categories of data to the Service.
G. Frequency of transfer. Continuous, in real time as Customer's properties generate events.
H. Retention period. As set out in Section 13 of this DPA and the retention configuration available in the Application.
Annex 2 — Technical and Organizational Measures
SourceLoop maintains the following measures, which may be updated from time to time provided that the overall level of protection is not reduced:
1. Encryption. Customer Personal Data is encrypted in transit using TLS 1.2 or higher between Customer's properties, the Application, and SourceLoop's storage. Data at rest is encrypted using AES-256 or stronger.
2. Access control. Role-based access controls restrict access to Customer Personal Data to personnel with a legitimate need. Multi-factor authentication is required for all production-system access. Access reviews are conducted at least quarterly.
3. Network and infrastructure security. Production environments run in private networks behind a Web Application Firewall and DDoS protection. Inbound traffic is filtered by identity and IP allow-lists where appropriate. Production hosts are hardened, patched on defined SLAs, and monitored for intrusion.
4. Application security. SourceLoop follows a secure software development lifecycle (SSDLC) including code review, automated static and dynamic security testing, dependency-vulnerability scanning, and regular penetration testing by an independent third party.
5. Logging and monitoring. Application, audit, and access logs are centrally collected, retained, and monitored for anomalies. Alerts trigger an on-call response process.
6. Backup and resilience. Customer Personal Data is backed up on a defined schedule, with backups encrypted and stored in a separate region. Recovery objectives (RPO/RTO) are documented and tested.
7. Personnel. All personnel undergo background checks (where permitted by law), execute confidentiality agreements, and complete annual security and privacy training.
8. Incident response. SourceLoop maintains a documented incident-response plan covering detection, containment, eradication, recovery, and post-incident review, with breach notification within seventy-two (72) hours of confirmation.
9. Vendor management. Sub-processors are vetted for security and bound by contractual obligations no less protective than those in this DPA.
10. Physical security. Customer Personal Data is hosted in industry-leading cloud data centers with physical access controls, environmental safeguards, and 24x7 monitoring.
Annex 3 — List of Sub-processors
The current list of approved Sub-processors is published at sourceloop.ai/subprocessors and is incorporated by reference into this DPA.
Contact
Questions about this DPA, requests to execute a counter-signed copy, or sub-processor objections can be sent to hello@sourceloop.ai.