Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", the data controller) and Taploop, Inc. ("Taploop", the data processor) for the processing of Personal Data on Customer's behalf in connection with the Services. It reflects the parties' obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws.

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Sub-processor" have the meanings given in the GDPR. "Applicable Law" means the data protection laws in force where Customer or its end users are located.

2. Roles

Customer is the Controller and Taploop is the Processor of Personal Data submitted to the Services. Each party complies with its obligations under Applicable Law.

3. Scope of processing

• Subject matter: provision of the Taploop Services.
• Duration: the term of the agreement plus any retention period required by law.
• Nature & purpose: hosting, analyzing, and routing Customer Data to deliver marketing automation, CRM, audience analysis, and referral functionality.
• Categories of data subjects: Customer's contacts, leads, customers, and end users.
• Categories of Personal Data: identifiers, contact details, behavioral and engagement data, content created by data subjects.

4. Customer instructions

Taploop processes Personal Data only on Customer's documented instructions, including those set out in the agreement and the configuration of the Services, unless required to do so by law.

5. Confidentiality

Personnel authorized to process Personal Data are bound by confidentiality obligations.

6. Security measures

Taploop implements appropriate technical and organizational measures, including:

• Encryption in transit (TLS 1.2+) and at rest where appropriate.
• Access controls based on least privilege and role-based permissions.
• Audit logging and monitoring.
• Secure software development lifecycle.
• Regular backups and disaster recovery testing.
• Vendor risk management for sub-processors.

7. Sub-processors

Customer authorizes Taploop to engage sub-processors (such as cloud hosting, email, and analytics providers) under written agreements imposing data protection obligations no less protective than this DPA. A current list is available on request, and Taploop will give prior notice of additions, allowing Customer a reasonable opportunity to object.

8. International transfers

Where Personal Data is transferred outside the EEA/UK, the parties rely on the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK Addendum, or another valid transfer mechanism, supplemented as needed.

9. Data subject rights

Taking into account the nature of the processing, Taploop assists Customer with appropriate technical and organizational measures to fulfill requests from Data Subjects (access, correction, deletion, restriction, portability, objection).

10. Personal Data breaches

Taploop notifies Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data and provides information reasonably necessary for Customer to meet its own notification obligations.

11. Audits

Taploop makes available information necessary to demonstrate compliance with this DPA and, on reasonable notice, allows for and contributes to audits, including by providing third-party certifications and reports where available.

12. Deletion or return of data

On termination of the agreement, Taploop deletes or returns Customer Data within 90 days, unless retention is required by law.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the agreement.

14. Order of precedence

In the event of a conflict, this DPA prevails over the agreement with respect to data protection matters.

15. Contact

Privacy queries: [email protected]. To request a signed counterpart of this DPA, email [email protected].