DRAFT — pending attorney review. Effective version available on request via security@dltd.app.

Data Processing Addendum

Last updated: 2026-06-01

Version: 1.0 (draft)

This Data Processing Addendum (“DPA”) forms part of the agreement between DLTD, Inc. (“DLTD,” “Processor”) and the customer entity identified in the Order Form or signature block below (“Customer,” “Controller”) for the provision of the DLTD Business service (the “Services”) under the parties’ Master Services Agreement, Subscription Agreement, Terms of Service, or other written or electronic agreement (the “Agreement”). In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail.

1. Parties and Scope

1.1 Parties. The Processor is DLTD, Inc., a Delaware corporation with its principal place of business in the United States. The Controller is the Customer entity that has accepted the Agreement and this DPA.

1.2 Applicability. This DPA applies to DLTD’s Processing of Personal Data on behalf of Customer in connection with the Services. It applies to Processing subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable data protection laws (collectively, “Data Protection Laws”).

1.3 Roles. The parties acknowledge that with respect to Customer Personal Data Processed under the Services, Customer is the Controller (or Business under CCPA/CPRA), and DLTD is the Processor (or Service Provider under CCPA/CPRA). DLTD shall Process Customer Personal Data only on behalf of Customer.

2. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in the GDPR. For convenience:

  • “Personal Data” means any information relating to an identified or identifiable natural person (Data Subject), as defined in GDPR Art. 4(1), that is Processed by DLTD on behalf of Customer in connection with the Services.
  • “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Art. 4(2).
  • “Sub-processor” means any third party engaged by DLTD to Process Customer Personal Data on behalf of DLTD in connection with the Services.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates, as defined in GDPR Art. 4(1).
  • “Personal Data Breach” has the meaning given in GDPR Art. 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, specifically Module Two (Controller-to-Processor).
  • “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under s.119A of the Data Protection Act 2018.

3. Scope, Nature, and Purpose of Processing

3.1 Subject matter. The subject matter of the Processing is the provision of the Services to Customer, including broker removal, AI exposure auditing, inbox metadata auditing, endpoint privacy monitoring, IT-administrator dashboards, and related employee offboarding automation.

3.2 Duration. DLTD will Process Customer Personal Data for the duration of the Agreement and for the limited period thereafter permitted by Section 12 (Return and Deletion) below.

3.3 Nature and purpose. DLTD Processes Customer Personal Data solely to (a) provide, secure, monitor, and improve the Services for Customer; (b) respond to Customer support requests; (c) comply with Customer’s documented instructions; and (d) comply with applicable law. Categories of Data Subjects and types of Personal Data are described in Annex C.

3.4 No secondary use. DLTD shall not (i) Sell or Share (as defined under CCPA/CPRA) Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data outside of the direct business relationship between DLTD and Customer; or (iii) combine Customer Personal Data with personal information that DLTD receives from or on behalf of any other person, except as expressly permitted by CCPA/CPRA § 1798.140(ag)(1)(D) for the purposes of providing the Services. DLTD certifies that it understands and will comply with these restrictions.

3.5 No model training. DLTD shall not use Customer Personal Data to train, fine-tune, or develop any artificial intelligence or machine-learning model, whether DLTD’s own or any third party’s. This restriction is contractually binding on all Sub-processors that have access to Customer Personal Data.

4. Customer Instructions

4.1 Documented instructions. DLTD shall Process Customer Personal Data only on the documented instructions of Customer, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law. In such a case, DLTD shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.2 Form of instructions. Customer’s documented instructions are set forth in (a) the Agreement, (b) this DPA, (c) configuration options Customer selects through the Services administrative dashboard, and (d) any further written instructions issued by Customer and acknowledged by DLTD in writing (including by email).

4.3 Notification of unlawful instructions. DLTD shall notify Customer if, in DLTD’s opinion, an instruction from Customer infringes the GDPR or other applicable Data Protection Law. DLTD may, without liability, suspend Processing pursuant to such an instruction until Customer modifies or confirms the lawfulness of the instruction.

5. Confidentiality

5.1 Personnel obligations. DLTD shall ensure that any person authorized to Process Customer Personal Data on its behalf (including employees, contractors, and agents) is subject to a binding written or statutory obligation of confidentiality with respect to such Personal Data, both during and after the term of their engagement with DLTD.

5.2 Need-to-know. DLTD shall limit access to Customer Personal Data to those personnel who require such access to perform DLTD’s obligations under the Agreement, and shall provide such personnel with training appropriate to their role on the Processing of Personal Data and on DLTD’s information security program.

6. Security Measures

6.1 Appropriate measures. DLTD shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such data. A description of those measures is set forth in Annex A.

6.2 Updates. DLTD may update the technical and organizational measures from time to time provided that any such update does not materially decrease the overall level of protection of Customer Personal Data.

7. Sub-processors

7.1 General authorization. Customer grants DLTD a general authorization to engage Sub-processors to Process Customer Personal Data in connection with the Services, subject to the requirements of this Section 7. A current list of approved Sub-processors is set forth in Annex B.

7.2 Sub-processor obligations. DLTD shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than those set out in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. DLTD remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if performed by DLTD itself.

7.3 Notification of changes. DLTD shall notify Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance via email to Customer’s designated security contact and/or by publishing the updated Annex B at dltd.app/business/dpa.

7.4 Objection right. Customer may object on reasonable data protection grounds to the appointment of a new Sub-processor within thirty (30) days of such notice. If Customer objects, the parties shall work together in good faith to find a workable solution. If no such solution can be found, Customer may, as its sole remedy, terminate the Services that cannot be provided without the Sub-processor, without penalty, on written notice to DLTD.

8. Data Subject Rights

8.1 Assistance to Controller. Taking into account the nature of the Processing, DLTD shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection) and analogous rights under other Data Protection Laws.

8.2 Direct requests. If DLTD receives a request directly from a Data Subject relating to Customer Personal Data, DLTD shall (a) not respond to the substance of the request, except to acknowledge receipt and to direct the Data Subject to Customer, and (b) promptly forward the request to Customer’s designated contact.

8.3 California Authorized Agent. Where Customer or its end users have engaged DLTD as an Authorized Agent under California Civil Code § 1798.135 in connection with the Services, DLTD shall submit deletion, access, and opt-out-of-sale requests to data brokers and other third parties on behalf of such end users in accordance with applicable law and with the documented instructions of Customer and the end user.

9. Personal Data Breach Notification

9.1 Notification to Customer. DLTD shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification shall be sent to the security contact designated by Customer in the administrative dashboard.

9.2 Information provided. To the extent known at the time of notification, DLTD shall provide Customer with at least the following information: (a) the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to be taken by DLTD to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; and (d) the contact point at DLTD from whom further information can be obtained.

9.3 Cooperation. DLTD shall cooperate with Customer in Customer’s investigation, mitigation, and (if required) public notification of the Personal Data Breach. DLTD’s notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgment by DLTD of any fault or liability.

10. Audits and Inspections

10.1 Audit reports. DLTD shall make available to Customer, on written request, the most recent third-party audit reports (such as SOC 2 Type II reports, when issued), penetration test summaries, and other compliance attestations that DLTD has obtained, subject to customary confidentiality protections.

10.2 Customer audits. Customer (or an independent third-party auditor selected by Customer and reasonably acceptable to DLTD, and bound by appropriate confidentiality obligations) may, no more than once per twelve (12) month period and on at least thirty (30) days’ prior written notice, conduct an audit of DLTD’s compliance with this DPA. Such audits shall be conducted during normal business hours, shall not unreasonably interfere with DLTD’s business operations, and shall not require DLTD to disclose information of other customers or information that is subject to legally privileged or trade-secret protection.

10.3 Audit costs. Each party shall bear its own costs in connection with an audit under this Section, except that if the audit reveals a material breach of this DPA by DLTD, DLTD shall reimburse Customer for Customer’s reasonable third-party audit costs.

10.4 Regulatory inspections. Nothing in this Section limits the inspection rights of a competent supervisory authority under applicable Data Protection Laws.

11. International Transfers

11.1 Transfers from the EEA, UK, and Switzerland. Where Customer Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Module Two (Controller-to-Processor), are hereby incorporated by reference into this DPA and shall apply to such transfers as if executed by the parties.

11.2 SCC selection of options. For the purposes of the SCCs:

  • Clause 7 (Docking clause): The optional docking clause applies.
  • Clause 9(a) (Sub-processors): Option 2 (general written authorization) applies, with a minimum thirty (30) day prior notice period in accordance with Section 7.3 of this DPA.
  • Clause 11(a) (Independent dispute resolution): The optional independent dispute resolution language is not selected.
  • Clause 17 (Governing law): The SCCs are governed by the law of the Republic of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): Disputes arising from the SCCs shall be resolved by the courts of Ireland.
  • Annex I.A (List of parties): Customer is the data exporter; DLTD, Inc. is the data importer. Contact details are as set out in the Agreement and Section 16 below.
  • Annex I.B (Description of transfer): Categories of Data Subjects, categories of Personal Data, and frequency of transfer are as described in Annex C of this DPA. The transfer is for the duration set out in Section 3.2 above.
  • Annex I.C (Competent supervisory authority): The supervisory authority of the EU Member State in which the Customer is established, or, where Customer is not established in the EU, the Irish Data Protection Commission.
  • Annex II (Technical and organizational measures): As set out in Annex A of this DPA.
  • Annex III (List of Sub-processors): As set out in Annex B of this DPA.

11.3 UK transfers. Where Customer Personal Data subject to the UK GDPR is transferred to a third country, the UK International Data Transfer Addendum to the EU SCCs (the “UK Addendum”) is hereby incorporated by reference and the parties agree to be bound by its terms. The SCCs as incorporated above shall be modified by the UK Addendum as required.

11.4 Swiss transfers. Where Customer Personal Data subject to the Swiss FADP is transferred to a third country, the SCCs shall apply with the following adaptations: (a) references to the GDPR shall be read as references to the Swiss FADP; (b) references to EU Member States and supervisory authorities shall include Switzerland and the Swiss Federal Data Protection and Information Commissioner; and (c) the law applicable to the SCCs shall be Swiss law for transfers exclusively governed by the Swiss FADP.

11.5 Conflict. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail with respect to Processing of Personal Data subject to the GDPR, UK GDPR, or Swiss FADP.

12. Return or Deletion of Data

12.1 On termination. Upon termination or expiration of the Agreement, DLTD shall, at Customer’s choice, return all Customer Personal Data to Customer or delete such data, and delete existing copies, unless applicable law requires further storage. Deletion or return shall be completed within thirty (30) days of termination, subject to the backup retention period described in Section 12.3.

12.2 Certification. DLTD shall, on Customer’s written request, provide a written certification of the deletion of Customer Personal Data.

12.3 Backups. Customer Personal Data residing in DLTD’s encrypted, rolling backup systems shall be purged in the ordinary course within thirty (30) days of termination. During the backup retention period, such data shall remain subject to the confidentiality and security obligations of this DPA and shall not be Processed for any purpose other than backup restoration in case of disaster.

13. Liability, Term, and Miscellaneous

13.1 Term. This DPA takes effect on the earlier of (a) Customer’s acceptance of this DPA in connection with the Agreement and (b) the date the Agreement takes effect. It shall continue for the term of the Agreement and shall survive for so long as DLTD Processes Customer Personal Data.

13.2 Limitation of liability. Each party’s and all of its Affiliates’ liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA together.

13.3 Order of precedence. In the event of any conflict or inconsistency between this DPA, the Agreement, and any SCCs incorporated by reference, the order of precedence is: (i) the SCCs; (ii) this DPA; (iii) the Agreement.

13.4 Governing law. Except as otherwise provided in the SCCs (which are governed by the law specified therein), this DPA shall be governed by the law specified in the Agreement.

13.5 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remainder shall continue in full force and effect.

Annex A — Technical and Organizational Measures (TOMs)

DLTD has implemented and shall maintain the following technical and organizational measures designed to ensure the security of Customer Personal Data:

A.1 Encryption

  • Encryption in transit. All connections to DLTD’s web application, iOS application, browser extension, and APIs are protected by TLS 1.2 or higher, with HTTP Strict Transport Security (HSTS) enforced on all public domains.
  • Encryption at rest. All Customer Personal Data is encrypted at rest using AES-256 at the database storage layer (managed by Supabase/PostgreSQL). Sensitive fields including OAuth tokens and child profile identifiers are additionally encrypted at the application layer using Supabase Vault with per-user keys.
  • Key management. Encryption keys are managed by the underlying cloud provider (AWS KMS via Supabase) and are never stored alongside the data they protect.

A.2 Access Controls

  • Row-Level Security. Every Customer-data table in DLTD’s Postgres database enforces PostgreSQL Row-Level Security (RLS), keyed to the authenticated user’s identity. Customers and end users can read only rows they own.
  • Least privilege for personnel. Production database access is limited to a defined set of DLTD engineering personnel, granted on a need-to-know basis and logged.
  • Authentication of personnel. All DLTD personnel access to production systems requires multi-factor authentication (MFA/2FA).
  • Customer authentication. Customer end-user authentication is provided by Supabase Auth, supporting strong passwords (hashed with bcrypt), OAuth single sign-on, and MFA.

A.3 Logging, Monitoring, and Audit

  • Application-layer audit logs record administrator actions, authentication events, and security-relevant changes.
  • Infrastructure logs are captured by Supabase, Vercel, and Cloudflare and retained for the period required by applicable policy.
  • Anomalous-activity monitoring is performed at the application edge and within the database layer.

A.4 Secure Development

  • Source code is managed in version control with mandatory code review prior to merge to production branches.
  • Automated dependency-vulnerability scanning runs on every push.
  • Secrets are managed via environment variables held in Vercel and Supabase secret stores; no secrets are checked into source control.

A.5 Operational Security

  • Patching. Application dependencies are patched on a rolling basis. Critical security patches are applied within seven (7) days.
  • Backups. Postgres point-in-time recovery is enabled with a seven (7)-day window through the managed Supabase service. Periodic encrypted snapshots are retained for thirty (30) days.
  • Disaster recovery. The Services are hosted on geographically redundant cloud infrastructure (Vercel, Supabase) supporting recovery from regional outages.

A.6 Personnel Security

  • All DLTD personnel are subject to written confidentiality obligations as a condition of engagement.
  • All personnel with production access receive annual security and privacy training.

A.7 Compliance Program

  • SOC 2 Type II. DLTD is pursuing SOC 2 Type II attestation, targeted for completion in Q4 2026.
  • GDPR alignment. DLTD’s Processing program is aligned to GDPR Article 28 processor obligations.
  • CCPA/CPRA. DLTD is CCPA-compliant and serves as Authorized Agent under California Civil Code § 1798.135 for end-user opt-out and deletion requests submitted to data brokers via the Services.
  • HIPAA. DLTD does not currently sign Business Associate Agreements (BAAs) and the Services are not intended for the Processing of Protected Health Information (PHI).

A.8 Vulnerability Disclosure

  • DLTD operates a bug bounty / responsible-disclosure program at security@dltd.app. Acknowledgement is provided within two (2) business days of a valid report.

Annex B — Approved Sub-processors

DLTD uses the following Sub-processors to provide the Services. The list below is current as of the date of this DPA. The most current list is maintained at dltd.app/business/dpa.

Sub-processor            | Service                                                                                                        | Location
Supabase, Inc.           | Managed Postgres database, authentication, edge functions — primary store of Customer Personal Data            | United States
Vercel, Inc.             | Next.js web application hosting, edge networking                                                               | United States
Stripe, Inc.             | Web and Business subscription billing, payment Processing                                                      | United States
Resend, Inc.             | Transactional email delivery (account, security, audit notifications)                                          | United States / EU
Google LLC (Google APIs) | Gmail metadata API access for the Inbox Audit feature (headers and labels only)                                | United States
Anthropic, PBC           | Large-language-model API for optional summarization and natural-language features in the Business administrator dashboard | United States
RevenueCat, Inc.         | iOS subscription entitlement management (App Store billing flows only)                                         | United States

DLTD warrants that each Sub-processor listed above has executed appropriate transfer mechanisms (including the SCCs where applicable) and is bound by data protection obligations no less protective than those in this DPA.

Annex C — Data Subject Categories and Types of Personal Data

C.1 Categories of Data Subjects

  • Customer’s employees and contractors who are issued seats on the Business tier (“Seat Users”).
  • Customer’s administrators and security contacts who configure the Services.
  • Senders of email messages received in a Seat User’s connected Gmail inbox (limited to the From, Subject, Date, and List-Unsubscribe header fields).

C.2 Categories of Personal Data

  • Account data: email address, hashed and salted password (Supabase Auth), display name, organization affiliation, tier and seat assignment.
  • Identity data submitted for broker removal: at the Seat User’s option, home address, prior addresses, phone number, date of birth, and known aliases — submitted to third-party data brokers under the Authorized Agent role.
  • Broker scan findings: records of broker-site exposures discovered for the Seat User and the status of removal requests.
  • AI exposure audit findings: categorized findings (e.g., “memory exposure”) and severity flags returned by the browser extension. Raw chatbot memory content is processed on-device and is not transmitted to DLTD.
  • Inbox audit findings: sender domains and derived metadata from Gmail message headers and labels. DLTD does not Process message bodies, attachments, or snippets.
  • OAuth tokens: Google API access and refresh tokens issued for the Inbox Audit feature, stored encrypted at rest.
  • Telemetry: aggregate, opt-outable product-analytics events sent to DLTD’s self-hosted PostHog instance.

C.3 Special Categories of Data

The Services are not intended for the Processing of special categories of personal data within the meaning of GDPR Art. 9 (including racial or ethnic origin, religious beliefs, biometric data, health data, or sex life or sexual orientation) and Customer shall not configure the Services to Process such data. DLTD does not knowingly Process such data.

C.4 Frequency of Transfer

Continuous, for the duration of the Agreement.

C.5 Retention Period

For the duration of the Agreement, plus the deletion period set forth in Section 12.

Signature Block

When a Business customer accepts the Agreement through the DLTD order form or administrator dashboard, that acceptance binds the parties to this DPA. A countersigned PDF version may be requested from security@dltd.app.

For DLTD, Inc. (Processor)
Name / Title
Date
For Customer (Controller)
Name / Title
Date

Contact

Data protection questions: privacy@dltd.app. Security and DPA requests: security@dltd.app.