1. Definitions
"Controller", "Processor", "Data Subject", "Personal Data" and "Processing" have the meanings given in the GDPR. "Customer" is the account holder that agreed to the Terms of Service with us. "SCCs" means the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914, with the UK addendum where applicable.
2. Roles
For Personal Data uploaded or generated by Customer through the Service (for example: contacts captured via two-way sharing, business-card profiles for the Customer's employees, scan analytics for the Customer's QR codes), the Customer is the Controller and Zybergo LLC is the Processor. For our own use of Personal Data (e.g. the Customer's billing details), we are the Controller — see our Privacy Policy.
3. Subject matter, duration, nature & purpose
- Subject matter: Processing Personal Data to provide the Service.
- Duration: The term of the agreement plus any retention period required by law or technically necessary for backups.
- Nature & purpose: Hosting, displaying, transmitting, analysing and otherwise Processing Personal Data so the Customer can operate QR codes, digital business cards, restaurant menus and related features.
- Categories of Data Subjects: the Customer's employees, end-customers, scan visitors, and other people whose data the Customer chooses to upload.
- Types of Personal Data: names, contact details, profile photos, job titles, social handles, opt-in messages, device and scan metadata, and HMAC-hashed IP addresses.
4. Customer instructions
We will Process Personal Data only on the Customer's documented instructions, which include the Terms of Service and configurations the Customer makes in the Service. We'll notify the Customer if we believe an instruction violates applicable data-protection law.
5. Confidentiality
Our personnel authorised to access Personal Data are bound by written confidentiality obligations.
6. Security
We maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Current measures include TLS for data in transit, encryption at rest where supported by our database host, hashed passwords (via our authentication provider), HMAC-hashed visitor identifiers in analytics, least-privilege internal access, audit logging and scheduled credential rotation.
7. Sub-processors
The Customer authorises us to engage the following sub-processors, each of which is bound by terms no less protective than this DPA:
- Clerk — authentication.
- Stripe — payments and Connect payouts.
- Cloudflare — DNS, edge delivery, optional Workers/KV.
- Resend — transactional email.
- Database hosting provider — the managed MySQL host of record.
We'll give the Customer at least 30 days' prior notice of any new or replacement sub-processor. The Customer may object on reasonable data-protection grounds; if we can't resolve the objection, the Customer may terminate the affected portion of the Service.
8. International transfers
For transfers from the EEA, the UK or Switzerland to a country without an adequacy decision, the parties incorporate the SCCs (Module 2: Controller-to-Processor; Module 3 where Customer is itself a processor), with the UK Addendum and the Swiss equivalent as applicable. Annexes I.A, I.B, II and III are populated by reference to this DPA, Section 3 above, Section 6 above and Section 7 above respectively.
9. Data-subject requests
Taking into account the nature of the Processing, we'll assist the Customer with reasonable technical and organisational measures (insofar as possible) to respond to data-subject requests for access, rectification, erasure, restriction, portability and objection. Most requests can be fulfilled by the Customer directly through the dashboard.
10. Security incidents
We'll notify the Customer without undue delay (and where feasible within 72 hours) after becoming aware of a Personal Data breach affecting the Customer's data. Our notice will describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed.
11. Audits
On reasonable written notice (and no more than once per 12 months, unless required by a regulator or following a material breach), we will make available to the Customer information necessary to demonstrate compliance with this DPA. Audits will be conducted during business hours, subject to reasonable confidentiality undertakings, in a manner that does not unreasonably interfere with our operations or compromise other customers' data.
12. Deletion or return on termination
On termination of the Service, we will delete or return Personal Data within a reasonable period (typically 30 days), except to the extent applicable law requires storage.
13. Liability
Liability under this DPA is subject to the same caps and exclusions set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under applicable law.
14. Order of precedence
In the event of a conflict between the Terms of Service and this DPA in relation to the Processing of Personal Data, this DPA controls.
15. Contact
Data-protection contact: privacy@drentio.com. To execute a signed copy of this DPA for your records, email legal@drentio.com.