Data Processing Addendum

1. Definitions

In this DPA, the following terms have the meanings set forth below. Capitalized terms not defined in this DPA have the meanings given in the Agreement.

“Controller”

means the Customer, who determines the purposes and means of Processing Personal Data.

“Processor”

means FunnelMob, which Processes Personal Data on behalf of the Controller.

“Data Subject”

means an identified or identifiable natural person whose Personal Data is Processed under this DPA. This includes End Users of the Controller's applications.

“Personal Data”

means any information relating to a Data Subject that is Processed by the Processor on behalf of the Controller in connection with the Services.

“Processing” or “Process”

means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

“Processing Instructions”

means the Controller's documented instructions to the Processor regarding the Processing of Personal Data, as set forth in this DPA, the Agreement, and the Controller's configuration of the Services.

“Sub-Processor”

means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

“Security Incident”

means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by the Processor.

“Standard Contractual Clauses” or “SCCs”

means the standard contractual clauses for the transfer of Personal Data to processors established in third countries, as approved by the European Commission in Commission Implementing Decision (EU) 2021/914.

2. Scope and Roles

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services provided under the Agreement.

The Controller is the Data Controller for Personal Data collected from End Users through the FunnelMob SDK and other integrations. The Controller determines the purposes and means of Processing and is responsible for ensuring a valid lawful basis for Processing.

The Processor is the Data Processor and shall Process Personal Data only on documented instructions from the Controller, as set forth in this DPA and the Agreement. The Processor shall not Process Personal Data for any purpose other than providing the Services to the Controller.

The details of the Processing, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Annex I.

3. Processing Instructions

The Processor shall Process Personal Data only in accordance with the Controller's documented Processing Instructions. The Processing Instructions include: (a) the terms of the Agreement and this DPA; (b) the Controller's configuration of the Services (including SDK settings, privacy mode selections, and dashboard configurations); and (c) any additional written instructions agreed by the parties.

If the Processor believes that a Processing Instruction from the Controller infringes applicable data protection law, the Processor shall promptly inform the Controller. The Processor may suspend the relevant Processing until the Controller modifies or confirms the instruction, but is not obligated to independently assess the legality of the Controller's instructions.

The Processor shall not Process Personal Data for any purpose other than as instructed by the Controller, except where required by applicable law. In such cases, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification.

4. Confidentiality

The Processor shall ensure that all personnel authorized to Process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

The Processor shall ensure that access to Personal Data is limited to personnel who need access to fulfill the Processor's obligations under this DPA and the Agreement.

5. Security Measures

The Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents, as described in Annex II.

These measures include, but are not limited to:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
• Network firewalls, segmentation, and intrusion detection/prevention
• Role-based access controls with least-privilege principles
• Regular vulnerability scanning and penetration testing
• Secure software development lifecycle
• Employee security awareness training
• Documented incident response procedures
• Physical and environmental security for data center facilities (provided by sub-processors)

The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to ensure ongoing security of Processing.

6. Sub-Processing

The Controller authorizes the Processor to engage the Sub-Processors listed in Annex III as of the effective date of this DPA.

The Processor shall provide the Controller with at least thirty (30) days' advance written notice before engaging a new Sub-Processor or replacing an existing one. The notice shall include the Sub-Processor's name, the nature of the Processing, and the location of Processing.

The Controller may object to a new Sub-Processor by notifying the Processor in writing within the thirty (30) day notice period. If the Controller objects, the parties shall discuss the concern in good faith and work to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days of the Controller's objection, the Controller may terminate the affected Services without penalty.

The Processor shall:

• Enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA
• Remain fully liable to the Controller for the performance of each Sub-Processor's obligations
• Conduct appropriate due diligence on Sub-Processors before engagement

The current list of Sub-Processors is maintained in Annex III and in the Privacy Policy (Section 12).

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.

If the Processor receives a request from a Data Subject directly, the Processor shall: (a) promptly notify the Controller; (b) not respond to the request except on the Controller's documented instructions or as required by applicable law; and (c) provide the Controller with cooperation and information necessary to respond to the request.

The Processor provides the Controller with self-service tools via the dashboard and API to search for, access, export, rectify, delete, and restrict Processing of Data Subject data.

8. Data Breach Notification

The Processor shall notify the Controller of any Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Incident.

The notification shall include, to the extent available:

• A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned
• The name and contact details of the Processor's point of contact for further information
• A description of the likely consequences of the Security Incident
• A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident.

The Processor shall assist the Controller in fulfilling the Controller's obligation to notify supervisory authorities and Data Subjects, as required by applicable data protection law.

9. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required under GDPR Article 35 and Article 36, taking into account the nature of Processing and the information available to the Processor.

Such assistance may include providing information about the Processing activities, technical measures, and organizational safeguards implemented by the Processor.

10. International Data Transfers

To the extent that the Processing involves the transfer of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the parties agree to the following transfer mechanisms:

Standard Contractual Clauses (EU)

The Standard Contractual Clauses set forth in Commission Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference. For the purposes of the SCCs: (a) Module Two (Controller to Processor) applies; (b) the Controller is the “data exporter” and the Processor is the “data importer”; (c) the governing law is that of the EU Member State in which the Controller is established; and (d) the competent supervisory authority is the authority of the EU Member State in which the Controller is established.

UK International Data Transfer Addendum

For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the Information Commissioner's Office) is incorporated into this DPA by reference.

Swiss Transfers

For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Act on Data Protection (FADP), and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

Supplementary Measures

The Processor implements supplementary technical and organizational measures as described in Annex II, including encryption in transit and at rest, access controls, pseudonymization where feasible, and regular security assessments.

11. Return and Deletion of Data

Upon termination of the Agreement or upon the Controller's written request, the Processor shall, at the Controller's choice:

• Return: Make Personal Data available for export in a structured, commonly used, machine-readable format for thirty (30) days following termination.
• Delete: Delete all Personal Data within ninety (90) days of the expiration of the export window, unless applicable law requires retention.

Backup copies shall be purged within one hundred eighty (180) days of the deletion date.

Upon completion of deletion, the Processor shall provide written certification to the Controller confirming that Personal Data has been deleted, upon request.

The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor shall: (a) limit Processing to the purposes required by law; (b) maintain confidentiality of the retained data; and (c) delete the data when the legal retention requirement expires.

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Audit conditions:

• The Controller shall provide at least thirty (30) days' advance written notice of any audit.
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
• The Controller shall bear the costs of any audit, unless the audit reveals a material breach by the Processor.
• The auditor shall be bound by confidentiality obligations.
• Audits shall not occur more than once per twelve (12) month period, unless required by a supervisory authority or following a Security Incident.

As an alternative to an on-site audit, the Processor may, at its discretion, provide: (a) a summary of the results of a recent third-party audit or certification (e.g., SOC 2 Type II report); (b) responses to the Controller's written audit questionnaire; or (c) other documentation reasonably demonstrating compliance.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement (Terms of Service, Section 23).

Nothing in this DPA shall limit either party's liability for obligations that cannot be limited under applicable data protection law.

14. Duration and Termination

This DPA takes effect upon the Controller's acceptance of the Agreement and remains in effect for the duration of the Agreement.

The Processor's obligations under this DPA shall survive termination of the Agreement to the extent necessary to complete the return or deletion of Personal Data as described in Section 11, and for any Personal Data retained pursuant to legal obligations.

In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail.

Annex I: Details of Processing

A. Categories of Data Subjects

• End Users of the Controller's mobile and web applications
• Individuals who interact with the Controller's tracking links

B. Types of Personal Data

• Device identifiers (IDFV, Android ID, and where configured and consented: IDFA, GAID)
• Device and operating system information (model, OS version, app version)
• Network information (network type, carrier name)
• App usage data (sessions, screen views, events)
• Attribution data (install source, campaign, click timestamps)
• IP addresses (used for geo-lookup, then hashed or discarded within 24 hours)
• Locale, language, and timezone
• Where configured by Controller: in-app purchase data, subscription events, custom event properties, precise geolocation, deep link referral data

C. Purposes of Processing

• Mobile attribution and analytics
• Event tracking and funnel analysis
• Fraud detection and prevention
• AI-powered insights generation
• Link tracking and deep linking
• Remote configuration delivery
• Generating reports and dashboards for the Controller

D. Retention Periods

• Event data: 13 months (configurable shorter by Controller)
• Attribution data: 24 months (configurable shorter by Controller)
• Link tracking data: 24 months
• AI Agent query logs: 90 days
• Raw IP addresses: 24 hours maximum

Annex II: Technical and Organizational Security Measures

1. Encryption

• Data in transit: TLS 1.2 or higher for all communications
• Data at rest: AES-256 encryption for stored Personal Data
• Encryption key management with regular rotation

2. Access Controls

• Role-based access controls (RBAC) with least-privilege principles
• Multi-factor authentication for administrative access
• Regular access reviews and revocation of unnecessary privileges
• Unique user accounts—no shared credentials

3. Network Security

• Network firewalls and segmentation
• Intrusion detection and prevention systems (IDS/IPS)
• DDoS protection
• VPN or equivalent for remote administrative access

4. Application Security

• Secure software development lifecycle (SDLC)
• Code reviews and static analysis
• Regular vulnerability scanning
• Periodic penetration testing by qualified assessors
• Dependency management and security patching

5. Organizational Measures

• Employee background checks
• Security awareness training for all personnel
• Confidentiality agreements for all personnel
• Documented incident response plan
• Vendor security assessments before engagement
• Business continuity and disaster recovery planning

6. Data Minimization and Pseudonymization

• IP addresses hashed or discarded after geographic lookup (within 24 hours)
• Compliance Mode disables collection of all device identifiers
• Data retention limited to defined periods with automated deletion
• Pseudonymization applied where feasible to reduce risk

7. Physical Security

Physical security for data center facilities is managed by our infrastructure Sub-Processors (see Annex III), each of which maintains industry-standard physical security controls including access controls, environmental controls, surveillance, and redundancy.

Annex III: List of Sub-Processors

The following Sub-Processors are authorized to Process Personal Data on behalf of the Controller as of the effective date of this DPA:

This list is updated when Sub-Processors are added or removed. The Controller will receive thirty (30) days' advance notice of any changes as described in Section 6.