Data Processing Addendum (DPA)

Effective Date: March 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between:
REFLEKT LLC, a company established in Armenia (“Processor”, “we”, “us”), and the Customer (“Controller”).

This DPA applies where Processor processes Personal Data on behalf of Controller and where applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), apply.

1. Roles of the Parties
1.1 The Customer acts as the Data Controller.

1.2 REFLEKT LLC acts as the Data Processor.

Processor shall process Personal Data solely on documented instructions from the Controller, including as set forth in the Agreement and this DPA.

2. Subject Matter and Duration of Processing
The subject matter of processing is the provision of services, including but not limited to:
  • social media feed embedding
  • subscription management
  • affiliate attribution
  • analytics functionality
  • hosting and infrastructure services
  • customer support

Processing shall continue for the duration of the Agreement and any legally required retention period.

3. Nature and Purpose of Processing
Processing activities may include:
  • hosting and storage of account data
  • processing subscription and billing information
  • referral attribution and commission reporting
  • email communications
  • website analytics and performance monitoring
  • security monitoring and fraud prevention

Processor shall not process Personal Data for its own independent commercial purposes.

4. Categories of Data Subjects
Data subjects may include:
  • customer account holders
  • customer employees or authorized users
  • website visitors
  • end users whose publicly available content is displayed via authorized integrations

5. Categories of Personal Data
Depending on the Services used, Personal Data may include:
  • name
  • email address
  • account credentials
  • IP address
  • device and browser data
  • billing and transaction data
  • publicly available social media content (as authorized)
  • referral identifiers

Processor does not intentionally collect special categories of personal data.

6. Processor Obligations
Processor shall:
a) Process Personal Data only on documented instructions from Controller;
b) Ensure confidentiality of authorized personnel;
c) Implement appropriate technical and organizational safeguards;
d) Assist Controller with data subject requests;
e) Assist Controller in fulfilling obligations under Articles 32–36 GDPR;
f) Notify Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data breach;
g) Delete or return Personal Data upon termination, unless legally required to retain it;
h) Maintain documented information security policies aligned with industry standards;
i) Ensure personnel are subject to confidentiality obligations and receive data protection training;
j) Conduct regular risk assessments;
k) Implement data protection by design and by default (Article 25 GDPR);
l) Maintain records of processing activities where applicable (Article 30 GDPR).

7. Technical and Organizational Measures
Processor implements appropriate safeguards including:
  • EU-hosted infrastructure (primary hosting within the European Union)
  • encryption in transit (SSL/TLS)
  • encryption at rest (where applicable)
  • role-based access controls
  • secure authentication procedures
  • access logging and monitoring
  • least-privilege access model
  • network segmentation and firewall protection
  • DDoS protection mechanisms
  • regular vulnerability scanning and penetration testing
  • incident response procedures
  • backup and disaster recovery processes
  • business continuity planning
  • no uncontrolled local storage of production data

8. Subprocessors
8.1 Controller grants general authorization for Processor to engage subprocessors.

8.2 Subprocessors may include providers of:
  • cloud infrastructure
  • CDN and security services
  • payment processing
  • email delivery services
  • analytics services
  • affiliate and referral systems

8.3 Processor ensures that each subprocessor is bound by written contractual obligations providing a level of data protection consistent with this DPA.

8.4 Processor remains responsible for subprocessor compliance.

8.5 Upon reasonable request, Processor shall provide information regarding subprocessors.

8.6 Processor shall notify Controller of any intended changes concerning subprocessors at least 10 days in advance.

8.7 Controller may object on reasonable grounds, and Processor shall use commercially reasonable efforts to provide an alternative.

9. International Data Transfers
9.1 REFLEKT LLC is established in Armenia, which is not subject to an adequacy decision by the European Commission.

9.2 Access from Armenia constitutes an international transfer under GDPR.

9.3 Transfers shall be governed by the Standard Contractual Clauses (SCCs) (EU 2021/914), incorporated into this DPA. The parties agree that:
  • Module 2 (Controller to Processor) applies
  • Controller is the data exporter
  • REFLEKT LLC is the data importer

9.4 Processor implements supplementary safeguards including:
  • encrypted data transmission
  • strict access control and monitoring
  • least-privilege model
  • controlled administrative access

9.5 Where subprocessors process data outside the EEA, appropriate safeguards (SCCs, adequacy decisions, or EU-US Data Privacy Framework where applicable) shall apply.

9.6 Processor confirms that it has conducted a Transfer Impact Assessment (TIA) and determined that the applied safeguards ensure an adequate level of protection.

10. Data Subject Rights Assistance
Processor shall assist Controller in responding to requests relating to:
  • access
  • rectification
  • erasure
  • restriction
  • portability
  • objection

11. Personal Data Breach
Processor shall notify Controller without undue delay and in any event within 48 hours after becoming aware of a Personal Data breach.

Such notification shall include:
  • nature of the breach
  • categories and number of affected data subjects
  • likely consequences
  • mitigation measures taken

12. Data Retention and Deletion
Processor shall retain Personal Data only as long as necessary for the purposes of processing, unless a longer retention period is required by law.

Unless otherwise agreed:
  • account data: retained for the duration of the Agreement
  • billing data: retained for up to 7 years
  • logs: retained for up to 12 months

Upon termination:
  • Personal Data shall be deleted within 30 days
  • backups shall be overwritten within 90 days

13. Audit Rights
Processor shall make available information reasonably necessary to demonstrate compliance.

Processor may satisfy audit requirements by providing:
  • third-party certifications
  • security documentation
  • audit reports

On-site audits:
  • require reasonable advance notice
  • are subject to confidentiality
  • must not disrupt operations
  • are limited to once per year unless required by law or due to a security incident

14. Liability and Indemnification
Processor shall be liable for direct damages resulting from its breach of this DPA, subject to the limitations of liability set forth in the Agreement.

15. Data Localization and Access
Personal Data shall primarily be hosted within the EEA.

Access from third countries (including Armenia) shall be:
  • limited
  • controlled
  • logged

16. Automated Decision-Making
Processor does not perform automated decision-making or profiling within the meaning of Article 22 GDPR.

17. Order of Precedence
In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

© 2026 Mirror App. All rights reserved.