1. Definition

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Protection Law” means all applicable legislation relating to data protection and privacy, including without limitation the European Union Data Protection Directive 95/46/EC and all local laws and regulations amending or replacing it, including the General Data Protection Regulation (GDPR), together with national implementing laws of any Member State of the European Union or, to the extent applicable, any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processings” and “processed” shall be construed accordingly.

“Data Subject” means the individual to whom the personal data relates.

“GDPR” means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing and on the free movement of personal data.

“Instruction” means the written and documented instruction issued by the Controller to the Processor requesting a specific action with respect to Personal Data (including, without limitation, depersonalization, blocking, deletion and making available).

“Permitted Affiliates” means any of Customer’s Affiliates who (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not entered into their own separate agreement with Sozialens and are not a “Customer” as defined in the Agreement, (ii) are classified as a Controller of Personal Data Processed by Sozialens, and (iii) are subject to European Data Protection Laws.

“Personal data” means any information relating to an identified or identifiable individual when such information is contained in customer data and protected in a similar manner to personal data or personally identifiable information under Data Protection Law.

“Personal data breach” means a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on personal data, including recording, collection, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Standard Contractual Clauses” means the standard contractual clauses for processors approved pursuant to the European Commission decision of 4.6.2021 on standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council.

“Subprocessor List” means Sozialens subprocessor page available at https://sozialens.com/en/subprocessor-list.

2. Processing information

a. Categories of data subjects. The controller may submit personal data to the Subscription Service, to the extent determined and controlled by the controller in its sole discretion, including, without limitation, contacts and other end users, such as employees, contractors, collaborators, customers, influencers, suppliers and subcontractors of the controller. Individuals who intend to communicate or transfer personal data to the controller's end users are also considered to be data subjects.

b. Types of personal data. Contact information (as defined in the Terms and Conditions of Service for Sozialens customers), to the extent determined and controlled by the customer in its sole discretion, and other personal data, such as navigation data (including website usage information), email data, system usage data, application integration data and other electronic data sent, stored or received by end users through the Subscription Service.

c. Nature and purpose of processing. The purpose of the processing of personal data by the processor is to provide services to the controller that is involved in the processing of personal data. Personal data will be subject to such processing activities as specified in the Agreement or a Purchase Order.

d. Purpose of processing. Personal data will be processed to provide the stated services, to the extent indicated by Controller and your use of the services, and agreed to in the Agreement and any applicable Purchase Order.

e. Duration of processing. Personal data will be processed for the duration of the Agreement, pursuant to Section 4 of this DPA.

3. Responsibility of the controller (the Client)

a. Compliance with Laws. Within the scope of the Agreement and in its use of the Services, Customer shall be responsible for complying with all requirements applicable to it under applicable Data Protection Laws with respect to the Processing of Personal Data and the Instructions it issues to Sozialens.

In particular, but without prejudice to the foregoing, Customer acknowledges and agrees that it shall be solely responsible for: (i) the accuracy, quality and legality of Customer Data and the means by which Customer acquired the Personal Data; (ii) complying with all necessary transparency and legality requirements under applicable Data Protection Laws for the collection and use of Personal Data, including obtaining any necessary consents and authorizations (particularly for Customer's use for marketing purposes); (iii) ensuring that it has the right to transfer or provide access to the Personal Data to Sozialens for processing in accordance with the terms of the Agreement (including this DPA); (iv) ensure that your Instructions to Sozialens regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) comply with all laws (including Data Protection Laws) applicable to any email or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of emails, and your email implementation practices. Customer shall inform Sozialens without undue delay if it is unable to comply with its responsibilities under this subsection (a) or applicable Data Protection Laws.

b. Controller Instructions. The parties agree that the Agreement (including this DPA), together with Customer’s use of the Subscription Service in accordance with the Agreement, constitute Customer’s complete and final Instructions to Sozialens in relation to the Processing of Personal Data, and any additional instructions outside the scope of the Instructions will require prior written agreement between Customer and Sozialens.

4. Processor Obligations (Sozialens)

a. Compliance with Instructions. The parties acknowledge and agree that Customer is the controller of the personal data and Sozialens is the processor of such information. Sozialens will only process personal data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s legal instructions, except where and to the extent required by applicable law. Sozialens is not responsible for compliance with Data Protection Laws applicable to Customer or Customer’s industry that generally do not apply to Sozialens.

b. Conflict of Laws. If Processor believes that an instruction from Controller infringes Data Protection Law, Processor must notify Controller immediately. If Processor is unable to process personal data in accordance with instructions due to a legal requirement under any European Union or Member State law, Processor will (i) promptly inform Controller of that legal requirement before carrying out the relevant processing to the extent permitted by Data Protection Law; and (ii) suspend processing (activities other than merely safeguarding and maintaining the security of the affected personal data) until the controller provides further instructions that the processor is able to comply with. If this provision is invoked, then pursuant to the Agreement, the processor shall not be liable to the controller for failure to provide the relevant Subscription Services until the controller provides further instructions regarding processing.

c. Security. Sozialens will implement and maintain appropriate technical and organizational measures to adequately protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure and access, as described in Schedule 2 of this DPA ("Security Measures"). Notwithstanding anything to the contrary, Sozialens may modify or update the Security Measures at its discretion, provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. Such measures include, without limitation, the following:

i. Prevent access by unauthorized persons to personal data processing systems.

ii. Prevent unauthorized use of personal data processing systems.

iii. Ensure that persons eligible to use the personal data processing system have access only to the personal data to which they are authorized to access in accordance with their access rights, and that, during processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization.

iv. Ensure that personal data are not read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the recipient entities of any transfer of personal data can be established and verified using data transmission facilities.

v. Ensure that an audit trail is established to document whether and by whom personal data were entered, modified or deleted from processing systems.

vi. Ensure that personal data are processed only in accordance with instructions.

vii. Ensuring that personal data is protected against accidental destruction or loss.

The processor shall assist the controller in fulfilling its obligation to implement security measures with respect to personal data (including, where applicable, the controller's obligations under Articles 32 to 34 [inclusive] of the GDPR), by (i) implementing and maintaining the security measures described in Schedule 2, (ii) complying with the terms of Section 4.d. (Personal data breach); and (iii) providing the controller with information relating to the processing in accordance with Section 6 (Audits).

d. Confidentiality. The processor shall ensure that personnel authorized by the processor to process personal data on its behalf are subject to confidentiality obligations with respect to that personal data. The confidentiality commitment shall survive completion of the activities referred to above.

e. Personal data breach. The processor shall notify the controller without undue delay of any personal data breach of which it becomes aware. At the controller's request, the processor shall provide the controller with all assistance reasonably necessary to notify the controller of any relevant personal data breach, if the controller is required to do so pursuant to the Data Protection Law.

Data Protection.

f. Deletion or recovery of personal data. In addition to the extent required to comply with Data Protection Law, after termination or expiration of the Agreement, the processor will delete or return all personal data (including copies thereof) processed pursuant to this DPA. If the processor is unable to delete personal data for technical or other reasons, the processor will take reasonable steps to ensure that the personal data is blocked from any further processing.

Upon termination or expiration of the Agreement and upon issuance of an instruction, the controller shall, within a period set by the processor, stipulate reasonable steps to return the data or delete the stored data. Any additional costs arising from the return or deletion of personal data after termination or expiration of the Agreement shall be borne by the controller.

The processor will enable the controller to delete personal data of end users using the functionality of the Subscription Service.

g. Data protection impact assessments and consultation with supervisory authorities. To the extent that the requested information is available to the processor and the controller does not have access to the requested information, the processor shall provide such reasonable assistance to the controller with data protection impact assessments and, after consultation with supervisory or other competent authorities, as the controller considers reasonable pursuant to Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the processing of personal data.

5. Interested party requests

The Processor will enable the Controller to respond to data subject requests to exercise their rights under applicable Data Protection Law in a manner consistent with the functionality of the Subscription Service. To the extent that the Controller is unable to comply with a data subject request, at the Controller's request, the Processor may offer reasonable assistance to the Controller to comply with such request to the extent possible and only as required by applicable Data Protection Law. The Controller shall reimburse the Processor for commercially reasonable costs incurred in connection with this assistance.

The Processor will offer reasonable assistance, including the implementation of appropriate technical and organizational measures subject to the nature of the processing, to enable the Controller to respond to any data subject requests to exercise their rights under Data Protection Law in respect of personal data (including rectification, restriction, erasure or portability of, and access to, personal data as applicable), to the extent permitted by law. If such a request is made directly to the processor, the processor shall immediately inform the controller and suggest that data subjects forward their request to the controller. The controller shall be solely responsible for responding to data subjects' requests.

6. Audits

In accordance with data protection laws and in response to a reasonable written request from the controller, the processor may make available to the controller information in its possession or control relating to the processor's compliance with the obligations of data processors under the Data Protection Law, in respect of its processing of personal data.

The controller may, upon written request and at least 30 days' notice to the processor, during normal business hours and without interrupting the processor's business operations, conduct an on-site inspection of the processor's business operations or request that a qualified external auditor do so with the processor's approval, which shall not be unreasonably withheld.

Upon written request from the controller with at least 30 days' notice, the processor may provide the controller with all information necessary for such audit, to the extent that such information is within the processor's control and the processor is not prevented from disclosing it pursuant to applicable law, an obligation of confidentiality or any other obligation to a third party.

7. Subprocessors or Subcontractors

a. Appointment of Subprocessors. Controller acknowledges and agrees (a) to the engagement as subprocessor of Processor Affiliates and the third parties listed in our Subprocessor List, and (b) that Processor and Processor Affiliates may respectively appoint third party subprocessors in connection with the provision of the Subscription Service.

Where the Processor's activity includes engagement with a Subprocessor, Processor will enter into a contract with such Subprocessor that imposes on the Subprocessor the same obligations as the Processor under this DPA. Where the Subprocessor fails to comply with its data protection obligations, Processor shall remain liable to Controller for the Processors' compliance with such obligations.

Where a subprocessor is engaged, the controller shall have the right to monitor and inspect the subprocessor's activities in accordance with this DPA and the Data Protection Law, including to obtain information from the processor, upon written request, regarding the material terms of the contract and the implementation of data protection obligations under the subprocessing contract, where necessary, by reviewing the relevant documents.

The provisions of this Section 7 shall apply mutually if the processor's activity includes the engagement of a subprocessor in a country outside the European Economic Area ("EEA") that is determined by the European Commission to not provide an adequate level of protection of personal data. If during the term of this DPA Sozialens transfers personal data to a subprocessor located outside the EEA, prior to such transfer, Sozialens shall ensure that a legal mechanism is in place to achieve adequacy of processing.

b. List of current processors and notification or objection to new processors. If the processor intends to instruct subprocessors other than the companies listed in the Subprocessor List, it shall notify the controller by updating the List and give the controller the opportunity to object to the interaction of the new subprocessors within 30 days of the notification. The objection must be based on reasonable grounds. If the processor and the controller are unable to resolve such objection, each party may terminate the Agreement by providing written notice to the other party. The controller may receive a refund of any prepaid and unused fees for the period following the effective date of termination.

8. Data transfers

The Controller acknowledges and agrees that in connection with the provision of the services set forth in the Agreement, personal data will be transferred to Sozialens, S.L., in the EU and other jurisdictions where the subprocessors have operations. The Processor may access and process personal data on a global basis as necessary to provide the Subscription Service, in accordance with the Sozialens Customer Service Terms and Conditions.

To the extent that the Controller or the Processor uses a specific statutory mechanism to standardize international data transfers and that mechanism is subsequently revoked or declared invalid by a court of competent jurisdiction, the Controller and the Processor agree to cooperate in good faith to achieve an appropriate alternative mechanism that will allow the transfer to be made lawfully.

9. Additional provisions for European data

a. Scope of Section 9. This Section 9 (Additional Provisions for European Data) shall apply only with respect to European Data.

b. Roles of the Parties. When processing European Data in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is the controller of European Data and Sozialens is the processor.

c. Instructions. If Sozialens believes that a Customer Instruction violates European Data Protection Laws (where applicable), it will inform Customer without delay.

d. Notification and Objection to New Subprocessors. Sozialens will notify Customer of any changes to Subprocessors by updating the Subprocessor List and will give Customer the opportunity to object to the engagement of the new Subprocessor on reasonable grounds relating to the protection of Personal Data within 30 days of updating the Subprocessor List. If Customer notifies Sozialens of such an objection, the parties will discuss Customer’s concerns in good faith with a view to reaching a commercially reasonable resolution. If such a resolution cannot be reached, Sozialens will, in its sole discretion, either not appoint the new Subprocessor or allow Customer to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

e. Data protection impact assessments and consultation with supervisory authorities. To the extent that the required information is reasonably available to Sozialens, and Customer does not have access to the required information, Sozialens will provide reasonable assistance to Customer with any data protection impact assessments and prior consultation with supervisory authorities or other competent data privacy authorities to the extent required by European data protection laws.

f. Transfer mechanisms for data transfers. Sozialens will not transfer European Data to any country or recipient that is not recognized as providing an adequate level of protection of Personal Data (within the meaning of European Data Protection Law), unless it first takes all necessary steps to ensure the transfer complies with applicable European data protection laws. Such steps may include (without limitation) transferring such data to a recipient that has obtained authorization under binding corporate rules pursuant to European Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

g. Demonstration of Compliance. Sozialens will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and to enable and contribute to audits, including inspections of Customer to assess compliance with this DPA. Customer acknowledges and agrees that it will exercise its audit rights under this DPA by instructing Sozialens to comply with the audit measures described in this subsection (g). Customer acknowledges that the Subscription Service is hosted by Sozialens data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001) and that Sozialens systems are regularly tested by independent third-party penetration testing firms. Upon request, Sozialens will provide (on a confidential basis) a summary copy of its penetration testing reports to Customer so that Customer may verify Sozialens compliance with this DPA. In addition, upon Customer’s written request, Sozialens will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer necessary to confirm Sozialens compliance with this DPA, provided that Customer will not exercise this right more than once per calendar year.

10. General Provisions a. Modifications. Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 4(c) (Security), Sozialens reserves the right to make updates and changes to this DPA and the terms that apply in Section 10(a) “Modifications” of the Agreement.

b. Nullity and Ineffectiveness. In the event of a conflict, this DPA shall take precedence over the provisions of the Agreement. If any individual provision of this DPA is held to be invalid or unenforceable, the validity and enforceability of the remaining provisions of this DPA shall not be affected.

c. Limitation of Liability. Each party and each of its Affiliates’ liability, taken together, arising out of or in connection with the Agreement, shall be indemnified and held harmless from any and all claims, damages, losses, liabilities, costs, expenses, or expenses incurred by Sozialens.

Any and all claims arising under this DPA (and any other DPA between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the section of the Agreement entitled 'Limitation of Liability' and any reference in that section to the liability of one party means the aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, if Sozialens, SL, is not a party to the Agreement, the section of the Agreement entitled 'Limitation of Liability' shall apply between the Client and Sozialens, SL, and in such regard any reference to Sozialens, 'we', 'us' or 'our' shall include both Sozialens, SL, and the Sozialens entity that is a party to the Agreement.

d. Applicable law and competent jurisdiction. This Agreement is subject by agreement of both parties, the Client and Sozialens, to the Spanish legal system. The Client and Sozialens expressly waive any jurisdiction that may apply to them under the law and submit to the jurisdiction of the Courts and Tribunals of the city of Madrid. This DPA shall be governed by and construed in accordance with the laws in force and the jurisdiction provisions in the Agreement, unless Data Protection Laws require otherwise.

Annex 1: Processing details

This Annex forms part of the Clauses. Member States may, according to their national procedures, complete or specify any additional necessary information to be included in this Annex.

A. Data Exporter

The data exporter is the Client, as defined in the Sozialens Customer Service Terms and Conditions (“Agreement”).

B. Data Importer

The data importer is Sozialens, S.L., a global provider of influencer marketing software.

C. Data Subjects

Categories of data subjects established pursuant to Section 2 of the Data Processing Agreement to which the Clauses are attached.

D. Data Categories

Categories of personal data established pursuant to Section 2 of the Data Processing Agreement to which the Clauses are attached.

E. Special Data Categories (if applicable)

The parties do not anticipate the transfer of special categories of data.

F. Processing Operations

Processing activities established pursuant to Section 2 of the Data Processing Agreement to which the Clauses are attached:

Annex 2: Technical and organizational security measures

This Annex forms part of the Clauses.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or accompanying documentation/legislation):

Sozialens currently complies with the security practices described in this Annex 2. Notwithstanding anything to the contrary agreed to by the data exporter, Sozialens may modify or update these practices at its discretion provided that such modification and update do not result in a material degradation in the protection offered by these practices. All capitalized terms not defined herein shall have the meanings set forth in the Agreement.

a) Access control

i) Prevention of unauthorized access to products

Outsourced processing: Sozialens hosts its service with third-party cloud infrastructure providers. Sozialens also maintains contractual relationships with vendors to provide the service in accordance with our Data Processing Agreement. Sozialens relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by vendors.

Physical and Environmental Security: Sozialens hosts its product infrastructure with third-party multi-tenant infrastructure providers. Physical and environmental security controls are audited for compliance with SOC 2 Type II and ISO 27001, among other certifications.

Authentication: Sozialens has implemented a uniform password policy for its customers' products. Customers interacting with the products through the user interface must authenticate before accessing non-public customer data.

Authorization: Customer data is stored on multi-tenant storage systems that customers can access only through application user interfaces and application programming interfaces. Customers do not have direct access to the underlying application infrastructure. The authorization model in each of Sozialens products is designed to ensure that only appropriately assigned individuals can access the relevant features, visualizations, and customization options. Authorization checks for accessing datasets are performed by validating user permissions against attributes associated with each dataset.

Application Programming Interface (API) Access: Public product APIs can be accessed using an API key or through Oauth authorization.

ii) Preventing Unauthorized Product Use

Sozialens implements industry-standard access controls and detection capabilities for the internal networks supporting its products.

Access Controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include virtual private cloud (VPC) deployments, security group assignment, and traditional firewall rules.

Intrusion Detection and Prevention: Sozialens implemented a Web Application Firewall (WAF) solution to protect client-hosted websites and other applications accessed over the Internet. The WAF is designed to identify and prevent attacks against publicly available network services.

Static Code Analysis: Security reviews are performed on code stored in Sozialens source code repositories to check for good coding practices and identifiable software flaws.

Penetration Testing: Sozialens uses industry-recognized penetration testing service providers to perform four penetration tests per year. The goal of penetration testing is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

Bug Bounties: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. Sozialens has implemented a bug bounty program to expand the opportunities available to work with the security community and improve product defense against sophisticated attacks.

iii) Limitations on privilege and authorization requirements

Access to products: A subset of Sozialens employees have access to products and customer data through interfaces Controlled Access: The purpose of providing access to a subset of employees is to provide the customer with effective technical support, troubleshoot potential issues, detect and resolve security incidents, and implement data security protection measures. Access is enabled through just-in-time requests; these requests are logged. Employees are granted access based on their position, and high-risk privilege grants are reviewed daily. Employee roles are reviewed at least once every six months.

Background Check: All Sozialens employees undergo a third-party background check prior to being offered employment, in accordance with applicable laws. All employees must comply with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In Transit: Sozialens offers HTTPS encryption (also known as SSL or TLS) on each of its login interfaces and free of charge on each customer site hosted on Sozialens products. Sozialens implements the HTTPS protocol using industry-standard algorithms and certificates.

At Rest: Sozialens stores user passwords in accordance with policies that follow industry-standard practices for security. Sozialens has implemented technologies to ensure that stored data is encrypted at rest.

c) Input Control

Detection: Sozialens designed its infrastructure to record extensive information about system behavior, incoming traffic, system authentication, and other application requests. Aggregate internal systems record data and alert relevant employees about malicious, unwanted, or anomalous activity. Sozialens personnel, including security, operations, and support personnel, respond to known incidents.

Response and Monitoring: Sozialens maintains a log of known security incidents that includes descriptions, dates and times of relevant activities, and incident resolution. Security, operations, and support personnel investigate suspected and confirmed security incidents; Appropriate measures for the resolution of these incidents are identified and documented. For any confirmed incident, Sozialens will take appropriate steps to minimize product or customer damage, or unauthorized disclosure.

Communication: If Sozialens becomes aware of illegal access to customer data stored on its products it will: 1) notify affected customers of the incident; 2) provide a description of the steps Sozialens is taking for the incident; and 3) provide status updates to the customer contact as Sozialens deems necessary. In the event of incident notifications, they will be sent to one or more of the customer contacts in a manner arranged by Sozialens, including by email or telephone.

d) Availability Control

Infrastructure Availability: Infrastructure providers use commercially reasonable efforts to ensure a minimum uptime of 99.9%. Providers maintain a minimum of N+1 redundancy for power, network, and air conditioning services.

Fault Tolerance: Backup and replication strategies are designed to ensure redundancy and failover protections during a major processing failure. Backed-up customer data is stored in multiple durable data stores and replicated across multiple Availability Zones.

Online Backups and Replicas: To the extent possible, production databases are designed to replicate data between at least 1 primary and 1 secondary database. All databases are backed up and maintained using industry-standard methods.

Sozialens products are designed to ensure redundancy and seamless failover. Server instances supporting the products are also built with the goal of avoiding single points of failure. This design helps Sozialens operations maintain and update product applications and back-end capacity while limiting downtime.