Data Processing Addendum
Last updated: February 18, 2026
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (the “Agreement”) between Point11 Solutions LLC (“Provider” or “Processor”) and the customer identified in the Agreement (“Customer” or “Controller”). This DPA applies to the extent Provider processes Personal Data on behalf of Customer in connection with the Services.
Capitalized terms not defined herein have the meanings given in the Agreement.
1. Definitions
- “Data Protection Laws” — all applicable laws and regulations relating to the processing of Personal Data, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and any other applicable data protection or privacy legislation.
- “Personal Data” — any information relating to an identified or identifiable natural person that is processed by Provider on behalf of Customer as part of Customer Data.
- “Processing” — any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
- “Security Incident” — any actual or reasonably suspected unauthorized access to, acquisition of, use of, or disclosure of Personal Data processed by Provider on behalf of Customer.
- “Sub-Processor” — any third party engaged by Provider to process Personal Data on behalf of Customer.
2. Scope and Roles
2.1 Customer is the Controller (or, where Customer acts on behalf of another controller, the Processor) of Personal Data. Provider is the Processor (or Sub-Processor, as applicable) of Personal Data.
2.2 This DPA applies to all Personal Data processed by Provider in connection with the Services, regardless of format or medium.
2.3 The subject matter, duration, nature, purpose, and categories of Personal Data and data subjects are described in Annex 1 to this DPA.
3. Processing Instructions
3.1 Provider shall process Personal Data only in accordance with Customer's documented instructions, unless required to do so by applicable law. The Agreement (including this DPA) constitutes Customer's initial instructions. Customer may issue additional written instructions consistent with the Agreement.
3.2 Provider shall immediately inform Customer if, in Provider's opinion, an instruction from Customer violates applicable Data Protection Laws.
3.3 Provider shall not process Personal Data for any purpose other than providing the Services as described in the Agreement.
4. Confidentiality
4.1 Provider shall ensure that all persons authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
4.2 Provider shall not disclose Personal Data to any third party except as authorized by Customer, required by law, or as permitted under this DPA (including to Sub-Processors).
5. Security
5.1 Provider shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in the Agreement (Section 6.2) and at point11.com/security.
5.2 Provider shall regularly test, assess, and evaluate the effectiveness of its security measures.
6. Sub-Processors
6.1 Customer provides general authorization for Provider to engage Sub-Processors to process Personal Data, subject to the requirements of this Section 6.
6.2 Provider maintains a current list of Sub-Processors at point11.com/legal/sub-processors.
6.3 Provider shall notify Customer at least thirty (30) days in advance of any intended addition or replacement of a Sub-Processor by updating the Sub-Processor list and notifying Customer via email to the address associated with Customer's account.
6.4 Customer may object to a new Sub-Processor by providing written notice to Provider within fifteen (15) days of receiving notification. If Customer objects on reasonable data protection grounds, the parties shall discuss the objection in good faith. If the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services without penalty by providing written notice.
6.5 Provider shall enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA. Provider remains fully liable for the acts and omissions of its Sub-Processors.
7. Data Subject Rights
7.1 Provider shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws.
7.2 If Provider receives a request directly from a data subject regarding Customer's Personal Data, Provider shall promptly redirect the data subject to Customer and notify Customer, unless prohibited by law.
8. Security Incident Notification
8.1 Provider shall notify Customer of any Security Incident without undue delay and in no event later than seventy-two (72) hours after becoming aware of the incident.
8.2 Such notification shall include, to the extent available: (a) the nature of the Security Incident, including the categories and approximate number of data subjects and records affected; (b) the likely consequences; (c) measures taken or proposed to address the incident; and (d) a contact point for further information.
8.3 Provider shall cooperate with Customer's investigation and response efforts and shall take all commercially reasonable steps to contain, remediate, and mitigate the effects of the Security Incident.
9. Data Protection Impact Assessments
Provider shall, taking into account the nature of Processing and the information available, provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Data Protection Laws.
10. International Data Transfers
10.1 Provider shall not transfer Personal Data outside the United States without Customer's prior written consent, except as necessary to provide the Services using infrastructure located in jurisdictions identified at point11.com/security.
10.2 Where Personal Data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to the United States, the parties rely on:
- (a) the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. Data Privacy Framework, as applicable), to the extent Provider is certified; or
- (b) the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), which are hereby incorporated by reference and available upon request.
10.3 Provider shall implement supplementary measures where required by applicable law to ensure an adequate level of protection for transferred Personal Data.
11. Audit Rights
11.1 Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.
11.2 Customer (or an independent third-party auditor appointed by Customer and subject to appropriate confidentiality obligations) may conduct an audit of Provider's processing activities no more than once per twelve-month period, upon at least thirty (30) days' prior written notice, during normal business hours, and in a manner that minimizes disruption to Provider's operations.
11.3 Audits shall be at Customer's expense, unless the audit reveals a material breach of this DPA, in which case Provider shall bear the reasonable costs.
11.4 Provider may satisfy audit requests by providing: (a) its most recent SOC 2 Type II report; (b) completed security questionnaires; or (c) other relevant third-party audit reports, provided such documentation reasonably addresses Customer's audit objectives.
12. Data Retention and Deletion
12.1 Upon expiration or termination of the Agreement, Provider shall, at Customer's election, return or delete all Personal Data in its possession within thirty (30) days, unless retention is required by applicable law.
12.2 Provider shall provide written certification of deletion upon Customer's written request.
12.3 Provider may retain Personal Data to the extent and for the duration required by applicable law, provided that Provider shall maintain the confidentiality and security of such retained data and shall not process it for any other purpose.
13. Duration and Termination
This DPA shall remain in effect for the duration of the Agreement. The obligations under this DPA shall survive termination of the Agreement to the extent Provider continues to process Personal Data on behalf of Customer.
14. Governing Law
This DPA shall be governed by the same governing law as the Agreement, except where Data Protection Laws require otherwise.
Annex 1: Details of Processing
- Subject Matter: Processing of Personal Data as necessary to provide the Services described in the Agreement.
- Duration: For the term of the Agreement, plus any post-termination retention period described in Section 12.
- Nature and Purpose: Hosting, storage, retrieval, analysis, display, transmission, and processing of Customer Data to deliver the Services, including website hosting, AI agent interactions, analytics, and commerce functionality.
- Categories of Personal Data: As determined by Customer, which may include: names, email addresses, phone numbers, IP addresses, device identifiers, browsing behavior, transaction data, voice recordings (where Voice Agent Services are used), chat transcripts, and any other personal data Customer submits to the platform.
- Categories of Data Subjects: As determined by Customer, which may include: Customer's employees, end users, website visitors, customers, prospects, and business contacts.
- Special Categories: Provider does not intentionally process special categories of personal data (e.g., health data, biometric data, racial/ethnic origin) unless Customer configures the Services to process such data. If Customer processes special categories, Customer is solely responsible for ensuring a lawful basis and obtaining required consents.