Data Processing Addendum

1. DEFINITIONS

• "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in applicable Data Protection Laws.
• "Processor" means SubJolt, when processing Personal Data on behalf of the Controller to provide the Service.
• "Controller" means the Customer, who determines the purposes and means of processing End User Personal Data.
• "Data Protection Laws" means all applicable data protection and privacy laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other applicable national or state data protection legislation.
• "Sub-processor" means any third party engaged by SubJolt to process Personal Data on behalf of the Controller.
• "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside the EEA (Commission Implementing Decision (EU) 2021/914).
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. SCOPE AND ROLES

SubJolt acts in two capacities depending on the data:

• As Processor: for End User data processed through the widget on the Customer's website (subscription identifiers, customer identifiers, session data, event data, and free-text cancellation reasons).
• As Controller: for the Customer's own account data (business name, email, billing information) which SubJolt collects and manages independently.

This DPA governs SubJolt's role as Processor. SubJolt's processing of Customer account data as Controller is governed by our Privacy Policy.

3. PROCESSING INSTRUCTIONS

SubJolt shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Controller's instructions are defined by: (a) the Principal Agreement and this DPA; (b) the Customer's widget configuration settings; and (c) any additional written instructions agreed upon by the parties. If SubJolt believes an instruction infringes Data Protection Laws, it will promptly notify the Controller.

4. PERSONNEL AND CONFIDENTIALITY

SubJolt ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform their duties in connection with the Service.

5. SECURITY MEASURES

SubJolt implements and maintains appropriate technical and organizational security measures, including:

• Encryption of data in transit (TLS 1.2+) and at rest.
• Secure storage of payment gateway credentials (server-side only, never exposed to client code).
• Access controls and authentication (role-based access, session management).
• Input validation and rate limiting on all API endpoints.
• Error logging with automatic redaction of sensitive values (API keys, tokens).
• Regular security reviews of code and infrastructure.

See Annex II below for a detailed description of security measures.

6. SUB-PROCESSORS

The Controller provides general authorization for SubJolt to engage Sub-processors to assist in providing the Service. The current list of authorized Sub-processors is maintained at https://subjolt.com/subprocessors.

• Prior notice: SubJolt will notify the Controller at least 30 days before adding or replacing a Sub-processor by updating the Subprocessors page and sending email notification to the Controller's registered email address.
• Right to object: if the Controller has a reasonable objection to a new Sub-processor, the Controller may notify SubJolt in writing within 15 days of receiving notice. The parties will work in good faith to find an alternative. If no resolution is reached, the Controller may terminate the affected Service without penalty.
• Sub-processor obligations: SubJolt imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA. SubJolt remains liable for the acts and omissions of its Sub-processors.

7. DATA BREACH NOTIFICATION

SubJolt will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Data Breach involving Personal Data processed on behalf of the Controller. The notification will include:

• A description of the nature of the Data Breach.
• The categories and approximate number of Data Subjects and records affected.
• The likely consequences of the Data Breach.
• The measures taken or proposed to address the breach and mitigate its effects.
• The contact point for further information (privacy@subjolt.com).

8. DATA SUBJECT REQUESTS

SubJolt will reasonably assist the Controller in fulfilling its obligation to respond to Data Subject requests (including requests for access, rectification, erasure, restriction, portability, and objection). If SubJolt receives a request directly from a Data Subject, it will promptly forward the request to the Controller and will not respond to the Data Subject directly unless instructed by the Controller.

9. DATA TRANSFERS

SubJolt is based in the United States. For transfers of Personal Data from the EEA or UK to the US:

• SubJolt relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor). The SCCs are incorporated by reference into this DPA.
• For transfers from the UK, SubJolt additionally relies on the UK International Data Transfer Addendum (IDTA) to the EU SCCs.
• SubJolt implements supplementary measures (encryption, access controls, data minimization) to ensure an adequate level of protection for transferred data.

10. AUDIT RIGHTS

SubJolt will make available to the Controller, on reasonable request and at the Controller's expense, all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. SubJolt will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice (at least 30 days), confidentiality obligations, and scope limited to SubJolt's processing of the Controller's Personal Data. Audits shall not occur more than once per calendar year unless required by a supervisory authority.

11. DATA DELETION AND RETURN

Upon termination of the Principal Agreement, SubJolt will, at the Controller's election, return or delete all Personal Data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage. The Controller may request data export during this 30-day period. After the 30-day period, SubJolt will delete all remaining Personal Data, including event logs, configurations, and stored gateway credentials.

12. CCPA PROVISIONS

To the extent the CCPA applies, SubJolt acts as a "Service Provider" (as defined in the CCPA) with respect to Personal Data processed on behalf of the Controller. SubJolt:

• Shall not sell or share the Controller's Personal Data.
• Shall not retain, use, or disclose Personal Data for any purpose other than performing the Service, as specified in the Principal Agreement.
• Shall not combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA.
• Will assist the Controller in responding to verifiable consumer requests.

13. TERM AND SURVIVAL

This DPA remains in effect for the duration of the Principal Agreement and for as long as SubJolt processes Personal Data on behalf of the Controller. The obligations under Sections 4 (Confidentiality), 5 (Security), 7 (Breach Notification), 10 (Audit Rights), and 11 (Data Deletion) survive termination.