DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is entered into by and between:

[INSERT LEGAL NAME], with its registered address at [INSERT ADDRESS] (“Customer”); and

ENGAGESPARK, INC., a Delaware corporation with its registered address at 16192 Coastal Highway, 19958 Lewes, DE, United States (“Processor” or “engageSPARK”).

This DPA forms part of and is incorporated into the engageSPARK Terms of Service between Customer and Processor (the “Parties”) as well as any additional agreement entered into by the Parties related to the Services (collectively, the “Agreement”). This DPA is effective as of [INSERT EFFECTIVE DATE].

1. Definitions

1.1 Applicable Data Protection Law means any law applicable to the Processing of Contact Personal Information under the Agreement, including, where applicable: (a) Regulation (EU) 2016/679 (“EU GDPR”); (b) the EU GDPR as incorporated into United Kingdom law and supplemented by the Data Protection Act 2018 (“UK GDPR”); and (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”) – in each case as amended, replaced, or superseded from time to time – and any other data protection or privacy law that is materially equivalent to the EU GDPR, UK GDPR, or CCPA.

1.2 Contact Personal Information means any personal data or personal information relating to Customer’s contacts, beneficiaries, end users, subscribers, recipients, respondents, callers, survey participants, chatbot users, message recipients and originators or other individuals (collectively “Contacts”) whose information is submitted to the Services by the Customer or the Contacts, and which engageSPARK Processes on Customer’s behalf under the Agreement.

1.3 Controller, Processor, Processing, Personal Data Breach, Data Subject, and Subprocessor have the meanings given to them under Applicable Data Protection Law. Where the CCPA applies, references to a Controller include a “business” and references to a Processor include a “service provider,” as those terms are defined under the CCPA.

1.4 Security Measures means the technical and organizational measures described in Annex 2.

1.5 Services means the services provided by engageSPARK under the Agreement.

1.6 Restricted Transfer means a transfer of Contact Personal Information that is restricted under Applicable Data Protection Law in the absence of an approved transfer mechanism.

1.7 Channel Providers means third-party telecommunications carriers, mobile network operators, SMS aggregators, voice carriers, and similar communications infrastructure providers used to transmit communications to and from Data Subjects on Customer’s Documented Instructions.

1.8 Customer’s Documented Instructions means the Agreement, this DPA, Customer’s configuration and use of the Services, and Customer’s written support or administrative instructions – each individually and together.

2. Scope and Roles

2.1 This DPA applies only to engageSPARK’s Processing of Contact Personal Information on Customer’s behalf in connection with the Services.

2.2 As between the parties, Customer is the Controller and Customer appoints engageSPARK as the Processor of Contact Personal Information.

2.3 This DPA does not apply to data Processed by engageSPARK as an independent controller, including:

(a) account registration and login data;

(b) billing, payment, tax, invoicing, and collections data;

(c) Customer business contact and relationship-management data;

(d) operational metadata generated by engageSPARK in the course of administering, securing, and protecting the Services against abuse, fraud, and unlawful use, to the extent such metadata is generated by engageSPARK rather than submitted by Customer and does not contain Contact Personal Information; and

(e) legal compliance, recordkeeping, and claims-related data.

2.4 The Processing covered by this DPA is described in Annex 1.

3. Processing Instructions

3.1 engageSPARK will Process Contact Personal Information only on Customer’s Documented Instructions, unless required to do otherwise by applicable law.

3.2 Customer is responsible for:

(a) the lawfulness of the Contact Personal Information and the means by which Customer collected it;

(b) providing all notices and obtaining all consents and other legal bases required under Applicable Data Protection Law;

(c) ensuring that its instructions to engageSPARK are lawful; and

(d) using the Services in compliance with Applicable Data Protection Law.

3.3 If engageSPARK becomes aware that an instruction infringes Applicable Data Protection Law, engageSPARK will promptly inform Customer and may suspend the affected Processing unless and until Customer withdraws the instruction or provides revised documented instructions that do not infringe Applicable Data Protection Law.

3.4 Restrictions on engageSPARK’s Use of Contact Personal Information. For the avoidance of doubt, and consistent with Section 3.1, engageSPARK will not: (a) sell or share Contact Personal Information; (b) retain, use, or disclose Contact Personal Information for any purpose other than providing the Services to Customer pursuant to Customer’s Documented Instructions; (c) retain, use, or disclose Contact Personal Information outside the scope of the Agreement; or (d) use Contact Personal Information to develop, train, fine-tune, evaluate, or improve any artificial intelligence, machine learning, large language, or similar models, except where such Processing is requested by Customer. engageSPARK may generate aggregated or de-identified data derived from the Services for engageSPARK’s legitimate business purposes, provided that such data cannot reasonably be used to identify any Data Subject and is not re-identified.

3.5 Special Categories of Personal Data. While the Services may be used in contexts that involve special categories of personal data within the meaning of Article 9 of the EU GDPR or UK GDPR (including data concerning health, ethnic origin, or religious beliefs that may arise in humanitarian, public health, and similar use cases), engageSPARK does not provide functionality, certifications, or controls specifically designed for special category processing unless expressly agreed in writing. Customer is solely responsible for: (a) ensuring it has a valid legal basis under Article 9 or 10 of the EU GDPR or UK GDPR (as applicable); (b) implementing additional appropriate safeguards required by Applicable Data Protection Law; (c) configuring its use of the Services (including retention settings, access controls, channel selection, and the content of communications) consistent with the heightened sensitivity of such data; and (d) notifying engageSPARK in advance where required to enable engageSPARK to assess and, if necessary, agree on supplemental measures. engageSPARK does not undertake to provide functionality, certifications, or controls specific to the Processing of special category data unless expressly agreed in writing.

4. Confidentiality

4.1 engageSPARK will ensure that persons authorized to Process Contact Personal Information are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

4.2 engageSPARK will limit access to Contact Personal Information to persons who need such access to provide, support, secure, or maintain the Services.

5. Security

5.1 engageSPARK will implement and maintain appropriate technical and organizational measures designed to protect Contact Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Contact Personal Information.

5.2 The Security Measures are described in Annex 2.

5.3 engageSPARK may update the Security Measures from time to time, provided that such updates do not materially reduce the overall security of the Services.

6. Subprocessors

6.1 Customer generally authorizes engageSPARK to engage Subprocessors in connection with the Services.

6.2 engageSPARK will maintain a list of authorized Subprocessors in Annex 3.

6.3 engageSPARK will enter into a written agreement with each Subprocessor imposing data protection obligations appropriate to the nature of the services provided and no less protective of Contact Personal Information than those set out in this DPA, to the extent applicable.

6.4 engageSPARK will remain responsible for the acts and omissions of its Subprocessors to the extent required by Applicable Data Protection Law, subject to the liability limitations in the Agreement.

6.5 engageSPARK will provide Customer with at least thirty (30) days’ prior notice before authorizing a new Subprocessor that will Process Contact Personal Information. Notice will be provided by email to the email address on file for Customer’s account administrators (specifically, the users with the roles “Owner” and “Manager” in the engageSPARK platform) or such other notification mechanism as engageSPARK may make available from time to time. Customer is responsible for keeping its account contact information current and for ensuring that designated personnel monitor those addresses.

6.6 If Customer has a reasonable objection to a proposed new Subprocessor on data protection grounds, Customer must notify engageSPARK within that thirty (30) day period. The parties will work in good faith to address the objection.

6.7 If the parties cannot resolve the objection, Customer may terminate the affected Services or cancel its account before the new Subprocessor begins Processing Contact Personal Information.

6.8 Channel Providers. Customer acknowledges that the Services rely on Channel Providers to transmit communications to and from Data Subjects on Customer’s instructions. Channel Providers act as independent controllers or independent processors of Contact Personal Information under their own terms and applicable telecommunications law for the purpose of transmitting, routing, and delivering communications as telecommunications carriers and transmitters. engageSPARK does not control the Processing performed by Channel Providers in their role as mere conduits transmitting communications, and Channel Providers are not Subprocessors of engageSPARK for purposes of this DPA in respect of such transmission activities. Customer authorizes the disclosure of Contact Personal Information to Channel Providers to the extent necessary to provide the Services. Where engageSPARK engages a Channel Provider in a capacity that goes beyond mere transmission and constitutes Processing on engageSPARK’s behalf, that engagement will be treated as a Subprocessor relationship under this Section 6.

7. Assistance

7.1 Taking into account the nature of the Processing and the information available to engageSPARK, engageSPARK will provide reasonable assistance to Customer in responding to Data Subject requests relating to Contact Personal Information.

7.2 If engageSPARK receives a Data Subject request relating to Contact Personal Information, engageSPARK will, to the extent legally permitted:

(a) notify Customer; and

(b) not respond except on Customer’s instructions or as required by law.

7.3 Taking into account the nature of the Processing and the information available to engageSPARK, and to the extent required by Applicable Data Protection Law, engageSPARK will provide reasonable assistance to Customer with:

(a) security of Processing;

(b) Personal Data Breach notifications;

(c) data protection impact assessments; and

(d) consultations with supervisory authorities.

7.4 Reasonable assistance provided in the ordinary course will be included in the Services. engageSPARK may charge reasonable fees for assistance that is excessive, unusual, repetitive, or materially beyond the ordinary scope of the Services, at engageSPARK’s then-current standard professional services rates, charged on a time-and-materials basis.

8. Personal Data Breach Notification

8.1 engageSPARK will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Contact Personal Information.

8.2 The notice will include, to the extent available:

(a) the nature of the Personal Data Breach;

(b) the categories and approximate number of affected Data Subjects and records, where known;

(c) the likely consequences, where known;

(d) the measures taken or proposed to address the breach; and

(e) a contact point for follow-up.

8.3 engageSPARK may provide information in phases as it becomes available.

9. Deletion and Return

9.1 During the term of the Agreement, Customer may access and export Contact Personal Information using the functionality of the Services, if and as made available in the Services.

9.2 Customer is responsible for exporting Contact Personal Information using the functionality of the Services prior to closure or termination of its account. Following closure or termination, engageSPARK has no obligation to retain Contact Personal Information or provide additional export windows beyond what the Services make available, except as expressly agreed in writing or required by law.

9.3 Upon Customer’s deletion of Contact Personal Information through the Services, or upon closure or termination of Customer’s account, engageSPARK will delete Contact Personal Information held within the Services in accordance with its standard deletion processes, subject to Sections 9.4 through 9.7.

9.4 Deletion of Contact Personal Information held within the Services. engageSPARK’s standard deletion process for Contact Personal Information held within the production environment of the Services includes: (a) deletion or removal of active Contact Personal Information from Services databases upon Customer deletion action or account closure; (b) a soft-delete period of seven (7) days; (c) deletion from backups or backup rotation within thirty (30) days after the soft-delete period; and (d) deletion from technical logs within thirty (30) days of a Customer deletion action or account closure.

9.5 Contact Personal Information shared outside the Services. Customer acknowledges that Contact Personal Information may be shared with or received by engageSPARK outside the production environment of the Services in the course of the parties’ relationship, including in support tickets, email correspondence, chat messages, screenshots, file attachments, call recordings, meeting notes, and similar materials submitted to or generated by engageSPARK personnel (“Out-of-Service Materials”). Out-of-Service Materials are retained in accordance with engageSPARK’s standard support, communications, and recordkeeping practices, which include defined retention periods appropriate to the operational, security, troubleshooting, audit, and legal purposes for which they are held, and which provide for deletion of such materials when no longer needed for those purposes. Out-of-Service Materials are not subject to the deletion timelines in Section 9.4.

Customer should not submit Contact Personal Information to engageSPARK through out-of-band channels and should redact or anonymize Contact Personal Information in materials sent to engageSPARK. engageSPARK’s standard support practices do not require, and engageSPARK does not request, the submission of Contact Personal Information through out-of-band channels; where engageSPARK requires data to investigate an issue, it will use the Services or anonymized examples. Customer is responsible for any Contact Personal Information that Customer (or Customer’s personnel, agents, or contractors) submits to engageSPARK in Out-of-Service Materials.

engageSPARK has no obligation to search Out-of-Service Materials for Contact Personal Information or to delete Contact Personal Information from Out-of-Service Materials as part of its standard deletion processes. Where Customer requests that engageSPARK identify, search, locate, redact, or delete Contact Personal Information that Customer submitted in Out-of-Service Materials, engageSPARK will provide reasonable assistance subject to Customer’s payment of reasonable fees on a time-and-materials basis at engageSPARK’s then-current standard professional services rates. engageSPARK’s efforts under this paragraph will be on a reasonable-efforts basis using the search and review capabilities of its standard support and communications tooling, and engageSPARK does not warrant that all instances of Contact Personal Information in Out-of-Service Materials will be identified or removed. This Section 9.5 governs requests relating to Out-of-Service Materials notwithstanding any contrary implication of Section 7.

9.6 For data Processed by engageSPARK as an independent controller (including the categories listed in Section 2.3), engageSPARK’s retention practices are described in engageSPARK’s Privacy Policy, available at https://www.engagespark.com/privacy-policy/, and are not governed by this DPA.

9.7 Upon Customer’s written request, engageSPARK will confirm deletion of Contact Personal Information held within the Services, except to the extent engageSPARK is permitted or required to retain such information under applicable law. Confirmation of deletion does not extend to Out-of-Service Materials, which are governed by Section 9.5.

10. Compliance Information and Audit

10.1 engageSPARK will, no more than once per twelve (12) month period and subject to reasonable advance written notice, make available to Customer information reasonably necessary to demonstrate compliance with this DPA from documentation and records then maintained by engageSPARK in the ordinary course of its business. engageSPARK is not required to create new materials (including completing questionnaires, templates, or forms) except as separately agreed in writing, and any such work will be billable at engageSPARK’s then-current standard professional services rates on a time-and-materials basis. engageSPARK may charge reasonable fees for compliance information requests that are excessive, repetitive, or that go materially beyond the ordinary scope of such reviews.

10.2 engageSPARK may satisfy this obligation by providing, as appropriate:

(a) summaries or descriptions of relevant security documentation, policies, and controls;

(b) information regarding Subprocessors; and

(c) other reasonably requested compliance documentation, subject to confidentiality and security restrictions.

10.3 On-site audits are not included under this DPA unless separately agreed in writing or required by mandatory law.

10.4 Customer will keep confidential all information received under this Section and use it only to assess engageSPARK’s compliance with this DPA.

11. International Transfers

11.1 Customer acknowledges that engageSPARK is a United States company, that service data is hosted in Germany, and that Contact Personal Information may be accessed or processed internationally by authorized personnel and Subprocessors as necessary to provide the Services.

11.2 To the extent required by Applicable Data Protection Law, Restricted Transfers of Contact Personal Information will be governed by the applicable transfer mechanism set out in:

(a) Annex 4 for EU GDPR transfers;

(b) Annex 5 for UK GDPR transfers; and

(c) Annex 6 for Swiss FADP transfers.

11.3 engageSPARK will implement reasonable supplementary measures where required to support the relevant transfer mechanism.

12. Liability and Order of Precedence

12.1 The liability of each party under this DPA will be subject to the exclusions and limitations of liability set out in the Agreement.

12.2 In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to its subject matter.

12.3 Except as expressly modified by this DPA, the Agreement remains in full force and effect.

13. Term

13.1 This DPA remains in effect for as long as engageSPARK Processes Contact Personal Information on Customer’s behalf under the Agreement.

13.2 Termination or expiration of this DPA will not relieve either party of obligations that by their nature are intended to survive, including confidentiality, deletion, liability, transfer, and assistance obligations relating to Processing that occurred during the term. The survival provisions of this DPA apply in addition to those of the Agreement with respect to the subject matter of this DPA.

14. Amendments to this DPA

14.1 The general amendment provisions of the Agreement do not apply to this DPA. This DPA may only be amended in accordance with this Section 14.

14.2 Amendments without Customer consent. engageSPARK may amend this DPA by written notice to Customer where the amendment is (a) required to comply with Applicable Data Protection Law or a binding decision of a supervisory authority, or (b) limited to changes to the Security Measures in Annex 2 that maintain or improve the overall level of protection.

14.3 Amendments with notice and termination right. For other amendments, engageSPARK will provide Customer with at least thirty (30) days’ prior written notice. If Customer reasonably objects in writing, supported by specific written reasons, on data protection grounds and the parties cannot resolve the objection in good faith, Customer may terminate the Agreement in accordance with Section 6.7 or engageSPARK may terminate the Agreement upon written notice, and Customer will receive a prorated refund of prepaid fees attributable to the period after the effective date of termination.

14.4 Amendments apply prospectively only.

15. Governing Law

15.1 This DPA will be governed by the governing law and dispute resolution provisions set out in the Agreement, except to the extent Annex 4, Annex 5, or Annex 6 expressly require otherwise for the applicable transfer mechanism.

16. California Personal Information

16.1 This section applies to the extent that Contact Personal Information includes “personal information” of California residents within the meaning of the CCPA.

16.2 The parties acknowledge and agree that, with respect to Contact Personal Information, Customer is a “business” and engageSPARK is a “service provider” as those terms are defined under the CCPA.

16.3 engageSPARK certifies that it understands and will comply with the following restrictions. engageSPARK will not:

(a) sell or share Contact Personal Information;

(b) retain, use, or disclose Contact Personal Information for any purpose other than the specific business purpose of performing the Services for Customer, including for any commercial purpose other than performing those Services, or as otherwise permitted by the CCPA;

(c) retain, use, or disclose Contact Personal Information outside the direct business relationship between engageSPARK and Customer;

(d) combine Contact Personal Information with personal information that engageSPARK receives from or on behalf of any other person, or collects from its own interaction with consumers, except as permitted under the CCPA for service providers; or

(e) use or disclose “sensitive personal information” within Contact Personal Information (which may include, for example, precise geolocation data submitted by Contacts) for purposes other than those permitted for service providers under the CCPA.

16.4 engageSPARK will provide reasonable assistance to Customer in responding to verifiable consumer requests under the CCPA relating to Contact Personal Information, consistent with Section 7 of this DPA.

16.5 engageSPARK will notify Customer if engageSPARK determines that it can no longer meet its obligations under the CCPA with respect to Contact Personal Information. Upon receipt of such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Contact Personal Information.

Signatures

CUSTOMER

By: __________________________

Name: [INSERT NAME]

Title: [INSERT TITLE]

Date: [INSERT DATE]

ENGAGESPARK

By: __________________________

Name: [INSERT NAME]

Title: [INSERT TITLE]

Date: [INSERT DATE]

ANNEX 1

DETAILS OF PROCESSING

1. Parties

Controller / Customer

Name: [INSERT CUSTOMER LEGAL NAME]

Address: [INSERT CUSTOMER ADDRESS]

Contact: [INSERT CUSTOMER PRIVACY / LEGAL CONTACT]

Processor / engageSPARK

Name: engageSPARK, Inc.

Address: 16192 Coastal Highway, 19958 Lewes, DE, United States

Contact: privacy-requests@engagespark.com

Establishment: engageSPARK, Inc. maintains its principal European establishment in Portugal. engageSPARK is accordingly not required to designate a representative under Article 27 of the EU GDPR or Article 27 of the UK GDPR. Inquiries from supervisory authorities or Data Subjects in the European Union or United Kingdom relating to engageSPARK’s Processing of Contact Personal Information may be addressed to engageSPARK at privacy-requests@engagespark.com (or such other address as engageSPARK may publish on its website or in its Privacy Policy).

2. Subject Matter

engageSPARK provides a software-as-a-service platform and related support services for communications, engagement, data collection, surveys, messaging, campaign management, automation, and related workflows across one or more channels offered under the Services.

3. Duration

For the term of the Agreement and for any additional period during which engageSPARK Processes Contact Personal Information in accordance with the Agreement, this DPA, and engageSPARK’s deletion and backup retention schedules.

4. Nature and Purpose of Processing

engageSPARK Processes Contact Personal Information as necessary to:

(a) host, operate, secure, and maintain the Services;

(b) enable Customer to upload, download, store, organize, manage, send, receive, and analyze communications and campaign-related data;

(c) process contact records and associated custom fields provided by or on behalf of Customer;

(d) process messages, call records, survey responses, chatbot interactions, opt-in and opt-out events, delivery status information, and related metadata;

(e) provide customer support, troubleshooting, and technical assistance;

(f) monitor, prevent, and address abuse, fraud, security incidents, and unlawful use of the Services;

(g) perform backups, disaster recovery, logging, and system maintenance; and

(h) otherwise carry out Customer’s Documented Instructions consistent with the Agreement.

5. Categories of Data Subjects

As applicable to Customer’s use of the Services:

(a) Customer’s Contacts;

(b) Customer personnel, agents, and contractors, to the extent their information is included by Customer in support materials, campaign content, account configuration, or project records processed on Customer’s behalf.

6. Categories of Contact Personal Information

As applicable to Customer’s use of the Services:

(a) identifiers and contact information, such as phone numbers, names, email addresses, usernames, contact IDs, external IDs, and other contact details;

(b) demographic and profile information submitted by Customer or Contacts, such as age, gender, language preference, location, organization, segment, or custom fields;

(c) location data submitted by or about Contacts, including approximate and precise geolocation data where Contacts send location messages through channels that support them (for example, WhatsApp);

(d) communications content, such as SMS content, voice call content or recordings where enabled, WhatsApp or other messaging content, chatbot messages, survey questions and answers, and support materials submitted by Customer or Contacts;

(e) interaction and campaign metadata, such as message status, delivery events, timestamps, opt-in / opt-out records, call duration, survey progress, channel information, routing information, and campaign identifiers;

(f) technical and device-related information associated with Customer’s use of the Services, such as IP address, device type, browser type, and log information, to the extent processed on Customer’s behalf; and

(g) any other personal data submitted by Customer or Contacts to the Services or otherwise instructed by Customer for Processing.

7. Frequency of Processing / Transfers

Continuous, as initiated by Customer through its use of the Services or by Contacts who submit Contact Personal Information to the Services.

8. Storage Location / Operational Context

Hosting region for service data: Germany.

engageSPARK personnel and Subprocessors may access or process Contact Personal Information internationally as necessary to provide the Services and in accordance with this DPA and the applicable transfer mechanism.

ANNEX 2

SECURITY MEASURES

engageSPARK maintains technical and organizational measures designed to protect Contact Personal Information, including the following:

1. Governance and Access

1.1 engageSPARK applies the principles of least-privilege access, infrastructure standardization, and periodic review of access rights, accounts, and unused systems.

1.2 Access to Contact Personal Information is limited to personnel who require access to provide, support, secure, or maintain the Services.

1.3 Personnel authorized to access Contact Personal Information are subject to confidentiality obligations.

1.4 Administrative access is restricted and controlled through internal approval processes.

1.5 Personnel with access to Contact Personal Information complete data protection and security awareness training appropriate to their role on a periodic basis.

2. Infrastructure and Network Security

2.1 Core services are hosted using Google Cloud infrastructure and managed services, including Kubernetes-based workloads and PostgreSQL database services.

2.2 Platform services are hosted within a virtual private cloud environment with defined traffic rules.

2.3 Voice infrastructure is hosted on Google Cloud and Hetzner and is segregated from the main application environment. Voice servers do not have network access to the database and are protected through firewall restrictions.

2.4 The database is not accessible from the public internet.

3. Encryption

3.1 Data is encrypted at rest on workstations, in cloud environments, and in the database.

3.2 HTTP traffic into and out of the Services is encrypted using TLS.

3.3 Voice traffic is encrypted where supported by the relevant Channel Provider.

4. Vulnerability Management and Patching

4.1 Systems are updated at least weekly, and containerized workloads are updated with deployments.

4.2 Source code dependencies are monitored and scanned for vulnerabilities using automated tooling.

4.3 Containers and cloud environments are scanned for vulnerabilities using cloud-native security tooling.

4.4 Externally accessible systems are subject to external vulnerability scanning on a periodic basis and more frequently for newly disclosed vulnerabilities, as appropriate.

4.5 Anti-malware protections are used on Windows workstations.

5. Identity and Authentication Controls

5.1 Passwords are randomly generated, not reused, and stored in a centralized password manager.

5.2 Multi-factor authentication is used where supported for internal systems and tools.

5.3 Strong authentication protections, including hardware keys where implemented, are used for certain internal management tools.

5.4 Access is audit-logged where applicable.

6. Secure Development and Change Management

6.1 Source code is maintained in version control.

6.2 Infrastructure configuration is managed using infrastructure-as-code and configuration management tooling.

6.3 Changes are generally reviewed before deployment, subject to limited exceptions for urgent or low-risk changes.

6.4 A separate staging environment is used to test updates before production deployment.

7. Monitoring, Incident Response, and Recovery

7.1 engageSPARK maintains logging and monitoring practices appropriate for security, troubleshooting, and operational integrity.

7.2 engageSPARK maintains procedures for identifying, responding to, and remediating security incidents and Personal Data Breaches.

7.3 Backup and recovery processes are maintained, including soft-delete and backup retention processes described in this DPA.

8. Data Handling Controls

8.1 Internal practices emphasize avoiding unnecessary access to Contact Personal Information, minimizing collection and retention, and deleting data when no longer needed.

8.2 Contact Personal Information is intended to be stored by default in the application database, with limited temporary exceptions for approved workflows.

8.3 Sensitive data is not intended to remain on local workstations except when temporarily necessary for a specific task, after which it must be removed promptly.

8.4 Sensitive data is not intended to be stored in code repositories or unapproved communication channels.

9. Resilience and Continuity

9.1 engageSPARK maintains backup, recovery, and continuity processes designed to restore availability of and access to Contact Personal Information in the event of a physical or technical incident.

9.2 Recovery processes are tested on a periodic basis.

ANNEX 3

AUTHORIZED SUBPROCESSORS

See list of subprocessors at https://www.engagespark.com/legal/subprocessors

Note: Channel Providers are not Subprocessors of engageSPARK. See Section 6.8 of this DPA.

ANNEX 4

EU TRANSFER TERMS

This Annex 4 applies only to the extent that Contact Personal Information is subject to the EU GDPR and a Restricted Transfer occurs.

1. Transfer Mechanism

1.1 The parties agree that the European Commission’s standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 (“EU SCCs”) are incorporated by reference into this DPA as follows:

(a) Module Two (Controller to Processor) applies to transfers from Customer to engageSPARK, where applicable.

(b) Module Three (Processor to Processor) applies to onward transfers from engageSPARK to Subprocessors, where applicable.

1.2 The optional docking clause shall NOT APPLY.

1.3 In Clause 17 of the EU SCCs, the governing law shall be the law of Portugal.

1.4 In Clause 18(b) of the EU SCCs, the courts shall be those of Porto, Portugal.

1.5 In Clause 13, where the data exporter is established in an EEA Member State, the supervisory authority of that Member State shall act as competent authority; where the data exporter is not established in the EEA but the EU GDPR applies to the data exporter under Article 3(2), and the data exporter has appointed an Article 27 representative, the supervisory authority of the Member State in which the representative is established; in any other case, the Comissão Nacional de Proteção de Dados (CNPD) of Portugal.

2. SCC Appendices

2.1 Annex I of the EU SCCs is populated by this DPA and Annex 1.

2.2 Annex II of the EU SCCs is populated by Annex 2.

2.3 Annex III of the EU SCCs is populated by Annex 3.

3. Conflict

If there is any conflict between this DPA and the EU SCCs, the EU SCCs will prevail to the extent of that conflict for the relevant Restricted Transfer.

4. Supplementary Measures

engageSPARK will implement reasonable supplementary technical, contractual, and organizational measures where required to support the lawfulness of the relevant Restricted Transfer.

ANNEX 5

UK TRANSFER TERMS

This Annex 5 applies only to the extent that Contact Personal Information is subject to the UK GDPR and a Restricted Transfer occurs.

1. Transfer Mechanism

1.1 The parties agree that the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office (the “UK Addendum”) shall apply to the EU SCCs incorporated under Annex 4, to the extent required for the relevant Restricted Transfer.

1.2 The parties intend that the required tables of the UK Addendum shall be completed using:

(a) the party details in this DPA;

(b) the processing details in Annex 1;

(c) the Security Measures in Annex 2;

(d) the Subprocessor information in Annex 3; and

(e) the EU SCC selections in Annex 4.

1.3 The parties may execute the UK Addendum in a separate signature page or attachment if requested by Customer.

2. UK Addendum Table Placeholders

Table 1 – Parties

Exporter: [INSERT CUSTOMER / UK EXPORTER DETAILS]

Importer: engageSPARK, Inc., 16192 Coastal Highway, 19958 Lewes, DE, United States

Table 2 – Selected SCCs

Relevant SCC modules: Module Two (Controller to Processor) and, where applicable, Module Three (Processor to Processor), as selected in Annex 4.

Table 3 – Appendix Information

Appendix information source: Annexes 1–3 of this DPA

Table 4 – Ending the Addendum when the approved Addendum changes

Selection: Importer only (i.e., engageSPARK).

3. Conflict

If there is any conflict between this DPA and the UK Addendum, the UK Addendum will prevail to the extent of that conflict for the relevant Restricted Transfer.

4. Supplementary Measures

engageSPARK will implement reasonable supplementary technical, contractual, and organizational measures where required to support the lawfulness of the relevant Restricted Transfer.

ANNEX 6

SWISS TRANSFER TERMS

This Annex 6 applies only to the extent that Contact Personal Information is subject to the Swiss Federal Act on Data Protection (“Swiss FADP”) and a Restricted Transfer occurs.

1. Transfer Mechanism

1.1 The parties agree that the EU SCCs incorporated under Annex 4 shall apply to Restricted Transfers subject to the Swiss FADP, subject to the modifications set out in this Annex 6 required to make the EU SCCs effective for transfers of personal data under the Swiss FADP.

1.2 The modifications referenced in Section 1.1 are made in accordance with guidance issued by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and include the following:

(a) References to “Regulation (EU) 2016/679” or “EU GDPR” in the EU SCCs shall be interpreted as references to the Swiss FADP, to the extent the transfer is subject to the Swiss FADP.

(b) References to specific provisions of the EU GDPR shall be interpreted as references to the equivalent provisions of the Swiss FADP.

(c) References to “EU,” “Union,” “Member State,” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, to the extent the transfer is subject to the Swiss FADP.

(d) The competent supervisory authority under Clause 13 of the EU SCCs shall be the FDPIC, to the extent the transfer is subject to the Swiss FADP.

(e) The governing law under Clause 17 of the EU SCCs shall be Swiss law, to the extent the transfer is subject to the Swiss FADP.

(f) The competent courts under Clause 18(b) of the EU SCCs shall be the courts of Switzerland, to the extent the transfer is subject to the Swiss FADP.

(g) The EU SCCs shall also protect personal data of legal entities to the extent the Swiss FADP applies to such data.

1.3 Where a transfer is subject to both the EU GDPR and the Swiss FADP, the EU SCCs apply as set out in Annex 4 with respect to the EU GDPR, and as modified by this Annex 6 with respect to the Swiss FADP.

2. SCC Appendices

2.1 Annex I of the EU SCCs is populated by this DPA and Annex 1.

2.2 Annex II of the EU SCCs is populated by Annex 2.

2.3 Annex III of the EU SCCs is populated by Annex 3.

3. Conflict

If there is any conflict between this DPA and the EU SCCs, the EU SCCs will prevail to the extent of that conflict for the relevant Restricted Transfer.

4. Supplementary Measures

engageSPARK will implement reasonable supplementary technical, contractual, and organizational measures where required to support the lawfulness of the relevant Restricted Transfer.