Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions, which represent the contract between SmartReach AI LLC and the Client in relation to the provision of services through the Website (the "Agreement"). It reflects the parties' agreement regarding the processing of personal data.

In the execution of the Agreement, SmartReach AI LLC processes personal data in the name and on behalf of the Client, according to the Client's requirements provided by this DPA. Under this DPA, the Client acts as the controller, and SmartReach AI LLC acts as the processor.

SmartReach AI LLC and the Client are collectively referred to as the "Parties".

Section I — General Disposition

Clause 1. Purpose and Scope

(a) The controller and processor have agreed to this DPA in order to ensure compliance with the applicable laws.

(b) This DPA applies to the processing of personal data as specified in ANNEX I.

(c) Annexes I–III are an integral part of this DPA.

(d) This DPA is without prejudice to obligations to which the controller is subject by virtue of the applicable laws.

Clause 2. Invariability of the Clauses

(a) The Parties undertake not to modify this DPA, except for adding or updating information in the Annexes.

(b) This does not prevent the Parties from including these clauses in a broader contract or adding other safeguards that do not contradict the DPA. The processor may amend this DPA from time to time by posting a revised version on its website. For material amendments, the processor will inform the controller 10 days before the effective date. If the controller does not notify the processor of non-acceptance, the controller will be deemed to have accepted the revised DPA. Non-acceptance results in termination of the Agreement at the latest on the date of entry into force of the amendments.

Clause 3. Interpretation

(a) Terms defined in this DPA have the same meaning as in the applicable laws or the Agreement.

(b) This DPA shall be read and interpreted in light of the provisions of the applicable laws.

(c) This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided in the applicable laws or prejudices the fundamental rights or freedoms of data subjects.

Clause 4. Hierarchy

Except as set out in Clause 2, in the event of a contradiction between this DPA and related agreements between the Parties, this DPA shall prevail.

For clarity, there is no contradiction between this DPA and the Agreement where the Agreement grants SmartReach AI LLC rights in Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, or other non-identifying materials that are outside the scope of Personal Data processed by SmartReach AI LLC as processor on behalf of Client.

Section II — Obligations of the Parties

Clause 5. Description of Processing(s)

(a) The details of the processing operations — categories of personal data and purposes of processing — are specified in ANNEX I.

(b) Any other processing activities not specified in ANNEX I are carried out by the Processor as controller and do not fall under this Agreement; the Processor is directly responsible for the lawfulness of such activities.

(c) The Parties acknowledge that this DPA applies only to the processing of Personal Data by SmartReach AI LLC as processor on behalf of Client.

(d) This DPA does not apply to Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, or other non-identifying materials created by SmartReach AI LLC from or in connection with the Services, provided such materials do not identify Client, any User, any Recipient, or any individual person.

Such non-identifying materials consist of SmartReach-created categories, labels, metadata, and outcome intelligence, and do not include raw personal data, raw client data, or raw third-party vendor records.

(e) SmartReach AI LLC may process, retain, use, license, commercialize, disclose, distribute, and otherwise exploit Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, and other non-identifying materials as an independent controller, owner, or rights holder, as applicable, in accordance with the Agreement.

Clause 6. Obligations of the Parties

6.1. Instruction. (a) The processor shall process personal data only on documented instructions from the controller, unless required by law (in which case the processor shall inform the controller before processing, unless prohibited by law). Subsequent instructions shall always be documented. (b) The controller is responsible for determining applicable legal grounds and informing data subjects, including collecting consent where necessary. (c) The processor shall immediately inform the controller if instructions infringe applicable laws; if the Parties disagree on legality, they shall promptly discuss and find a compliant alternative.

6.1.1. The instruction requirement in this Clause applies only to Personal Data processed by SmartReach AI LLC as processor on behalf of Client. It does not apply to SmartReach AI LLC’s creation, retention, use, licensing, commercialization, disclosure, distribution, or other exploitation of Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, or other non-identifying materials, provided such materials do not identify Client, any User, any Recipient, or any individual person.

6.2. Purpose limitation. The processor shall process the personal data only for the specific purpose(s) set out in ANNEX I, unless it receives further instructions from the controller.

6.2.1. For clarity, the purpose limitation in this Clause applies only to Personal Data processed by SmartReach AI LLC as processor on behalf of Client. It does not restrict SmartReach AI LLC’s rights to create, retain, use, license, commercialize, disclose, distribute, or otherwise exploit Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, or other non-identifying materials as permitted under the Agreement.

6.3. Duration. Processing by the processor shall only take place for the duration specified in ANNEX I.

6.4. Security of processing. (a) The processor shall implement the technical and organizational measures specified in ANNEX II to ensure the security of personal data, taking into account the state of the art, costs, nature, scope, context and purposes of processing, and risks to data subjects. (b) The processor shall grant access only to personnel strictly necessary for the agreement, and shall ensure authorized persons are bound by confidentiality.

6.5. Sensitive data. If processing involves special categories of personal data, the processor shall apply specific restrictions and/or additional safeguards.

6.6. Documentation and compliance. (a) The Parties shall be able to demonstrate compliance with this DPA. (b) The processor shall promptly deal with the controller's inquiries. (c) The processor shall make available information necessary to demonstrate compliance and permit audits at reasonable intervals or where there are indications of non-compliance. (d) The controller may conduct the audit itself or mandate an independent auditor (covering all audit costs). Audits may include inspections at processor premises with reasonable notice. (e) Information and audit results shall be made available to the competent supervisory authority on request.

6.7. Use of sub-processors. (a) General written authorisation: The processor has the controller's general authorization to engage sub-processors from an agreed list. The processor shall inform the controller in writing of intended changes to the list at least 10 days in advance, giving the controller time to object. The list authorized at the date of concluding this DPA is in ANNEX III. (b) Where a sub-processor is engaged, the processor shall impose on the sub-processor, in substance, at least the same data protection obligations as those imposed on the processor. (c) The processor shall provide a copy of any sub-processor agreement on request (potentially redacted to protect business secrets). (d) The processor remains fully responsible to the controller for the sub-processor's performance and shall notify the controller of any failure to fulfil contractual obligations. (e) The processor shall agree a third-party beneficiary clause whereby — if the processor disappears, ceases to exist or becomes insolvent — the controller may terminate the sub-processor contract and instruct erasure or return of personal data.

6.8. International transfer. (a) Any transfer of data to a third country or international organization shall be done only on documented instructions from the controller or to fulfil a specific legal requirement, and shall comply with the applicable laws. (b) The Parties agree that this DPA is complemented by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated by reference, applied as follows:

• Module 2 (Controller to Processor) applies.
• The controller is the "data exporter"; the processor is the "data importer".
• Clause 7 (Docking clause) shall not apply.
• Clause 9 (Use of sub-processors) — general written authorization (option 2) shall apply with at least 10 days' notification.
• Clause 11 (Redress) — option (a) shall not apply.
• Clause 13 (Supervision) — point (a) shall apply according to controller's situation.
• Clause 17 (Governing law) — option 1 applies; the SCCs are governed by the law of Ireland.
• Clause 18 (Choice of forum and jurisdiction) — point (b) applies; courts of Ireland.
• Annex I, II, III of the SCCs are deemed completed with Annex I, II, III of this DPA respectively.

In the event of contradiction between this DPA and the SCCs, the SCCs prevail.

(c) Where the processor engages a sub-processor for processing activities that involve a transfer of personal data, the processor and sub-processor may ensure compliance by using standard contractual clauses adopted by competent authorities.

(d) The international transfer restrictions in this Clause apply only to Personal Data processed by SmartReach AI LLC as processor on behalf of Client. They do not apply to Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, or other non-identifying materials that do not identify Client, any User, any Recipient, or any individual person.

Clause 7. Assistance of the Controller

(a) The processor shall promptly forward to the controller any request received from a data subject and shall not respond itself unless authorized.

(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects' requests, taking into account the nature of the processing, and shall comply with the controller's instructions.

(c) The processor shall also assist the controller in ensuring compliance with: (i) data protection impact assessments; (ii) prior consultation with the supervisory authority; (iii) ensuring data accuracy and informing the controller without delay if data is inaccurate or outdated; (iv) data security obligations under applicable laws.

(d) The Parties shall set out in ANNEX II the appropriate measures by which the processor assists the controller, and the scope of assistance required.

Clause 8. Notification of Personal Data Breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller in complying with its obligations.

8.1. Breach concerning data processed by the controller. The processor shall assist the controller in: (a) notifying the competent supervisory authority without undue delay (unless the breach is unlikely to result in a risk); (b) obtaining required information including the nature of the breach, categories and approximate numbers of data subjects/records, likely consequences, and measures taken or proposed; (c) communicating without undue delay to data subjects when the breach is likely to result in high risk.

8.2. Breach concerning data processed by the processor. The processor shall notify the controller without undue delay, with at least: (i) a description of the nature of the breach; (ii) the contact point for more information; (iii) likely consequences and measures taken or proposed.

Section III — Final Provision

Clause 9. Non-Compliance with the DPA and Termination

(a) If the processor is in breach of its obligations, the controller may instruct the processor to suspend processing until compliance is restored or the agreement is terminated. The processor shall promptly inform the controller if unable to comply.

(b) The controller is entitled to terminate the agreement insofar as it concerns processing under this DPA if: (i) processing has been suspended and compliance is not restored within one month; (ii) the processor is in substantial or persistent breach of this DPA or applicable laws; or (iii) the processor fails to comply with a binding decision of a competent court or supervisory authority.

(c) Where the controller insists on compliance with instructions the processor has flagged as infringing, and the Parties cannot identify a compliant solution, the processor is entitled to terminate the agreement insofar as it concerns processing under this DPA.

(d) Following termination, the processor shall — at the controller's choice — delete or return all personal data and certify deletion, unless law requires storage. Until deletion or return, the processor shall continue to ensure compliance with this DPA.

For clarity, deletion or return of Personal Data shall not require SmartReach AI LLC to delete Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, benchmarks, labels, classifications, taxonomies, model training datasets, or other non-identifying materials that do not identify Client, any User, any Recipient, or any individual person.

Clause 10. Governing Law and Choice of Jurisdiction

(a) The Parties agree to submit to the jurisdiction of and cooperate with the competent supervisory authority aimed at ensuring compliance with this DPA.

(b) The laws of the State of Wyoming, USA govern this DPA. Any dispute arising from this DPA — including disputes concerning its existence, validity, termination or consequences of annulment — shall be within the jurisdiction of the competent courts of the State of Wyoming, USA.

Annex I — Processing Description

Contact points:

• For controller — the contact details used for the user account.
• For processor — Data Protection Officer: privacy@ssc-digital.com.

Object of the processing: provision of the services provided in the Agreement between the Parties.

Nature of processing: collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, restriction, combination, erasure.

Purposes by subscription:

• Smart Data — market research and custom audience building.
• Smart Link — custom audience building and messaging.
• Smart Signal — market research and custom audience building.
• Smart Reach — market research and custom audience building, emailing and messaging, monitoring campaigns and data analytics.

Duration of the processing: throughout the performance of the Agreement between the Parties.

Categories of personal data processed:

Non-personal, aggregated, de-identified, or derived materials may include:

• Company industry
• Target title
• Target industry
• Employee count band
• Country
• Signal category
• Outreach channel
• Offer category
• Hook category
• CTA category
• Send day
• Send hour
• Reply status
• Reply sentiment category
• Booked meeting status
• Booking velocity
• Attendance outcome
• Labels
• Benchmarks
• Taxonomies
• Conversion patterns
• Statistical summaries
• Model training datasets

Such materials are not intended to include direct personal identifiers such as names, email addresses, phone numbers, LinkedIn profile URLs, or other direct identifiers.

Such materials consist of SmartReach-created categories, labels, metadata, and outcome intelligence, and do not include raw personal data, raw client data, or raw third-party vendor records.

Additional Purpose for Non-Identifying Materials

The Parties agree to submit to the jurisdiction of the supervisory authority in the country/state/territory in which the data subject has habitual residence.

Categories of data subjects:

For all subscriptions, SmartReach AI LLC may create Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, labels, classifications, benchmarks, taxonomies, model training datasets, and other non-identifying materials from or in connection with the Services, provided such materials do not identify Client, any User, any Recipient, or any individual person.

Such materials may be used as described in the Agreement, including for analytics, benchmarking, product development, artificial intelligence training, machine learning training, model evaluation, model fine-tuning, dataset creation, data licensing, and commercial data products.

Such materials consist of SmartReach-created categories, labels, metadata, and outcome intelligence, and do not include raw personal data, raw client data, or raw third-party vendor records.

Annex II — Physical, Technical and Organizational Measures

This annex describes the measures implemented by the processor to ensure an appropriate level of security of personal data.

Designation of personnel

• Designate a representative in the European Union, addressable by supervisory authorities and data subjects on issues related to GDPR processing.
• Designate a data protection officer to advise, monitor compliance, assist with DPIAs, cooperate with the supervisory authority, and act as contact point.
• Designate an IT security officer (or equivalent) to ensure development, implementation and monitoring of technical measures.

Data protection and IT security governance

• Define data protection principles and inform all relevant staff.
• Implement a process for verifying accuracy, completeness and currency of personal data, and allow rectification or destruction.
• Maintain a register of personal data processing activities.
• Document categories of information, storage limitations, retention requirements, safeguards, and rules for erasure/anonymization.
• Implement a process to address data subjects' requests.
• Embed data protection by design and by default.
• Maintain an inventory of all systems storing or processing personal data.
• Implement procedures for password creation, management, periodic updates and security.

De-Identification and External Dataset Controls

Where SmartReach AI LLC creates Aggregated Data, De-Identified Data, Derived Data, anonymized data, model training datasets, or other non-identifying materials for external licensing, benchmarking, analytics, artificial intelligence training, machine learning training, model evaluation, or commercial data products, SmartReach AI LLC will use commercially reasonable measures designed to reduce the risk that such materials identify Client, any User, any Recipient, or any individual person.

Such measures may include, as appropriate:

• Removing direct personal identifiers
• Removing names
• Removing email addresses
• Removing phone numbers
• Removing LinkedIn profile URLs
• Removing company names where needed
• Removing client names
• Removing raw replies
• Removing exact client-specific campaign copy
• Generalizing industries
• Using employee count bands
• Using country-level geography instead of city-level geography
• Using categorized signal types
• Using categorized offer types
• Using categorized CTA types
• Using send day and hour instead of full timestamps
• Using sentiment categories instead of raw message text
• Using outcome labels instead of identifiable event records

Physical measures

• Implement environmental controls in server rooms / data centers (air conditioning, temperature & humidity monitoring, fire alarm, etc.).

Staff access

• Limit and manage staff access to personal data on a strict need-to-know basis (least privilege).
• Revoke staff access when no longer necessary (termination, role change, etc.).
• Bind staff to secrecy and confidentiality concerning their tasks.
• Sign contracts with staff who access personal data stating the duty to comply with applicable policies and procedures.

Training

• Involve the ISO and/or DPO in preparing training materials.
• Conduct periodic training and awareness sessions on information security and personal data processing.
• Check staff knowledge after training sessions.

Access controls

• Formally approve and change access based on a clearly identified set of authorizations.
• Restrict access based on unique usernames and passwords.
• Control and record the addition and removal of users from systems and applications.

Encryption

• Encrypt data during storage to ensure a high level of security against unauthorized access.

Event logging and backups

• Perform regular data backups and ensure recovery as part of default procedures.
• Use database back-up systems that create, restore and maintain exact copies of personal data.
• Ensure that all system data is automatically backed up on a regular basis.
• Protect backups via physical security or encryption, both during storage and in transit.

Vulnerability and patches

• Periodically evaluate the implemented technical mechanisms' effectiveness and address vulnerabilities promptly.
• Keep systems and software applications up to date and promptly install available security patches.

Handling data breaches

• Document the process for identifying and handling data breaches.
• Maintain an updated security incident record (description, consequences, mitigation, remedial measures).
• Ensure dedicated staff such as the DPO and ISO are directly involved in breach assessment.
• Train staff to identify and manage data breaches, understand their obligations, and escalate appropriately.

Annex III — Authorized Sub-Processors

Sub-Processor ScopeThe sub-processors listed in this Annex may process Personal Data only as necessary to support the Services described in the Agreement and this DPA.

SmartReach AI LLC shall not include raw personal data obtained from sub-processors in externally licensed datasets unless permitted by applicable law, the Agreement, this DPA, and any applicable third-party terms.

For external data licensing, SmartReach AI LLC should use only Aggregated Data, De-Identified Data, Derived Data, anonymized data, statistical data, labels, benchmarks, taxonomies, model training datasets, or other non-identifying materials that do not identify Client, any User, any Recipient, or any individual person.

The following entities are authorized to carry out processing activities as sub-processors: