This Data Processing Addendum (“DPA”) sets forth the obligations of the Parties with respect to the Processing and security of Customer Personal Data (defined below) and is entered into by and between Supply Veins, Inc. (“Supply Veins”) and Customer and forms a part of the Terms and Conditions and any other written agreement(s) between the Parties pursuant to which Supply Veins Processes Customer Personal Data on behalf of Customer, together with any schedules, SOWs and other attachments thereto (collectively, the “Agreement”). Supply Veins and Customer are each a “Party” and, collectively, the “Parties.”
Supply Veins provides to Customer access to a platform and its related Software and services (“Services”), pursuant to the Agreement between the Parties. The Parties agree as follows:
1. Definitions
1.1. The definitions set forth below will apply to this DPA.
(a) “Controller” means the entity that alone or jointly with others determines the purposes and means of Processing of Personal Data.
(b) “Customer Personal Data” means any Personal Data relating to an identified or identifiable natural person that is Processed by Supply Veins or a Subprocessor in performing the Services.
(c) “Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed; it does not include unsuccessful access attempts or similar activities that do not compromise the security of Customer Personal Data.
(d) “Data Protection Laws” means the applicable local, national or international laws, rules and regulations governing privacy, data protection or the Processing of Personal Data.
(e) “Data Subject” means the individual about whom Personal Data relates.
(f) “Personal Data” means information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, as well as other information defined as “personal data” or “personal information” under applicable Data Protection Laws.
(g) “Process,” “Processing” or “Processed” includes any operation which is performed on Personal Data, including and not limited to, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(h) “Processor” means an entity that Processes Personal Data on behalf of the Controller.
(i) “Subprocessor” means any person or third party, including Subcontractors, engaged by Supply Veins to Process Customer Personal Data.
(j) “Supervisory Authority” means a data protection or other regulatory body or public agency with the jurisdiction to enforce the applicable Data Protection Laws.
1.2. Any capitalized terms used but not otherwise defined in this DPA will have the meanings ascribed to them in the Terms and Conditions.
2. Processing of Personal Data
2.1. The Parties will comply with their respective obligations under the applicable Data Protection Laws.
2.2. The Parties agree that Supply Veins is a Processor and Customer is a Controller. The Parties agree and intend that if applicable, Supply Veins is a “service provider” as defined under the California Consumer Privacy Act.
2.3. The subject matter of the Processing, and the nature and purpose of the Processing, of Personal Data is the performance of the Services pursuant to the Agreement for the duration of the Agreement. The types of Personal Data Processed are names, email addresses, mailing addresses, company information, and other Customer Personal Data provided by Customer and its Users. The categories of Data Subjects whose Personal Data are Processed hereunder are Users and Customer’s employees, personnel, agents, vendors, and other subcontractors.
2.4. Supply Veins will Process Customer Personal Data only on Customer’s documented instructions as set forth in this DPA and to the extent reasonably necessary to: (i) perform the requested Services; (ii) otherwise comply with the documented instructions of Customer; and (iii) to the extent otherwise necessary for Supply Veins’ compliance with applicable laws (including Data Protection Laws). Supply Veins will promptly notify Company if Supply Veins believes that Customer’s instructions would violate Data Protection Laws.
2.5. Supply Veins certifies that it is prohibited from: (a) selling Customer Personal Data or sharing Customer Personal Data for cross-context behavioral advertising; (b) combining Customer Personal Data with information received from any other source except as permitted by Data Protection Laws and the Agreement; or (c) collecting, retaining, using, disclosing, or otherwise Processing Customer Personal Data for a commercial purpose other than performing the Services pursuant to the Agreement and as permitted in the Agreement.
2.6. Between Supply Veins and Customer, Customer owns the Customer Personal Data. Customer will ensure that all required notices are provided to and all required consents obtained from Data Subjects related to the Processing of their Personal Data pursuant to the Services. Supply Veins may maintain Aggregate Data as part of its own information or data, and such data is not subject to this DPA.
3. Subprocessors
3.1. Customer instructs Supply Veins and authorizes Supply Veins to instruct each approved Subprocessor to Process Customer Personal Data in order to provide the Services, including: (i) to perform Supply Veins’ obligations under the Agreement, (ii) to carry out related requests by Customer (including regarding Customer’s account settings and actions requested or initiated via the Services), (iii) in response to customer service and support requests, and (iv) to perform any related technical support and as otherwise set forth in the Agreement, this DPA or other documented instructions of Customer.
3.2. Customer generally consents to Supply Veins’ engagement of Subprocessors. Supply Veins may engage any Supply Veins affiliate as a Subprocessor, may continue to use those other Subprocessors currently in use as of the date of this DPA, and may engage other third parties and Subprocessors as needed to provide Services. Supply Veins will exercise appropriate care in appointing and overseeing authorized Subprocessors.
4. Confidentiality and Security
4.1. Supply Veins will take appropriate steps to ensure the reliability of any employee, agent, contractor or any other personnel who may have access to the Personal Data, ensuring that such individuals are subject to confidentiality obligations.
4.2. Supply Veins will implement and maintain appropriate technical and organizational measures that are designed to provide a level of security appropriate to the risks presented by the Processing of the Customer Personal Data, in particular from a Data Breach, and meet the requirements set forth in this DPA and by Data Protection Laws applicable to Supply Veins.
4.3. Supply Veins will notify Customer without undue delay upon Supply Veins becoming aware of a Data Breach of Customer Personal Data, and such notice will at a minimum include, as available, information so that Customer can meet its obligations to report a Data Breach under the applicable Data Protection Laws. Supply Veins will promptly investigate and take commercially reasonable steps to remediate the effects of the Data Breach, to the extent caused by Supply Veins or its Subprocessors.
5. Assistance to Customer
5.1. Supply Veins will promptly notify Customer if Supply Veins receives a request from a Data Subject, Supervisory Authority, or other third party regarding Customer Personal Data unless prohibited by applicable laws. Supply Veins will, taking into account the nature of the Processing and information available to Supply Veins, provide Customer with reasonable assistance as necessary to Customer’s fulfilment of its obligations to respond to Data Subject requests, complete any privacy impact assessments or engage in any prior consultation with or notification of Supervisory Authorities, to the extent required by applicable Data Protection Laws.
6. Audit Rights
6.1. Upon Customer’s reasonable request and to the extent required by applicable Data Protection Laws, Supply Veins will make available to Customer information necessary to demonstrate Supply Veins’ compliance with this DPA.
6.2. Customer will allow for and contribute to audits regarding the Processing of Customer Personal Data by Supply Veins, including inspections conducted by a qualified, independent third-party auditor, at the cost of Customer and approved by Supply Veins. Customer will give Supply Veins reasonable notice of any such audit or inspection to be conducted under this Section. Except as otherwise required by applicable law or a relevant Supervisory Authority, any audit or inspection will be conducted within normal business hours, no more than once in any calendar year.
7. Cross-border Transfers
7.1. Customer consents to the Processing and transfer of Customer Personal Data outside the jurisdiction in which it was collected. Customer acknowledges that as Supply Veins is located in the United States, Customer Personal Data will be Processed in the United States and other jurisdictions where Supply Veins, Supply Veins affiliates, and Subprocessors are located.
7.2. Where required, Parties will implement adequate cross-border data transfer mechanisms to the extent required by Data Protection Law, such as the standard contractual clauses.
8. Deletion of Customer Personal Data
8.1. At the conclusion of the Agreement, Supply Veins will delete or fully anonymize the Customer Personal Data within 180 days of the termination of the Agreement, unless continued Processing is subject to a new or amended agreement. Upon Customer’s request, Supply Veins will certify compliance in writing to the foregoing.
9. Additional Terms
9.1. If any amendment to this DPA is required due to a change in Data Protection Laws, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes. The Parties will not unreasonably withhold consent or approval to amend this DPA pursuant to this Section 9 or otherwise.
9.2. In the event of a conflict between any terms of this DPA and any other term of the Agreement, the terms of this DPA will control; in the event of a conflict between the terms of this DPA and the terms of the relevant standard contractual clauses (to the extent applicable), the terms of the standard contractual clauses will apply.
9.3. Any claims brought under, or in connection with, this DPA, including indemnity, shall be subject to the exclusions and limitations of liability set forth in the Terms and Conditions.