# OwnersPal Data Processing Addendum

**Effective Date:** 14 May 2026 (last updated)

This Data Processing Addendum (**"DPA"**) forms part of the agreement between **VIVE AI, Inc.** ("**OwnersPal**", "Processor") and the customer identified in the related OwnersPal subscription account ("**Customer**", "Controller") for the use of the OwnersPal service (the "**Service**"). It governs the processing of personal data carried out by OwnersPal on Customer's behalf in connection with the Service.

By using the Service, Customer accepts the terms of this DPA. Customer may also counter-sign and return a copy to `privacy@ownerspal.app` if their internal policies require a fully-executed instrument.

---

## 1. Scope and Roles

1.1 In the course of providing the Service, OwnersPal will process certain personal data on Customer's behalf. Customer is the **controller** of that personal data; OwnersPal is the **processor**.

1.2 This DPA applies only to processing of personal data subject to the European Union General Data Protection Regulation 2016/679 ("**GDPR**"), the United Kingdom Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("**CCPA/CPRA**"), and other comparable data protection laws to the extent they apply to Customer's use of the Service.

1.3 This DPA does **not** apply to personal data that OwnersPal processes as a controller in its own right — including Customer's billing contact, account login, and product analytics relating to Customer's use of the Service. Those activities are described in OwnersPal's published Privacy Policy.

## 2. Subject Matter, Duration, Nature and Purpose

2.1 **Subject matter:** Personal data submitted to or generated within the Service by Customer or by Customer's end users.

2.2 **Duration:** For the term of the underlying subscription agreement, plus any post-termination retention required to fulfil deletion / export obligations under Section 10.

2.3 **Nature and purpose:** Provision of the Service — including content generation, ad-campaign management, review monitoring and replies, lead capture, listing sync, analytics, and any auxiliary processing strictly necessary to deliver those features.

2.4 **Categories of data subjects:** Customer's customers and prospects (people who leave reviews, fill in lead-capture forms, interact with Customer's ads, etc.) and Customer's own personnel who use the Service.

2.5 **Categories of personal data:** Names, email addresses, phone numbers, postal addresses, lead-form free text, public review content, public business listing metadata, ad-campaign identifiers and ad-platform access tokens granted by Customer. OwnersPal does not require Customer to submit special categories of personal data and Customer must not submit such categories without prior written agreement.

2.6 **Aggregate site statistics (not personal data):** The Service also produces aggregate usage statistics for Customer's published website — daily counters of page views and button taps together with a coarse traffic source (a referring domain or "direct"). These counters use no cookies and no device identifiers, retain no IP addresses, and are not linkable to any natural person; they are therefore not personal data within the meaning of this DPA. The counters are retained for 13 rolling months and then deleted.

## 3. Customer Instructions

3.1 OwnersPal will only process personal data on Customer's documented instructions, including with regard to transfers of personal data outside the EEA, UK, or Switzerland.

3.2 The Service configuration set by Customer through the OwnersPal dashboard, including platform connections, audience definitions, post-approval rules, and any administrative actions Customer takes, constitutes Customer's documented instructions for the purposes of GDPR Article 28(3)(a).

3.3 OwnersPal will inform Customer promptly if, in its opinion, an instruction infringes applicable data protection law, but is not obliged to give legal advice.

## 4. Subprocessors

4.1 Customer authorises OwnersPal to engage subprocessors as listed at <https://ownerspal.app/subprocessors> (the "**Subprocessors Page**"), which is the single, authoritative list and is updated whenever a new subprocessor is added.

4.2 OwnersPal will provide at least **30 days'** notice of any new subprocessor by updating the Subprocessors Page. Customer may object in writing within that period; if the parties cannot agree, Customer may terminate the affected portion of the Service for material breach.

4.3 OwnersPal remains liable to Customer for the acts and omissions of its subprocessors as if OwnersPal had performed them itself.

## 5. Security Measures

5.1 OwnersPal will implement and maintain appropriate technical and organisational measures to protect personal data, including:

- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Strict access controls — production data is accessible only to a limited group of OwnersPal personnel on a least-privilege basis, with audit logging;
- Annual review of security policies and quarterly access reviews;
- Personnel under written confidentiality obligations and trained on data protection;
- Vulnerability scanning, dependency monitoring (Dependabot or equivalent), and patch management;
- Backup and disaster-recovery procedures suitable for a SaaS service of this scale.

5.2 The technical and organisational measures described above represent OwnersPal's commitments as of the Effective Date and may be updated from time to time; updates will not materially diminish the protection afforded.

## 6. Personal Data Breach

6.1 OwnersPal will notify Customer without undue delay — and in any event within **72 hours** — after becoming aware of a confirmed personal data breach affecting Customer personal data.

6.2 Notification will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

## 7. Data Subject Requests

7.1 Taking into account the nature of the processing, OwnersPal will provide reasonable assistance to enable Customer to respond to requests from data subjects to exercise their rights under applicable data protection law (access, rectification, erasure, restriction, portability, objection).

7.2 If OwnersPal receives a data subject request directly relating to Customer's data, OwnersPal will promptly forward it to Customer and will not respond to it on Customer's behalf unless legally required.

## 8. International Transfers

8.1 Where OwnersPal transfers personal data outside the EEA, UK, or Switzerland in the course of providing the Service, OwnersPal will use a valid transfer mechanism — including, where applicable, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.

8.2 Customer hereby enters into the appropriate set of those clauses with OwnersPal in the relevant module(s) (controller-to-processor) and authorises OwnersPal to enter into them with any subprocessor on Customer's behalf.

## 9. Audit

9.1 OwnersPal will make available to Customer the information necessary to demonstrate compliance with this DPA, including by responding in writing to reasonable security and privacy questionnaires.

9.2 If a recognised industry-standard certification or third-party audit report (e.g., SOC 2, ISO 27001) becomes available, Customer's audit right under GDPR Article 28(3)(h) will be satisfied by OwnersPal providing a copy under NDA.

9.3 In the absence of such a report, Customer may, no more than once per twelve-month period and on at least 30 days' prior written notice, conduct an on-site audit during normal business hours and at Customer's expense. Customer will minimise disruption and will not be entitled to access other customers' data.

## 10. Return and Deletion of Data

10.1 Upon termination or expiry of the underlying subscription, OwnersPal will, at Customer's choice and within **45 days**:

- return all Customer personal data in a commonly used, machine-readable format; or
- delete all Customer personal data from the Service and certify deletion in writing.

10.2 OwnersPal may retain personal data to the extent and for the duration required by applicable law, in which case OwnersPal will continue to protect it in accordance with this DPA.

10.3 Where OwnersPal retains hashed or otherwise de-identified records strictly for audit, abuse-prevention, or legal-defence purposes (for example, the salted-hash record OwnersPal keeps to satisfy account-deletion audit obligations under Section 13.3 of CCPA-Cal Civ Code § 1798.130), such records do not constitute personal data of the deleted data subject.

## 11. Term

11.1 This DPA takes effect on the Effective Date and continues for the term of the underlying subscription agreement.

11.2 Sections 6, 7, 9, 10, and any provisions which by their nature should survive, will survive termination of this DPA.

---

## Signatures (optional)

Customer may execute by counter-signing below and returning a scanned copy to `privacy@ownerspal.app`. OwnersPal will counter-sign and return within five business days. Use of the Service constitutes acceptance regardless of whether a wet signature is exchanged.

**For Customer (Controller):**

Name: _____________________________

Title: _____________________________

Company: _____________________________

Date: _____________________________

Signature: _____________________________

**For VIVE AI, Inc. (Processor):**

Name: Vivekananda Adepu

Title: Founder

Date: _____________________________

Signature: _____________________________
