
// data processing addendum

Data Processing Addendum (DPA)

Last updated: April 1, 2026

Placeholder document. Final terms will be drafted with counsel before public launch. The DPA below is an illustrative template for review and is not yet executable.

// 01 · parties

Parties

This Data Processing Addendum (the “DPA”) is entered into between Magistry B.V., a private limited company organised under the laws of the Netherlands with registered office in Amsterdam (the “Processor” or “Magistry”), and the Customer entity identified on the applicable Order Form or signed acceptance of the Terms of Service (the “Controller” or “Customer”).

This DPA forms an integral part of the Terms of Service and applies to all processing of Personal Data by Magistry on behalf of Customer in connection with the Service. In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data.

// 02 · definitions

Definitions

Controller means the natural or legal person that determines the purposes and means of the processing of Personal Data. For the purpose of this DPA, the Controller is the Customer.

Processor means the natural or legal person that processes Personal Data on behalf of the Controller. For the purpose of this DPA, the Processor is Magistry.

Personal Data means any information relating to an identified or identifiable natural person that is processed by Magistry on behalf of Customer in connection with the Service.

Sub-processor means any third-party processor engaged by Magistry to process Personal Data on its behalf in connection with the Service.

Data Protection Laws means all data-protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (the “GDPR”) and equivalent national implementations.

// 03 · scope

Scope and roles

The parties acknowledge that with respect to the processing of Personal Data in connection with the Service, Customer acts as Controller and Magistry acts as Processor. Each party will comply with its obligations under Data Protection Laws.

Customer instructs Magistry to process Personal Data only (i) as described in the Terms of Service and this DPA, including Annex A, (ii) as further documented in any other written instruction agreed between the parties from time to time, and (iii) as required to comply with applicable law.

Customer warrants that it has all necessary rights and consents under Data Protection Laws to allow Magistry to process Personal Data as contemplated by this DPA. Customer remains responsible for the accuracy, quality, and lawfulness of the Personal Data and the means by which it was acquired.

// 04 · processor obligations

Processor obligations

Magistry will:

  • Process Personal Data only on documented instructions from Customer.
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under a statutory duty of confidentiality.
  • Implement the technical and organisational measures set out in Annex B.
  • Respect the conditions for engaging Sub-processors set out in Section 6.
  • Taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures in fulfilling Customer’s obligations to respond to requests from data subjects exercising their rights.
  • Taking into account the nature of the processing and the information available to Magistry, assist Customer in ensuring compliance with its obligations to maintain security of processing, notify Personal Data Breaches, conduct data-protection impact assessments, and consult supervisory authorities in advance where required.
  • At Customer’s choice, delete or return all Personal Data after the end of the provision of the Service as set out in Section 11.
  • Make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits as set out in Section 10.

Magistry will inform Customer if, in its opinion, an instruction from Customer infringes Data Protection Laws. Magistry is not obliged to monitor or evaluate Customer’s instructions for legal compliance but will not act on instructions that are manifestly unlawful.

// 05 · security measures

Security measures (Annex B)

Magistry will implement and maintain the technical and organisational measures described in Annex B of this DPA, designed to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

Magistry may update the measures in Annex B from time to time provided that the updated measures do not materially decrease the overall level of protection of Personal Data.

// 06 · sub-processors

Sub-processors

Customer grants Magistry general authorisation to engage Sub-processors, subject to the conditions in this Section 6. The current list of Sub-processors is set out in Annex C and is reproduced below.

Magistry will impose data-protection terms on its Sub-processors that provide at least the same level of protection for Personal Data as those set out in this DPA, including obligations to implement appropriate technical and organisational measures.

Magistry will notify Customer at least thirty (30) days in advance of any intended changes concerning the addition or replacement of Sub-processors. Customer may object on reasonable data-protection grounds within fifteen (15) days of the notice. If the parties cannot resolve the objection in good faith, Customer may terminate the affected subscription by written notice and receive a pro-rata refund of any prepaid fees attributable to the period following termination.

Magistry remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if those acts and omissions were those of Magistry.

// 07 · international transfers

International transfers and SCCs

Customer authorises Magistry to transfer Personal Data to countries outside the European Economic Area or the United Kingdom where necessary to provide the Service. Where such transfers occur to a country that has not received an adequacy decision from the European Commission, the parties agree that the European Commission’s Standard Contractual Clauses of 4 June 2021 (Decision (EU) 2021/914) apply, with Module Two (controller-to-processor) incorporated by reference into this DPA.

Where Customer is itself a processor and Magistry acts as sub-processor with respect to a particular flow, the parties agree that Module Three (processor-to-processor) of the Standard Contractual Clauses applies.

The optional docking clause is selected. Clause 7 (docking), Clause 9 (Option 2, general written authorisation) with the change-notification period set in Section 6, and Clause 17 (Option 1, governing law of the Netherlands) apply. Clause 18 places the forum in the Netherlands. The annexes to the SCCs are deemed populated with the corresponding information in Annexes A, B, and C of this DPA.

Magistry maintains transfer-impact assessments for each non-EEA transfer and will make them available to Customer on reasonable request.

// 08 · data-subject rights

Data-subject rights assistance

Taking into account the nature of the processing, Magistry will assist Customer by appropriate technical and organisational measures, in so far as this is possible, in fulfilling Customer’s obligation to respond to requests from data subjects exercising their rights under Data Protection Laws, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.

If Magistry receives a request directly from a data subject, Magistry will, unless legally prohibited, promptly forward the request to Customer and will not respond directly except to acknowledge receipt and to inform the data subject that their request has been forwarded to the Controller.

// 09 · breach notification

Personal-data breach notification

Magistry will notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA (a “Personal Data Breach”). The notification will describe, to the extent known at the time and supplemented as further information becomes available:

  • The nature of the breach, including, where possible, the categories and approximate number of data subjects and Personal Data records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed by Magistry to address the breach and to mitigate its possible adverse effects.
  • The name and contact details of the Magistry point of contact for further information.

Magistry will cooperate with Customer in good faith to investigate the breach and assist Customer in any notifications required to be made to supervisory authorities and affected data subjects.

// 10 · audit rights

Audit rights

Magistry will make available to Customer the information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, including its latest SOC 2 report (Type II once available), penetration-test summary, and the measures listed in Annex B.

Customer may, no more than once per twelve-month period and on at least thirty (30) days’ prior written notice, audit Magistry’s compliance with this DPA. The audit must be conducted during regular business hours, with reasonable care not to disrupt Magistry’s operations, and subject to a confidentiality agreement. Where Customer engages a third-party auditor, the auditor must not be a competitor of Magistry.

Each party bears its own costs of an audit, except that Customer will bear Magistry’s reasonable costs where the audit reveals no material breach of this DPA or where it is conducted at a frequency exceeding the once-per-twelve-month limit.

// 11 · return and deletion

Return and deletion of Personal Data

Following expiry or termination of the Service, Magistry will, at Customer’s choice, delete or return all Personal Data processed on behalf of Customer and delete any existing copies, unless retention is required by Union or Member State law.

Magistry will make Customer Data available for export in a structured, commonly used, machine-readable format for thirty (30) days after termination. After that period, Personal Data will be deleted from active systems within thirty (30) days and from backups within ninety (90) days, except where retention is required by law (for example, billing records) or technically infeasible (for example, immutable append-only audit logs).

// 12 · term

Term and termination

This DPA takes effect on the date Customer accepts the Terms of Service or the date the parties sign an applicable Order Form, whichever is earlier, and continues until Magistry ceases all processing of Personal Data on behalf of Customer. Provisions that by their nature should survive termination will survive, including those relating to confidentiality, liability, return and deletion of Personal Data, and audit rights.

// 13 · governing law

Governing law

This DPA is governed by the laws of the Netherlands without regard to its conflict-of-laws principles. Disputes arising out of or in connection with this DPA are subject to the exclusive jurisdiction of the District Court of Amsterdam, without prejudice to any mandatory jurisdiction of supervisory authorities or courts under Data Protection Laws.

// 14 · annex a

Annex A · Description of the processing

Subject matter. Provision of the Magistry autonomous control plane for multi-channel commerce, including catalog, campaign, and customer-service agents.

Nature and purpose. Ingesting Customer Data from Connected Services, applying agent reasoning, writing decisions back to those Connected Services, and producing audit and reporting outputs for Customer.

Duration. For the term of the Service plus the post-termination retention period set out in Section 11.

Categories of data subjects. Customer’s end customers, prospective customers, and Customer’s employees authorised to use the Service.

Categories of Personal Data. Contact details, transaction records, ad interactions, support communications, session identifiers, and any Personal Data otherwise present in catalog, performance, inbox, or customer-record data flowing through the Connected Services.

Special categories. None intended. Customer must not submit special categories of data without prior written agreement.

// 15 · annex b

Annex B · Technical and organisational measures

Access control. Role-based access control with least-privilege defaults. Production access requires two-factor authentication, an approved access request, and is logged in an immutable audit trail.

Encryption. TLS 1.3 for all data in transit. AES-256 encryption at rest for primary data stores. Secrets are held in a Vault-encrypted column and decrypted only at job runtime.

Network security. Cloudflare-fronted ingress with DDoS protection. Private VPC for database and worker traffic. No direct internet exposure of stateful services.

Logging and monitoring. Application-level logging via Sentry. Decision-log entries are append-only and tamper-evident.
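Annex B states that decision-log entries are append-only and tamper-evident but does not say how that property is achieved. The following is an added example, not Magistry’s own code: it assumes tamper evidence comes from hash chaining, where each entry’s SHA-256 digest commits to the previous entry’s hash, its position and its canonicalised content. The decision records are constructed sample data. It also shows the check’s limit: silently dropping the newest entries is invisible to the chain alone, so the head hash must be recorded out of band.

```python
"""Hash-chained append-only decision log with an integrity check.

Added example (assumption: tamper evidence via hash chaining). Editing,
deleting or reordering a stored entry breaks the chain at that entry;
truncating the tail is only caught if the expected head hash is known.
"""
import copy
import hashlib
import json
from typing import Optional, Tuple

# Hash value the first entry chains from. Chosen for this example; a real
# deployment would pin one per log stream.
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    # Fixed key order and separators so an equal record always hashes equally.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # One digest commits to predecessor, position and content.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"|%d|" % seq)
    h.update(_canonical(record))
    return h.hexdigest()


def append(log: list, record: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": entry_hash(prev, seq, record)}
    log.append(entry)
    return entry


def head_hash(log: list) -> str:
    # The newest hash. Storing it out of band (e.g. sharing it with the
    # Customer) is what makes tail truncation detectable.
    return log[-1]["hash"] if log else GENESIS


def verify(log: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS. Returns (True, None) if intact, otherwise
    (False, index) where index is the first failing entry; index == len(log)
    means the chain verified but its head differs from expected_head."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        if entry_hash(prev, i, e["record"]) != e.get("hash"):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log() -> list:
    # Constructed sample decision records; not real Magistry data.
    log = []
    for rec in [
        {"agent": "campaign", "action": "pause_ad", "target": "ad-1001", "reason": "cpa_over_target"},
        {"agent": "catalog", "action": "update_price", "target": "sku-42", "new_price": "19.99"},
        {"agent": "support", "action": "draft_reply", "target": "ticket-7", "escalated": False},
    ]:
        append(log, rec)
    return log


def tamper_scenarios() -> dict:
    """Apply three tampers to copies of the sample log and report what verify says."""
    clean = build_sample_log()
    head = head_hash(clean)

    edited = copy.deepcopy(clean)
    edited[1]["record"]["new_price"] = "1.99"   # rewrite a past decision

    deleted = copy.deepcopy(clean)
    del deleted[1]                               # remove a middle entry

    truncated = copy.deepcopy(clean)[:-1]        # drop the newest entry

    return {
        "clean": verify(clean, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated_no_head": verify(truncated),       # chain alone cannot tell
        "truncated_with_head": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name}: {result}")
```

The `truncated_no_head` case is the one to note when reviewing an "append-only" claim: a log that merely chains hashes proves nothing about entries removed from its end, so an auditor should compare the current head hash against a value recorded outside the log itself.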

Personnel. Background checks where permitted by law. Mandatory security training and confidentiality agreements for every employee with access to production systems.

Vendor management. Written data-protection agreements with every Sub-processor, reviewed annually.

Resilience. Daily encrypted backups, point-in-time recovery for the primary Postgres database, and documented incident-response procedures with annual tabletop exercises.

Certifications. SOC 2 Type II in progress; ISO 27001 on the roadmap.

// 16 · annex c

Annex C · List of Sub-processors

Sub-processor   Purpose                              Region
--------------  -----------------------------------  ----------------------
Vercel          Hosting of the marketing site.       EU + global edge
Railway         Backend compute and workers.         EU-West
Supabase        Postgres, auth, Vault secrets.       EU-West (Ireland)
OpenAI          LLM inference (zero-retention).      United States
Anthropic       LLM inference (zero-retention).      United States
AWS             Object storage and backups.          EU-West (Ireland)
Stripe          Billing and payments.                EU + United States
Cloudflare      DNS, DDoS, edge caching.             Global edge
Sentry          Error and crash reporting.           EU (Frankfurt)
Twilio          2FA and transactional SMS.           EU (Ireland)
The list above is reviewed continuously and is the current Annex C in force.

Questions? Talk to legal.

Email legal@magistry.io for clarifications.