Data Processing Addendum

Effective Date: December 19, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," "Controller," or "you") and Inflowence ("Processor," "we," "us," or "our").

This DPA governs the processing of Personal Data by Inflowence on behalf of Customer in connection with the Services, as required by applicable Data Protection Laws.

1. Definitions

"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including:

• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Utah Consumer Privacy Act (UCPA)
• Other applicable US state privacy laws

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Inflowence in connection with the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, erasure, or destruction.

"Sub-processor" means any third-party service provider engaged by Inflowence to process Personal Data on Customer's behalf (see Subprocessors List).

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Processor" means the entity that processes Personal Data on behalf of a Controller.

"Services" means the Inflowence platform and all related services as described in the Terms of Service.

2. Roles and Scope

2.1 Roles of the Parties

Customer as Controller:

• Customer is the Controller of Personal Data submitted to the Services
• Customer determines the purposes and means of processing Personal Data
• Customer is responsible for compliance with Data Protection Laws in its role as Controller

Inflowence as Processor:

• Inflowence acts as a Processor processing Personal Data on Customer's behalf
• Inflowence processes Personal Data only in accordance with Customer's documented instructions
• Inflowence will not sell Customer's Personal Data

2.2 Scope of Processing

Types of Personal Data processed:

• Contact information (names, email addresses, phone numbers, addresses)
• Business information (company names, job titles, business addresses)
• Communication content (emails, SMS messages, voice call recordings, direct messages)
• Engagement data (opens, clicks, responses, website visits)
• Social media profile information
• Transaction and billing information
• Technical data (IP addresses, device information, usage logs)

Categories of Data Subjects:

• Customer's employees and authorized users
• Customer's clients, leads, and prospects
• Customer's customers and end-users

Purpose of Processing:

• Providing the Services as described in the Terms of Service
• Marketing automation and communication management
• CRM and customer relationship management
• AI-powered content generation and voice services
• Analytics and reporting
• Technical support and service improvement

Duration of Processing:

• For the duration of the Services agreement
• As specified in our data retention policies
• See Privacy Policy for retention details

3. Customer's Obligations

3.1 Lawfulness of Processing

Customer represents and warrants that:

• It has a lawful basis for processing Personal Data under Data Protection Laws
• It has obtained all necessary consents and authorizations from Data Subjects
• Processing instructions provided to Inflowence comply with Data Protection Laws
• It has the right to transfer Personal Data to Inflowence for processing

3.2 Processing Instructions

Customer's instructions to Inflowence include:

• Use of the Services in accordance with the Terms of Service
• Configuration and settings chosen within the Services
• Data import, export, and deletion requests
• Technical support requests
• Other written instructions mutually agreed upon

Inflowence will:

• Process Personal Data only in accordance with documented instructions
• Immediately inform Customer if instructions violate Data Protection Laws (in our reasonable opinion)
• Not process Personal Data for any purpose other than as instructed

3.3 Data Subject Rights

Customer is responsible for:

• Responding to Data Subject requests (access, rectification, erasure, etc.)
• Providing Data Subjects with required notices and disclosures
• Obtaining necessary consents for processing
• Managing opt-outs and unsubscribe requests

4. Inflowence's Obligations

4.1 Confidentiality

Inflowence shall:

• Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
• Limit access to Personal Data to personnel who need access to perform Services
• Not disclose Personal Data to third parties except as authorized

4.2 Security Measures

Inflowence implements appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Access control and authentication (multi-factor authentication)
• Network security and firewalls
• Regular security patching and updates
• Intrusion detection and prevention systems

Organizational Measures:

• Security policies and procedures
• Employee security training and awareness
• Background checks for personnel with data access
• Incident response and breach notification procedures
• Regular security audits and assessments
• Third-party security certifications (SOC 2, ISO 27001)

4.3 Security Incident Notification

In the event of a Personal Data breach, Inflowence will:

• Notify Customer without undue delay upon becoming aware
• Provide reasonable information about the breach
• Take reasonable steps to mitigate harm and prevent future breaches
• Cooperate with Customer's investigation and regulatory notifications

Notification includes:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of Personal Data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

Contact for Breaches: security@inflowence.ai

4.4 Assistance with Data Subject Requests

Inflowence will provide reasonable assistance to help Customer respond to Data Subject requests:

Access Requests: Tools to export Personal Data Rectification: Tools to update or correct Personal Data Erasure: Tools to delete Personal Data upon request Portability: Data export in machine-readable formats Objection/Restriction: Configuration options to limit processing

Response Time: Inflowence will respond to assistance requests within 10 business days.

Customer's Role: Customer is responsible for responding directly to Data Subjects. Inflowence provides tools and assistance only.

5. Sub-processors

5.1 Authorization

Customer authorizes Inflowence to engage Sub-processors to process Personal Data, subject to the terms of this DPA.

Current Sub-processors: See Subprocessors List

5.2 Sub-processor Obligations

Inflowence ensures that Sub-processors:

• Are bound by written agreements imposing substantially the same obligations as this DPA
• Implement appropriate security measures
• Process Personal Data only as authorized
• Maintain confidentiality

5.3 Changes to Sub-processors

Inflowence will:

• Provide 30 days' advance notice of new Sub-processors for material processing
• Maintain an up-to-date list at Inflowence Subprocessors
• Allow Customer to object to new Sub-processors

Objection Process:

• Customer must object in writing within 30 days of notice
• Inflowence will work in good faith to provide an alternative solution
• If no alternative is available, Customer may terminate the affected Services without penalty

5.4 Liability

Inflowence remains liable for the acts and omissions of Sub-processors to the same extent as if Inflowence performed the services directly.

6. Data Location and Storage

6.1 Primary Data Location

Personal Data is primarily stored and processed in:

• United States (AWS, Supabase)
• May be cached or processed globally through CDN and edge networks

6.2 Data Residency

All customer data is stored within the United States. For customers with specific data residency requirements:

• Contact sales@inflowence.ai for custom arrangements
• Enterprise plans may offer dedicated regional hosting options
• Additional fees may apply for dedicated infrastructure

7. Data Retention and Deletion

7.1 Retention

Inflowence will retain Personal Data:

• For the duration of the Services agreement
• As necessary to provide the Services
• As required by law or regulation
• As specified in our Privacy Policy

7.2 Deletion

Upon termination or expiration of the Services agreement:

• Customer may export Personal Data for 30 days after termination
• Inflowence will delete or anonymize Personal Data within 90 days of termination
• Exception: Data required to be retained by law or for legitimate business purposes (e.g., billing records)

Deletion Process:

• Customer may request immediate deletion by contacting support
• Deletion confirmation provided upon request
• Backups may be retained for an additional 90 days per backup retention policies

8. Audits and Compliance

8.1 Audit Rights

Customer may audit Inflowence's compliance with this DPA:

Standard Audit Information:

• Inflowence will provide copies of relevant security certifications (SOC 2, ISO 27001)
• Available annually upon written request
• No cost for standard documentation

On-Site Audits:

• Available to Enterprise customers or upon mutual agreement
• Requires 60 days' advance notice
• Conducted during business hours with minimal disruption
• Customer pays reasonable costs
• Subject to confidentiality agreement

8.2 Certifications

Inflowence maintains the following certifications (where applicable):

• SOC 2 Type II examination
• ISO 27001 certification
• Privacy Shield (historical, for legacy contracts)

Requesting Certificates: compliance@inflowence.ai

8.3 Compliance Assistance

Inflowence will provide reasonable assistance with:

• Data protection impact assessments (DPIAs)
• Consultations with supervisory authorities
• Regulatory inquiries and investigations
• Customer's compliance obligations

Additional Fees: May apply for extensive compliance assistance beyond standard services.

9. Liability and Indemnification

9.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

Exception: Neither party limits liability for:

• Data breaches caused by that party's negligence or willful misconduct
• Violations of Data Protection Laws by that party
• As prohibited by applicable law

9.2 Indemnification

Inflowence Indemnifies Customer for:

• Claims arising from Inflowence's breach of this DPA
• Inflowence's violations of Data Protection Laws in its role as Processor
• Unauthorized processing by Inflowence

Customer Indemnifies Inflowence for:

• Claims arising from Customer's processing instructions
• Customer's violations of Data Protection Laws in its role as Controller
• Customer's failure to obtain necessary consents

10. Term and Termination

10.1 Term

This DPA takes effect on the date Customer first uses the Services and continues for the duration of the Services agreement.

10.2 Effect of Termination

Upon termination:

• Inflowence will cease processing Personal Data (except for deletion)
• Customer may export Personal Data during the post-termination period
• Inflowence will delete or return Personal Data as directed
• Provisions requiring ongoing performance will survive (e.g., confidentiality, deletion)

11. Conflict and Precedence

In the event of conflict between this DPA and the Terms of Service:

• This DPA prevails for data protection matters
• Terms of Service prevail for other matters

12. Amendments

Inflowence may update this DPA:

• To reflect changes in Data Protection Laws
• To reflect changes in our Services or Sub-processors
• For clarification or improved readability

Notice of Changes:

• Material changes: 30 days' advance notice via email
• Non-material changes: Posted on website, effective immediately

13. Governing Law

This DPA is governed by the same law as the Terms of Service, except where Data Protection Laws require otherwise.

14. Contact Information

Data Protection Officer

For data protection inquiries:

• Email: dpo@inflowence.ai
• Mail: [To be provided upon request]

General Inquiries

• Privacy Questions: privacy@inflowence.ai
• Security Questions: security@inflowence.ai
• Legal Questions: legal@inflowence.ai
• Compliance Questions: compliance@inflowence.ai

15. Acceptance

By using the Services, Customer agrees to the terms of this DPA.

For customers requiring a signed DPA:

• Contact legal@inflowence.ai
• Executed DPA available for Enterprise customers
• Standard DPA incorporated into Terms of Service for all customers

Related Documents

• Terms of Service
• Privacy Policy
• Subprocessors List
• Acceptable Use Policy

Exhibits

Exhibit A: Details of Processing

Nature of Processing: Marketing automation, CRM, communication management, AI services

Purpose: Providing the Services to Customer

Duration: Duration of Services agreement + retention period

Data Subjects: Customer's employees, users, clients, leads, prospects, customers

Categories of Data: Contact info, communications, engagement data, social profiles, business data

Exhibit B: Security Measures

See Section 4.2 (Security Measures) above and our Security Overview (available upon request).

Exhibit C: Sub-processors

See Subprocessors List

Last Updated: December 19, 2025

This DPA is effective as of the date Customer first uses the Services or accepts the Terms of Service, whichever is earlier.

For questions or to request an executed copy, contact: legal@inflowence.ai