Terms and Conditions of Use
Backwell Tech Corp. Europe GmbH
Potsdamer Platz - Kemperplatz 1, Berlin, BE, 10785
VAT-ID n. DE370556501
1. Scope
1.1 These Terms and Conditions ("Terms") govern access to, and use of, the Campaign Management Platform ("Platform") provided by Backwell Tech Corp. Europe GmbH ("Company"). By registering for or using the Platform, the Customer agrees to be legally bound by these Terms. The Platform is intended exclusively for business users (B2B).
2. Definitions
2.1 For the purposes of these Terms, the following definitions apply:
- "Company" means Backwell Tech Corp. Europe GmbH, a company registered in Germany, with registered office at Potsdamer Platz - Kemperplatz 1, Berlin, BE, 10785, registration number DE370556501.
- "Customer" means the business entity registered to use the Platform.
- "User" means an individual authorized by the Customer to access the Platform on its behalf.
- "Credits" means prepaid usage units purchased by the Customer that enable access to specific Platform features.
- "Trial Credits" means complimentary Credits granted by the Company for evaluation purposes, subject to the conditions set out in Clause 4.2.
- "Campaign" means a marketing communication campaign created and dispatched via the Platform, whether by email, physical post, or other available channel.
- "Third-Party Providers" means the independent service providers engaged by the Company to deliver parts of the Platform, including the following services: print and postal dispatch; automated email campaign infrastructure; transactional email notifications.
- "Third-Party Data" means data obtained from or made available via Third-Party Providers.
- "Personal Data" and "Processing" have the meanings defined under Regulation (EU) 2016/679 ("GDPR").
- "DPA" means the Data Processing Agreement attached as Annex A to these Terms. The DPA is automatically incorporated into and forms an integral and binding part of these Terms upon the Customer's electronic acceptance of the Terms. No separate signature shall be required unless expressly agreed in writing.
- "Confidential Information" means any non-public information disclosed by one Party to the other in connection with the Platform that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. It does not include information that: (a) is or becomes publicly available through no breach of these Terms; (b) was already known to the receiving Party prior to disclosure; (c) is independently developed by the receiving Party without reference to the disclosing Party's information; or (d) is required to be disclosed by law or competent authority.
- "Effective Date" means the date on which the Customer completes registration and accepts these Terms electronically.
3. Eligibility (B2B Only)
3.1 The Platform is for business use only. The Customer represents and warrants that: (a) it is a legal entity duly organized and validly existing under applicable law; (b) the individual accepting these Terms is duly authorized to bind the Customer; and (c) the Customer's use of the Platform will at all times comply with applicable laws, including but not limited to GDPR, Directive 2002/58/EC (ePrivacy Directive, as amended or replaced), and any sector-specific marketing regulations applicable in the Customer's jurisdiction.
4. Credit-Based Usage Model
4.1 Purchase of Credits
The Platform operates on a prepaid Credit basis. Credits are not sold on a subscription basis; the Customer may purchase Credits freely at any time. Credits must be purchased in advance and are deducted upon feature usage. Credits are non-refundable unless required by applicable law or under the circumstances expressly described in Clauses 4.5 and 15.
4.2 Trial Credits
Trial Credits are granted at the Company's sole discretion for evaluation purposes. Trial Credits: (a) expire 30 days from the date of grant or as otherwise agreed with the Customer in a separate contract; (b) carry no monetary value and are not redeemable for cash; (c) are not transferable; (d) may be revoked by the Company at any time without notice.
4.3 Expiration of Purchased Credits
Purchased Credits expire twelve (12) months after the date of purchase, unless a different period is agreed in writing. The Company will provide the Customer with email notification at least thirty (30) days prior to the expiration of Credits. Expired Credits are forfeited without compensation and shall no longer be considered "remaining Credits" for any purpose under these Terms.
4.4 Country-Based Credit Calculation
Credit usage per letter, email, or Campaign may vary depending on the destination country, regulatory requirements, operational costs, and Third-Party Provider charges. The applicable Credit cost will be clearly displayed at the checkout step before the Customer confirms dispatch. The Company reserves the right to adjust Credit pricing upon thirty (30) days' written notice to the Customer.
4.5 Credit Balance on Termination
Upon termination of the Customer's account for any reason, any remaining, non-expired, purchased (non-Trial) Credits will be refunded on a pro-rata basis within sixty (60) days, except where termination results from the Customer's material breach of these Terms, in which case such Credits are forfeited.
5. Account Registration & Security
5.1 Customers must provide accurate and complete registration information and maintain such information up to date. Customers are solely responsible for maintaining the confidentiality of their access credentials and for all activities that occur under their account. The Customer must promptly notify the Company of any unauthorized access to or use of its account. The Company is not responsible for any losses arising from the Customer's failure to safeguard its credentials, provided the Company has not contributed to such failure by its own acts or omissions.
6. Permitted Use & Acceptable Use Policy
6.1 The Platform may only be used for lawful business purposes. The Customer is solely responsible for the content of all communications dispatched via the Platform and for any direct or indirect damage caused by such content.
6.2 The following uses are strictly prohibited:
- Sending unlawful, abusive, derogatory, racist, pornographic, or sexually explicit content;
- Threats, blackmail, harassment, insults, slander, or defamation;
- Dissemination of information that is knowingly false, misleading, or deceptive in violation of applicable law;
- Content that infringes religious or sexual integrity;
- Unjustified or fraudulent claims or demands;
- Sending marketing communications to individuals or addresses registered with applicable opt-out or advertising-block registers (e.g., Robinson List, or addresses with a "star entry");
- Impersonation, use of false identities, or sending communications on behalf of a third party without lawful authorization (including trademark or copyright infringement);
- Resale, sublicensing, or provision of Platform access to third parties without the Company's prior written consent;
- Uploading or processing personal data for purposes incompatible with the Customer's lawful basis under GDPR;
- Sending unsolicited commercial communications (spam) in violation of the ePrivacy Directive or applicable national anti-spam laws;
- Any use that materially impairs the performance or availability of the Platform for other Customers.
6.3 The Company does not actively monitor or pre-screen the content of communications dispatched via the Platform. However, the Company reserves the right to investigate, suspend, or terminate access where it has reasonable grounds to suspect a breach of this Clause 6.
7. Third-Party Providers
7.1 The Company integrates Third-Party Providers as subcontractors for the performance of certain services under these Terms. The Customer acknowledges that such providers operate under their own terms and policies. The Company's responsibility is limited to the diligent selection and appropriate instruction of Third-Party Providers. The Company is responsible for the performance of its contractual obligations, including those performed through Third-Party Providers, subject to the limitations set out in Clause 14.
7.2 The Customer accesses all Third-Party Provider services through the Company's accounts and does not enter into a direct contractual relationship with any Third-Party Provider.
7.3 The Company is not liable for the acts or omissions of Third-Party Providers, including service downtime, data inaccuracies, or suspension of services, except to the extent such liability cannot be excluded by applicable law. However, liability arising from acts or omissions of Third-Party Providers shall be limited in accordance with Clause 14 of these Terms.
7.4 The Company shall use commercially reasonable efforts to notify Customers of material Third-Party Provider service disruptions and to seek alternative solutions where practicable.
7.5 To the extent that Third-Party Providers process Personal Data on behalf of the Customer, they shall be deemed Sub-Processors under the DPA and shall be engaged in accordance with the sub-processor provisions set out therein.
8. Email Delivery Disclaimer
8.1 The Company does not guarantee inbox placement, deliverability rates, Campaign performance, open rates, click-through rates, or business outcomes. Email deliverability depends on external infrastructure, recipient mail server configurations, and sender reputation factors beyond the Company's control. The Customer is responsible for maintaining list hygiene, honoring opt-outs and unsubscribes, and complying with applicable anti-spam laws.
9. Printing and Postal Delivery Service
9.1 Where physical dispatch is enabled:
- The Company's obligation is fulfilled upon confirmed transmission to the print provider.
- Physical delivery is performed by independent postal operators and is subject to their terms and timelines.
- Delivery timelines are not guaranteed and may be affected by postal disruptions, customs procedures, or inaccuracies in the address data provided by the Customer.
- The Customer warrants that: (i) all recipient addresses are accurate and complete; (ii) recipients have not exercised any applicable opt-out right in respect of postal marketing; and (iii) recipient personal data has been collected and is being used on a lawful basis under GDPR.
The Company accepts no liability for non-delivery due to incorrect, incomplete, or non-compliant address data provided by the Customer.
9.2 Liability for failed or delayed delivery is limited in accordance with Clause 14 and shall not exceed the Credit amount charged for the affected item.
10. Third-Party Data & Enrichment
10.1 Where the Platform incorporates data obtained from Third-Party Providers ("Third-Party Data"), the Company does not guarantee the accuracy, completeness, or legal compliance of such data. The Customer must independently verify that its use of Third-Party Data complies with GDPR, applicable national data protection laws, and any licensing conditions attached to such data. The Customer is solely responsible for establishing a lawful basis for processing any personal data contained in Third-Party Data, obtaining any required consents, and complying with data subject rights obligations.
11. Data Protection & GDPR
11.1 For the purposes of GDPR, the Customer acts as Data Controller in respect of personal data contained in Campaigns, and the Company acts as Data Processor. The Company processes personal data on behalf of the Customer solely in accordance with the Customer's documented instructions.
11.2 Processing of Personal Data is governed exclusively by the Data Processing Agreement attached as Annex A. Acceptance of these Terms constitutes acceptance of the DPA. The Parties agree that no separate execution is required for the DPA to be legally binding.
11.3 International transfers are subject to appropriate safeguards under GDPR Article 46 or adequacy decisions. Where the Platform involves transfers of personal data to Third-Party Providers established outside the European Economic Area (EEA), the following transfer mechanisms apply: (a) transfers to the United States are governed by Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to GDPR Article 46(2)(c); (b) transfers to Switzerland are made in reliance on the European Commission's adequacy decision in respect of Switzerland, which the Company will monitor for any changes. The Company shall ensure that equivalent safeguards remain in place for the duration of any processing.
12. Fees, Payments & VAT
12.1 All fees and Credit prices are exclusive of VAT and other applicable taxes unless expressly stated otherwise. Where the Customer holds a valid EU VAT identification number and is established in a different EU Member State from the Company, the reverse charge mechanism applies and the Customer is responsible for accounting for VAT in its own jurisdiction. The Customer is solely responsible for compliance with all tax obligations in its jurisdiction arising from its use of the Platform. Invoices will be issued electronically to the email address provided during registration.
13. Disclaimer of Warranties
13.1 The Platform is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, express or implied, to the maximum extent permitted by applicable law. Without limiting the foregoing, the Company makes no warranty that: (a) the Platform will be error-free or uninterrupted; (b) results obtained via the Platform will meet the Customer's expectations; or (c) any defects will be corrected within a specific timeframe.
14. Limitation of Liability
14.1 The Company shall not be liable for indirect, incidental, consequential, special, or punitive damages, including loss of profits, revenue, data, goodwill, or regulatory fines, arising from the Customer's misuse of the Platform or breach of these Terms. Where a regulatory fine or penalty is imposed on the Customer as a result of the Customer's own acts, omissions, or non-compliance, such fines or penalties are not recoverable from the Company.
14.2 The Company's aggregate cumulative liability arising out of or in connection with these Terms, whether in contract, tort (including negligence), strict liability, or otherwise, shall not exceed the lesser of: (a) the total fees paid by the Customer in the twelve (12) months preceding the event giving rise to the claim; or (b) €20,000.
14.3 For claims arising from print, postal, or other Third-Party Provider services, liability shall in no event exceed the amount recoverable from the relevant Third-Party Provider in respect of the same event.
14.4 Nothing in these Terms limits or excludes liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any other liability that cannot be excluded or limited under applicable law, including mandatory provisions of German law.
14.5 In the event of breach of essential contractual obligations (Kardinalpflichten), liability shall be limited to foreseeable and typically occurring damages, subject to the cap set out in Clause 14.2.
14.6 Liability arising under the DPA shall be subject to the limitations set out in this Clause 14, except where such limitation is not permitted under applicable law.
14.7 These limitations form an essential basis of the agreement and apply regardless of the legal theory asserted.
15. Force Majeure
15.1 Neither Party shall be liable for any failure or delay in performing its obligations under these Terms (excluding payment obligations for services already rendered) to the extent such failure or delay is caused by events beyond its reasonable control, including but not limited to:
- Natural disasters, fire, flood, or earthquake;
- War, terrorism, civil unrest, or governmental actions;
- Labour disputes or strikes (other than involving the affected Party's own employees);
- Cyberattacks, DDoS attacks, or ransomware incidents;
- Internet, cloud infrastructure, or telecommunications network failures;
- Suspension or termination of Third-Party Provider services;
- Postal service disruptions or strikes;
- Pandemics or epidemics declared by competent public health authorities.
15.2 In the event of a Force Majeure event, the affected Party shall: (a) promptly notify the other Party in writing; (b) suspend performance for the duration of the event; and (c) use commercially reasonable efforts to mitigate the effects and resume performance as soon as reasonably practicable.
15.3 If a Force Majeure event continues for more than thirty (30) consecutive days, either Party may terminate the affected services upon written notice without further liability, except for payment obligations accrued prior to the event. In such case, the Company shall refund any unused non-expired Credits to the Customer within sixty (60) days of the termination notice, by bank transfer to the account details provided by the Customer.
16. Communications via Email
16.1 By registering on the Platform, the Customer consents to receiving order confirmations, invoices, Credit expiry notices, status updates, and other service notifications exclusively to the email address provided during registration or subsequently updated by the Customer.
16.2 The Customer is responsible for: (a) ensuring the registered email address remains active and deliverable; and (b) whitelisting the Company's email domains to prevent notifications from being filtered as spam. There is no entitlement to re-delivery of notifications where non-delivery results from the Customer's own email infrastructure or configuration. The Customer may update its registered email address at any time via the Platform settings.
16.3 To stop receiving service notifications, the Customer must delete its account.
17. Indemnification
17.1 The Customer agrees to indemnify, defend, and hold harmless the Company, its officers, directors, employees, and agents from and against any claims, damages, fines, penalties, costs, and expenses (including reasonable legal fees) arising from: (a) the Customer's breach of these Terms; (b) unlawful marketing practices or the sending of unsolicited communications; (c) violations of GDPR or other applicable data protection laws; (d) misuse of Third-Party Data; or (e) the content of communications dispatched by the Customer via the Platform.
18. Termination
18.1 Termination by the Company. The Company may suspend or terminate the Customer's access: (a) immediately, upon material breach by the Customer (including breach of Clause 6); or (b) upon ten (10) days' written notice, for non-payment or where continuation of the contractual relationship is objectively unreasonable, taking into account the legitimate interests of both Parties. Written notice includes notification by email to the Customer's registered address.
18.2 Termination by the Customer. The Customer may terminate its account at any time by deleting the account via the Platform settings or by providing written notice to the Company. Termination by the Customer takes effect upon confirmation by the Company, which shall not be unreasonably withheld or delayed.
18.3 Effect of Termination. Upon termination: (a) the Customer's access to the Platform is immediately revoked; (b) all pending Campaign dispatches may be cancelled at the Company's discretion, to the extent technically feasible and not yet transmitted to a Third-Party Provider; (c) personal data processed on behalf of the Customer will be deleted or returned in accordance with the DPA within thirty (30) to sixty (60) days, unless a longer retention period is required by applicable law.
18.4 Credit Refund on Termination. Any Credit refund due upon termination shall be governed by Clause 4.5.
19. Governing Law & Jurisdiction
19.1 These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes) shall be governed by and construed in accordance with the laws of Germany, excluding its conflict-of-law rules. Disputes shall be subject to the exclusive jurisdiction of the courts of Berlin, Germany.
19.2 For the avoidance of doubt, nothing in this Clause limits the Customer's right to bring proceedings in the courts of the Customer's domicile where mandatory local law so requires.
20. Amendments
20.1 The Company reserves the right to amend these Terms at any time. The Customer will be notified of material amendments by email at least thirty (30) days before the changes take effect. Continued use of the Platform after the effective date of amended Terms constitutes the Customer's acceptance of the revised Terms. If the Customer does not accept the amended Terms, it may terminate its account before the effective date without penalty, and any unused purchased Credits will be refunded in accordance with Clause 4.5.
21. Intellectual Property
21.1 All intellectual property rights in the Platform remain the exclusive property of the Company.
21.2 The Customer receives a limited, non-exclusive, non-transferable right to use the Platform for internal business purposes.
21.3 Reverse engineering, derivative works, and competitive use are prohibited.
21.4 The Customer retains all intellectual property rights in the content it creates or uploads to the Platform ("Customer Content"). The Customer grants the Company a limited, non-exclusive licence to process and transmit Customer Content solely as necessary to provide the Platform services. The Company makes no claim of ownership over Customer Content. The Customer warrants that it holds all rights necessary to use and transmit Customer Content via the Platform.
22. Confidentiality
22.1 Each Party shall: (a) hold the other Party's Confidential Information in strict confidence; (b) not disclose Confidential Information to any third party without the prior written consent of the disclosing Party, except to employees, contractors, or advisors who need to know such information and are bound by confidentiality obligations at least as protective as those set out herein; and (c) use the other Party's Confidential Information solely for the purposes of performing its obligations or exercising its rights under these Terms.
22.2 If a Party is required by law, regulation, or court order to disclose Confidential Information, it shall, to the extent permitted by law: (a) promptly notify the disclosing Party; (b) cooperate with the disclosing Party in seeking a protective order or equivalent; and (c) disclose only that portion of the Confidential Information that it is legally required to disclose.
22.3 These confidentiality obligations shall survive termination of these Terms for a period of five (5) years from the date of the relevant disclosure.
23. No Service Level Agreement
23.1 No service level agreement (SLA) or specific uptime guarantee applies to the Platform unless separately agreed in writing between the Parties. The Company will use commercially reasonable efforts to maintain Platform availability but makes no binding commitment as to any specific availability percentage or response time.
24. No Generative AI or Automated Profiling
24.1 The current version of the Platform does not incorporate generative artificial intelligence systems or automated decision-making or profiling within the meaning of GDPR Article 22. If such features are introduced in future releases, these Terms and the DPA will be updated prior to their activation.
25. Miscellaneous
25.1 Entire Agreement. These Terms, together with the DPA and any written order confirmation, constitute the entire agreement between the Parties with respect to the Platform and supersede all prior agreements, representations, and understandings.
25.2 Severability. If any provision of these Terms is found to be invalid, unlawful, or unenforceable by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force and effect.
25.3 Waiver. Failure by either Party to enforce any provision of these Terms at any time shall not constitute a waiver of that Party's right to enforce such provision in the future.
25.4 Assignment. The Customer may not assign or transfer its rights or obligations under these Terms without the Company's prior written consent. The Company may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets. In such case, the Customer will be notified within thirty (30) days of the assignment and may terminate the account without penalty within thirty (30) days of receiving such notice if the assignment materially affects the Customer's rights.
25.5 Notices. All formal notices required or permitted under these Terms shall be made in writing. Notice by email to the registered email address of the receiving Party shall be deemed received on the next business day following transmission, provided no delivery error is received. The Company may update its notice address by posting the change on the Platform or by email to registered Customers.
25.6 Future Global Expansion. The Platform is currently available in the European Union. As the Company expands to additional territories, supplementary terms or jurisdiction-specific addenda may be issued to address applicable local legal requirements.
ANNEX A
DATA PROCESSING AGREEMENT (DPA)
1. Parties
This Data Processing Agreement ("DPA") forms Annex A to the Terms and Conditions of Use of the Campaign Management Platform ("Terms") and is entered into between:
- Backwell Tech Corp. Europe GmbH, a company registered in Germany, with registered office at Potsdamer Platz - Kemperplatz 1, Berlin, BE, 10785 ("Processor"); and
- The Customer, as identified in the Platform registration ("Controller").
Each a "Party" and together the "Parties". This DPA is incorporated automatically and becomes legally binding upon the Customer's electronic acceptance of the Terms. No separate signature is required unless expressly agreed in writing.
2. Scope & Relationship of the Parties
2.1 This DPA governs all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Platform.
2.2 The Controller determines the purposes and means of Processing. The Processor processes Personal Data solely on documented instructions from the Controller, unless required to do otherwise by applicable law, in which case the Processor shall inform the Controller of such requirement before Processing, unless prohibited by law on grounds of public interest.
2.3 This DPA satisfies the requirements of Article 28(3) GDPR and constitutes the written contract required thereunder.
3. Description of Processing
3.1 Subject Matter: Provision of the Campaign Management Platform, including email campaign dispatch, transactional email notifications, print and postal dispatch, and related infrastructure services.
3.2 Duration: Processing shall continue for the duration of the Terms and, where applicable, for any retention period required by applicable law following termination.
3.3 Nature & Purpose of Processing:
- Hosting and transmission of Campaign content
- Email campaign creation and dispatch
- Transactional notification emails (account activation, password reset, invoicing)
- Print file generation and transmission to postal provider
- Account management and customer support
- Security monitoring and fraud prevention
3.4 Categories of Data Subjects:
- Prospects and marketing recipients identified by the Controller
- Customers of the Controller
- Business contacts of the Controller
- Employees and authorized Users of the Controller (account management)
3.5 Categories of Personal Data:
- Identity data: name, job title
- Contact data: email address, postal address, company name
- Communication content: Campaign text and attachments
- Technical metadata: IP addresses, timestamps, delivery logs
- Account credentials (stored in hashed form only)
Special Categories of Personal Data (Article 9 GDPR): The Controller shall not upload, submit, or include Special Categories of Personal Data in any Campaign or data set processed via the Platform without the prior written consent of the Processor. In the event of unauthorized submission of such data, the Controller bears full and exclusive responsibility for that processing. The Processor shall not be liable for any consequence arising therefrom.
4. Processor Obligations
The Processor shall:
4.1 Process Personal Data only on the Controller's documented instructions and for no other purpose, unless required by applicable law.
4.2 Ensure that all persons authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
4.3 Implement and maintain appropriate technical and organisational measures as set out in Annex I, ensuring a level of security appropriate to the risk.
4.4 Assist the Controller, by appropriate technical and organisational measures insofar as possible, in fulfilling the Controller's obligations to respond to data subject rights requests under Chapter III GDPR — including rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21) — within a timeframe that allows the Controller to meet its own response obligations under applicable law. See also Clause 8.
4.5 Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and information available to the Processor.
4.6 Notify the Controller of a Personal Data Breach without undue delay and in accordance with Clause 9 of this DPA.
4.7 Maintain records of processing activities as required under Article 30(2) GDPR and make such records available to the Controller or a competent supervisory authority upon request.
4.8 Inform the Controller immediately if, in the Processor's opinion, an instruction infringes GDPR or other applicable Union or Member State data protection law.
5. Security Measures
5.1 The Processor shall implement the technical and organisational security measures described in Annex I, as required under Article 32 GDPR.
5.2 Security measures may evolve over time to reflect technological developments, provided that the overall level of protection afforded to Personal Data is not materially reduced. The Processor shall notify the Controller of any material reduction in security measures.
6. Sub-Processors
6.1 The Controller grants general authorization for the Processor to engage Sub-Processors, subject to the conditions set out in this Clause 6.
6.2 The current Sub-Processors engaged by the Processor are:
Last updated: March 2026
- Purpose: Database, authentication, file storage
  Data Processed: User accounts (email, name), campaign data, business leads (name, address, website), payment history, uploaded assets
  HQ: USA | Hosted: AWS eu-west-1, Ireland, EU
- Purpose: Application hosting, background job workers
  Data Processed: All data that flows through the application and its services
  HQ: USA | Hosted: EU West Metal — Amsterdam, Netherlands
- Purpose: Payment processing, billing
  Data Processed: Customer billing details, payment method data (card info handled by Stripe directly), transaction history
  HQ: USA | Hosted: USA (AWS)
- Purpose: Physical letter printing and postal delivery
  Data Processed: Business recipient names and postal addresses (of campaign leads, not end users)
  HQ: CH | Hosted: Switzerland
- Purpose: Email campaign delivery
  Data Processed: Business email addresses and business names of campaign leads
  HQ: USA | Hosted: USA
- Purpose: Business lead discovery via Google Places API
  Data Processed: Location coordinates (lat/lng) and text search queries entered by users
  HQ: USA | Hosted: USA (global Google infrastructure)
- Purpose: Email address discovery for business leads
  Data Processed: Business domain names submitted for email lookup
  HQ: FR | Hosted: GCP eu-west1, Belgium, EU
- Purpose: Transactional notification emails to platform users
  Data Processed: User email addresses, notification content (campaign stats, engagement summaries)
  HQ: USA | Hosted: EU region (api.eu.mailgun.net) — Germany, EU
- Purpose: Product analytics, user behavior tracking
  Data Processed: User session data, feature usage events, anonymized interaction data
  HQ: USA | Hosted: AWS eu-central-1, Frankfurt, Germany (eu.posthog.com)
The list of Sub-Processors is up to date and shall be updated prior to any change taking effect.
6.3 Before engaging a new Sub-Processor or replacing an existing one, the Processor shall notify the Controller in writing at least thirty (30) days in advance, with sufficient detail to allow the Controller to assess the data protection implications of the change.
6.4 The Controller may object to the engagement of a new Sub-Processor within thirty (30) days of receiving notification, provided the objection is based on reasonable and documented data protection grounds. If the Controller raises a legitimate objection and the Parties are unable to resolve the matter within a further thirty (30) days, the Controller may terminate the affected services without penalty. Any unused non-expired Credits shall be refunded in accordance with Clause 4.5 of the Terms.
6.5 The Processor shall impose on each Sub-Processor data protection obligations substantially equivalent to those set out in this DPA, including in particular the obligations under Articles 28 and 32 GDPR. The Processor shall remain fully responsible to the Controller for the performance of each Sub-Processor's obligations.
7. International Transfers
7.1 Transfers to Switzerland rely on the European Commission adequacy decision pursuant to Article 45 GDPR. The Processor shall monitor the continuing validity of this decision and shall implement alternative safeguards without delay in the event that it is revoked, suspended, or materially amended.
7.2 Transfers to the United States rely on Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
7.3 The applicable SCC Modules are as follows:
- Module 2 (Controller to Processor) applies to transfers from the Controller to the Processor where the Processor is established outside the EEA.
- Module 3 (Processor to Processor) applies to transfers from the Processor to Sub-Processors established outside the EEA, including Instantly and Mailgun.
7.4 Where SCCs apply:
- (a) German law governs the SCCs where permitted under the applicable module;
- (b) the information in this DPA and Annex I shall be deemed to complete the relevant Annexes to the SCCs;
- (c) the competent supervisory authority is the data protection authority of the Member State in which the Controller is established, or where applicable the German supervisory authority.
7.5 The Processor shall conduct transfer impact assessments (TIAs) where required under applicable EDPB guidance and shall implement supplementary measures if necessary to ensure an essentially equivalent level of protection to that guaranteed within the EEA.
8. Data Subject Rights Assistance
The Processor shall assist the Controller in responding to data subject rights requests as follows:
- Provide technical functionality enabling the identification, retrieval, correction, restriction, and deletion of Personal Data held within the Platform;
- Notify the Controller without undue delay, and in any event within five (5) business days, upon receiving a direct request from a data subject, and not respond to such a request independently unless legally required to do so;
- Provide assistance with requests relating to: access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21);
- Provide such assistance within a timeframe that allows the Controller to meet its own response deadlines under applicable law (generally one month from receipt of the request pursuant to Article 12 GDPR).
9. Personal Data Breach
9.1 The Processor shall notify the Controller of a Personal Data Breach without undue delay and, where feasible, within forty-eight (48) hours of becoming aware of the breach, so as to allow the Controller sufficient time to fulfill its notification obligations under Article 33 GDPR (which requires notification to the competent supervisory authority within seventy-two (72) hours of becoming aware).
9.2 The notification shall include, to the extent available at the time of notification:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of data subjects and personal data records affected;
- The name and contact details of the Processor's data protection contact point;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
9.3 Where all required information is not available at the time of initial notification, the Processor shall provide such information in phases without undue further delay.
9.4 The Processor shall cooperate fully with the Controller in the investigation, mitigation, and remediation of the breach, and in any required notifications to supervisory authorities or affected data subjects.
10. Audit Rights
10.1 The Controller may request documentation and information from the Processor demonstrating compliance with this DPA and applicable data protection law, including the obligations under Article 28 GDPR.
10.2 Standard audits are subject to the following conditions:
- Maximum one (1) audit per calendar year;
- Conducted during normal business hours with minimum disruption to the Processor's operations;
- With at least thirty (30) days' prior written notice;
- At the Controller's expense, unless the audit reveals material non-compliance attributable to the Processor, in which case costs shall be borne by the Processor.
10.3 Where available, third-party certifications (e.g., ISO 27001, SOC 2) or independent audit reports may be provided by the Processor in satisfaction of an audit request, at the Processor's reasonable discretion.
10.4 In the event of a Personal Data Breach or an investigation by a competent supervisory authority, the Controller may request an additional audit with reasonable shorter notice, proportionate to the urgency of the circumstances.
11. Deletion or Return of Data
11.1 Upon termination of the Terms or upon the Controller's written request, the Processor shall, at the Controller's choice:
- Delete all Personal Data processed on behalf of the Controller and provide written confirmation of such deletion; or
- Return all Personal Data to the Controller in a commonly used, machine-readable format.
11.2 Such deletion or return shall be completed within thirty (30) to sixty (60) days of termination or the Controller's written request.
11.3 Backup copies containing Personal Data shall be deleted within the Processor's standard backup retention cycles, provided such deletion does not conflict with applicable legal retention obligations.
11.4 Where applicable law requires the Processor to retain certain Personal Data beyond termination, the Processor shall notify the Controller in writing and shall restrict processing of such data solely to the purposes required by such law.
12. Liability
12.1 Liability under this DPA is subject to the limitations set out in Clause 14 of the Terms, except where such limitation is not permitted under applicable law.
12.2 In accordance with Article 82(2) GDPR, each Party shall be liable for damage caused by processing in breach of this DPA or applicable data protection law to the extent that it is responsible for such breach. Where both Parties contribute to a breach, each shall be liable in proportion to their respective responsibility for the damage caused.
12.3 Nothing in this Clause limits liability where such limitation is prohibited under GDPR or other applicable mandatory law.
13. Governing Law
13.1 This DPA is governed by the laws of Germany, consistent with Clause 19 of the Terms. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Berlin, Germany.
ANNEX I
TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)
Pursuant to Article 32 GDPR | Incorporated into Annex A (DPA)
The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.
1. Access Control
- Role-based access control (RBAC) ensuring Personal Data is accessible only to personnel with a legitimate operational need;
- Least privilege principle applied to all system and administrative accounts;
- Multi-factor authentication (MFA) required for all administrative and privileged accounts;
- Technically enforced password policies (minimum complexity, rotation requirements);
- Access rights reviewed and revoked promptly upon change of role or termination of employment;
- Access logs maintained and subject to periodic review.
2. Data Transmission Security
- TLS 1.2 or higher enforced for all data in transit across all Platform interfaces;
- Encrypted API connections for all Platform integrations and Sub-Processor communications;
- Secure file transfer protocols applied to all data transmitted to Sub-Processors;
- Certificate lifecycle management to prevent use of expired or invalid certificates.
3. Data Storage Security
- Encryption at rest using AES-256 or equivalent standard for all stored Personal Data;
- Logical segregation of Customer environments to prevent cross-tenant data access;
- Secure key management, including physical and logical separation of encryption keys from encrypted data;
- Pseudonymisation applied where technically feasible and proportionate to the processing purpose.
4. Network Security
- Firewalls and network segmentation to restrict unauthorized internal and external access;
- Intrusion detection and prevention systems (IDS/IPS);
- DDoS mitigation mechanisms implemented at infrastructure level;
- Regular vulnerability scanning and penetration testing of public-facing systems.
5. Organisational Measures
- Confidentiality and data protection obligations incorporated into all employment and contractor agreements;
- Regular data protection training for all personnel with access to Personal Data;
- Designated data protection contact point responsible for DPA compliance oversight;
- Internal access logging with anomaly detection for unauthorized access attempts;
- Documented incident response plan reviewed at least annually;
- Data protection impact assessments (DPIAs) conducted for high-risk processing activities.
6. Backup & Business Continuity
- Regular encrypted backups of Personal Data and system configurations;
- Backup integrity verified through periodic restoration tests;
- Documented disaster recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO);
- Business continuity plan addressing scenarios including loss of key Sub-Processor services.
7. Data Minimisation & Purpose Limitation
- Processing limited to the categories of data and data subjects described in Annex A, Clause 3;
- No collection or retention of Personal Data beyond what is necessary for the stated processing purposes;
- Automated data retention policies applied to limit storage duration in accordance with the Terms.
Note: The current version of the Platform does not incorporate automated decision-making or profiling within the meaning of Article 22 GDPR, consistent with Clause 24 of the Terms and Conditions.
8. Endpoint & Device Security
- Company-managed devices used by personnel with access to production systems are subject to device management policies;
- Remote wipe capability enabled for devices with access to Personal Data;
- Full-disk encryption and screen lock enforced on all company-managed devices.
9. Monitoring & Testing
- Periodic security assessments conducted by internal or qualified external parties;
- Patch management processes ensuring timely application of security updates to all systems;
- Centralized logging and real-time anomaly detection for security-relevant events;
- Annual review of TOMs to assess continued adequacy against the current threat landscape and applicable regulatory guidance.