DATA PROCESSING ADDENDUM (DPA)

Last Update: 12/18/2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Use entered into between Popupsmart Inc. (“Processor”, “Popupsmart”, “we”) and the customer using the Service (“Controller”, “Customer”, “you”).

This DPA applies to the extent Popupsmart processes Personal Data on behalf of the Customer in the course of providing the Service, in accordance with applicable Data Protection Laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

1. Roles of the Parties

1.1 Controller. The Customer is the Data Controller with respect to Customer Data and determines the purposes and means of the processing.

1.2 Processor. Popupsmart acts as a Data Processor, processing Personal Data solely on behalf of and in accordance with the Customer’s documented instructions, this DPA, the Terms of Use, and the Privacy Policy.

2. Scope of Processing

2.1 Subject Matter. Processing of Personal Data submitted to or collected via the Service by the Customer.

2.2 Duration. For the duration of the Customer’s use of the Service and any additional period required under applicable law or as described in Popupsmart’s data retention practices.

2.3 Nature and Purpose.

Providing, maintaining, securing, supporting, and improving the Popupsmart Service, including campaign delivery, analytics, customer support, billing, and system security.

2.4 Types of Personal Data.

May include (depending on Customer configuration):

• Contact details (e.g. email address)
• Online identifiers (e.g. cookies, IP address)
• Campaign interaction data
• Technical and usage data

2.5 Categories of Data Subjects.

• Customer’s website visitors
• Leads and end users
• Customer representatives and account users

3. Processing Instructions

3.1 Popupsmart shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to third countries, unless required by applicable law.

3.2 If Popupsmart believes an instruction violates Data Protection Laws, it shall inform the Customer without undue delay.

4. Confidentiality

Popupsmart ensures that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

5. Security Measures (TOMs)

5.1 Popupsmart implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

5.2 Such measures include, where appropriate:

• Access controls and least-privilege principles
• Encryption in transit where applicable
• Network and infrastructure security
• Monitoring and incident detection
• Employee confidentiality and security training

Further details may be described in Popupsmart’s internal security documentation.

6. Sub-processors

6.1 The Customer grants Popupsmart general authorization to engage sub-processors to assist in providing the Service.

6.2 Popupsmart ensures that any sub-processor is subject to data protection obligations no less protective than those set out in this DPA.

6.3 A current list of sub-processors may be provided upon request or published on Popupsmart’s website.

6.4 Popupsmart remains fully responsible for the performance of its sub-processors.

7. International Data Transfers

7.1 Where Personal Data is transferred outside the EEA, Popupsmart ensures appropriate safeguards in accordance with Data Protection Laws, including:

• Standard Contractual Clauses approved by the European Commission, where applicable; or
• Other lawful transfer mechanisms.

7.2 Upon request, Popupsmart will provide information regarding applicable transfer safeguards.

8. Data Subject Requests

8.1 Popupsmart shall, to the extent legally permitted, promptly notify the Customer of any request received directly from a Data Subject relating to Personal Data.

8.2 Popupsmart shall reasonably assist the Customer in fulfilling Data Subject rights requests, taking into account the nature of the processing and information available.

9. Personal Data Breach

9.1 Popupsmart shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.

9.2 The notification shall include, to the extent available:

• Description of the breach
• Likely consequences
• Measures taken or proposed to mitigate effects

9.3 Popupsmart shall cooperate with the Customer in complying with breach notification obligations.

10. Deletion or Return of Data

10.1 Upon termination or expiration of the Service, Popupsmart shall delete or anonymize Customer Data in accordance with its retention practices, unless retention is required by law.

10.2 At the Customer’s request and where technically feasible, Popupsmart will provide a reasonable opportunity to export Customer Data prior to deletion.

11. Audits

11.1 Upon reasonable written request, Popupsmart shall make available information necessary to demonstrate compliance with this DPA.

11.2 Any audit shall:

• be limited to once per year unless required by law;
• be subject to confidentiality obligations;
• not unreasonably disrupt Popupsmart’s operations.

12. Liability

12.1 Liability under this DPA is subject to the limitations of liability set forth in the Terms of Use, unless prohibited by applicable law.

13. Governing Law

This DPA shall be governed by the same governing law and jurisdiction as the Terms of Use.

14. Order of Precedence

In the event of a conflict:

1. This DPA
2. Privacy Policy
3. Terms of Use

shall prevail in that order, solely with respect to data protection matters.

15. Contact

For data protection inquiries related to this DPA:

Email: [email protected]

ANNEX III – LIST OF SUB-PROCESSORS

Popupsmart may engage the following sub-processors to assist in providing the Service. Each sub-processor is subject to contractual data protection obligations no less protective than those set out in this DPA.