
Data Processing Agreement

Last updated: April 27, 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions ("Agreement") entered into between Advertia LLC ("Owner", "Processor", or "We") and the User of www.fondaro.com (the "Customer" or "Controller"). It applies to the extent that the Owner Processes Personal Data on behalf of the Customer in the course of providing the Service.

If you are a User to whom data protection law applies, in particular the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection ("FADP") or comparable laws, this DPA is automatically incorporated into your Agreement and applies whenever you use the Service. No signature is required: by using the Service, you accept this DPA on behalf of your organization.

A countersigned copy of this DPA is available on request from privacy@fondaro.com.

Owner and Processor

Advertia LLC
8 The Green, Suite A
Dover, DE 19901
United States

General contact: support@fondaro.com
Privacy contact: privacy@fondaro.com

Introduction

The Customer makes use of the Service to host, manage and process information about its leads, clients, employees and other contacts ("Customer Personal Data"). Some of that information is Personal Data within the meaning of Data Protection Law. With respect to such Personal Data:

  • The Customer acts as the Controller (or, where applicable, as a Processor on behalf of a third-party Controller).
  • The Owner acts as the Processor (or sub-Processor) and Processes Personal Data only on the Customer's documented instructions.

This DPA sets out the terms on which the Owner Processes Customer Personal Data on the Customer's behalf, in compliance with Article 28 of the GDPR and equivalent provisions of other applicable Data Protection Laws.

This DPA does not apply to:

  • Personal Data that the Customer provides to the Owner about the Customer's own representatives, such as account administrators, which the Owner Processes as an independent Controller and which is governed by the Privacy Policy.
  • Aggregate or de-identified usage data that does not directly or indirectly identify any natural person.

Order of Precedence

In the event of a conflict between this DPA and the Terms and Conditions or any other agreement between the parties, the following order of precedence applies, from highest to lowest:

  1. The Standard Contractual Clauses (where incorporated by reference under the "International Data Transfers" section), in respect of matters they govern
  2. This DPA
  3. The Terms and Conditions and Privacy Policy
  4. Any order form, online sign-up flow or other ancillary document

Roles of the Parties

The parties acknowledge and agree that, with respect to Customer Personal Data:

  • The Customer is the Controller. The Customer determines the purposes and means of the Processing, including the lawful basis on which Personal Data is collected from data subjects, the content of communications sent to data subjects, and how the Customer's organization uses the Service.
  • The Owner is the Processor. The Owner Processes Personal Data on the Customer's behalf and only as instructed under this DPA, the Agreement and the configuration of the Service.

If the Customer is itself acting as a Processor on behalf of a third-party Controller, for example where the Customer is an agency processing data on behalf of a downstream client, the Customer represents and warrants that it has the authority of that Controller to engage the Owner as a sub-Processor and to bind that Controller to the terms of this DPA.

Subject Matter, Duration, Nature and Purpose

The subject matter of the Processing is the provision of the Service as described in the Agreement, namely the operation of the Fondaro customer relationship management ("CRM") platform, lead delivery, hosted website services, telephony and call recording, AI-assisted workflows, marketing automation and related functionality.

The duration of the Processing is the period during which the Customer has an active account and continues for a reasonable post-termination period as set out in the "Return and Deletion of Customer Personal Data" section of this DPA.

The nature and purpose of the Processing is to provide, maintain, secure, support and improve the Service for the Customer, including:

  • Hosting and serving the Customer's CRM and hosted website
  • Storing, retrieving, organizing and routing leads and contacts
  • Sending communications, such as email, SMS and voice, that are initiated by the Customer or by automation that the Customer has configured
  • Recording, transcribing and storing telephony interactions where enabled by the Customer
  • Providing analytics, reporting and AI-powered features that act on Customer Personal Data
  • Carrying out billing, support, abuse prevention, security monitoring and legal compliance activities

A more detailed description of the Processing, including categories of data subjects and types of Personal Data, is set out in Annex 1.

Customer Instructions

The Owner shall Process Customer Personal Data only on the documented instructions of the Customer, except where required to do otherwise by Union or Member State law to which the Owner is subject. Where such legal requirement applies, the Owner shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Customer's documented instructions consist of:

  • The Agreement, including this DPA and the Privacy Policy
  • The features, settings and configurations of the Service that the Customer activates, modifies or uses
  • Any specific written instructions agreed between the parties

If the Owner believes that any Customer instruction infringes Data Protection Law, the Owner will inform the Customer without undue delay. The Owner is not obligated to perform a legal assessment of the Customer's instructions but will use reasonable judgment to flag instructions that, on their face, appear to be unlawful.

The Customer is responsible for ensuring that:

  • It has a valid lawful basis for the Processing of Personal Data through the Service
  • It has provided all required notices to data subjects
  • Its instructions to the Owner comply with applicable Data Protection Law
  • The Personal Data it uploads or causes to be Processed through the Service does not include categories of data that the Service is not designed to handle, such as payment card data, government-issued identifiers other than as provided for in the Service, or special categories of Personal Data, unless expressly supported

Confidentiality

The Owner shall ensure that all personnel authorized to Process Customer Personal Data:

  • Are bound by appropriate written confidentiality obligations or are under a statutory duty of confidentiality
  • Have received training on the confidentiality and security of Personal Data
  • Access Customer Personal Data only on a need-to-know basis to perform their duties under the Agreement

The Owner shall not disclose Customer Personal Data to any third party except:

  • To Sub-processors authorized under this DPA
  • As required by applicable law, in which case the Owner shall, where lawful, give the Customer prior notice and the opportunity to seek a protective order
  • With the Customer's prior written consent

The Owner shall not access, use, disclose or otherwise Process Customer Personal Data for the Owner's own commercial purposes, including for the purposes of marketing the Owner's products to data subjects, training general-purpose machine-learning models, or building data products derived from a single Customer's data.

Security of Processing

The Owner shall implement appropriate technical and organizational measures ("TOMs") to ensure a level of security appropriate to the risk of the Processing, including, as appropriate:

  • The pseudonymization and encryption of Personal Data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services
  • The ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of the TOMs

A description of the Owner's current TOMs is set out in Annex 3. The Owner may update these measures from time to time, provided that the updated measures do not materially decrease the overall level of security.

The Customer is responsible for the security of Personal Data within its own environment, including the protection of account credentials, the configuration of access controls within the Service, and the secure transmission of Personal Data into the Service.

Sub-Processors

General Authorization

The Customer grants the Owner a general written authorization to engage Sub-processors to Process Customer Personal Data, subject to the conditions set out in this section.

The Owner currently uses the Sub-processors listed in Annex 2 for the activities described therein. An up-to-date list of Sub-processors is available on request to privacy@fondaro.com.

Notification of New Sub-Processors

The Owner shall provide the Customer with reasonable advance notice of the addition or replacement of any Sub-processor. Notice will be provided by email to the address designated in the Customer's account or by publication on the Owner's website. The notice period shall be no less than thirty (30) days, except in cases of urgent operational need, in which case the Owner shall provide notice as soon as reasonably practicable.

Right to Object

The Customer may object to the engagement of a new Sub-processor on reasonable grounds related to Data Protection Law by providing written notice to the Owner within thirty (30) days of the notification. If the Customer objects, the parties shall work in good faith to resolve the concern. If no resolution can be reached within a reasonable period, the Customer's exclusive remedy is to terminate the affected portion of the Service for which the Sub-processor is used, with a pro-rata refund of any prepaid fees for the unused portion of the term. Termination on this basis is not deemed a breach by either party.

Sub-Processor Obligations

The Owner shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA, in compliance with Article 28(4) GDPR. The Owner remains fully liable to the Customer for the performance of each Sub-processor's obligations under such agreement.

International Data Transfers

The Owner is established in the United States. By using the Service, the Customer acknowledges that Personal Data will be transferred to and Processed in the United States and, depending on the Sub-processors involved, in other jurisdictions outside the European Economic Area, the United Kingdom and Switzerland.

Standard Contractual Clauses (EU)

Where the Processing of Personal Data subject to the GDPR involves a transfer of that Personal Data to a country outside the European Economic Area that is not the subject of an adequacy decision by the European Commission, the parties hereby incorporate by reference the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 ("EU SCCs"), as follows:

  • Module Two (Controller to Processor) applies where the Customer is a Controller and the Owner is a Processor.
  • Module Three (Processor to Sub-Processor) applies where the Customer is itself a Processor acting on behalf of a third-party Controller and the Owner is a Sub-Processor.

For the purposes of the EU SCCs:

  • The Customer is the "data exporter" and the Owner is the "data importer".
  • Clause 7 (Docking Clause) is included.
  • Clause 9, Option 2 (general written authorization for Sub-processors), applies, with the time period for prior notice of Sub-processor changes set to thirty (30) days.
  • Clause 11 does not include the optional independent dispute resolution language.
  • Clause 17 (Governing Law), Option 1, applies, governed by the law of Ireland.
  • Clause 18 (Choice of forum and jurisdiction) refers disputes to the courts of Ireland.
  • The Annexes of the EU SCCs are populated by reference to Annex 1 (Description of the Processing), Annex 2 (Sub-processors) and Annex 3 (Technical and Organizational Measures) of this DPA. The competent supervisory authority is the supervisory authority of the EU/EEA member state in which the Customer is established or, where the Customer is not established in the EU/EEA, the Irish Data Protection Commission.

UK International Data Transfer Addendum

Where the Processing of Personal Data subject to the UK GDPR involves a transfer of that Personal Data outside the United Kingdom to a country not the subject of an adequacy decision, the parties incorporate by reference the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum") issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018, in force from 21 March 2022.

For the purposes of the UK Addendum:

  • The EU SCCs as incorporated under this DPA form the "Approved EU SCCs" referenced in the UK Addendum.
  • The "Start Date" is the date the Customer first accepted this DPA.
  • Tables 1 to 4 of the UK Addendum are populated by reference to the parties, the Annexes of this DPA, and the choices set out above.
  • Either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

Switzerland

For transfers of Personal Data subject to the Swiss FADP from Switzerland to a third country not the subject of an adequacy decision recognized by Switzerland, the EU SCCs as incorporated under this DPA apply with the following modifications:

  • References to the GDPR are deemed to include the FADP.
  • References to the European Commission and EU member-state supervisory authorities are deemed to include the Swiss Federal Data Protection and Information Commissioner ("FDPIC") to the extent the transfer is governed by the FADP.
  • References to "Member State" are interpreted to include Switzerland and to allow data subjects in Switzerland to exercise their rights in their place of habitual residence.
  • The governing law for transfers exclusively subject to the FADP is Swiss law.

Onward Transfers

The Owner shall not transfer Customer Personal Data to any further recipient outside the EEA, UK or Switzerland (as applicable) unless: (a) such transfer is subject to an adequacy decision; (b) the recipient has entered into the EU SCCs, or an equivalent valid transfer mechanism, with the Owner; or (c) another lawful transfer mechanism applies, such as binding corporate rules or a derogation under Article 49 GDPR.

Transfer Impact Assessment

The Owner has carried out a transfer impact assessment in respect of transfers of Personal Data to the United States. The assessment, including supplementary measures, is available to the Customer on request to privacy@fondaro.com.

Assistance with Data Subject Rights

The Owner shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Law, including rights of access, rectification, erasure, restriction, portability and objection.

The Owner provides standard self-service tools within the Service that enable the Customer to retrieve, correct, export and delete Personal Data without the Owner's intervention. To the extent these tools are not sufficient to allow the Customer to fulfill a data subject request, the Owner will provide reasonable additional assistance on request.

If a data subject contacts the Owner directly with a request relating to Personal Data Processed on behalf of the Customer, the Owner will:

  • Promptly forward the request to the Customer
  • Not respond to the request other than to acknowledge receipt and direct the data subject to the Customer, except as required by law

The Customer is responsible for handling and responding to data subject requests in accordance with Data Protection Law.

Personal Data Breach Notification

The Owner shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include, to the extent then known, the information required by Article 33(3) GDPR, including:

  • A description of the nature of the Breach, including, where possible, the categories and approximate number of data subjects and Personal Data records affected
  • The name and contact details of the Owner's data protection contact
  • A description of the likely consequences of the Breach
  • A description of the measures taken or proposed to be taken to address the Breach and to mitigate its possible adverse effects

The Owner shall provide ongoing updates to the Customer as additional information becomes available.

The Owner's notification of, or response to, a Personal Data Breach under this section is not an acknowledgment of fault or liability with respect to the Breach.

The Customer is solely responsible for notifying its supervisory authority and affected data subjects to the extent required by Data Protection Law.

Data Protection Impact Assessments

The Owner shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Article 35 or 36 GDPR, taking into account the nature of the Processing and the information available to the Owner.

The Owner may charge a reasonable fee for assistance that goes beyond the support available through standard documentation, the Service's self-service tools, or the Customer's account team.

Audit Rights

The Owner shall make available to the Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

The Customer agrees that audit rights under this DPA and the EU SCCs are satisfied by the Owner providing one or more of the following:

  • Existing third-party certifications, audit reports or attestations, such as SOC 2, ISO 27001 or ISO 27701, covering the Service
  • Written responses to reasonable security and compliance questionnaires
  • Such other information as the Owner reasonably considers sufficient to demonstrate compliance

If, after reviewing the materials above, the Customer reasonably believes that further audit is required to verify compliance with this DPA, the Customer may request an on-site audit, subject to the following conditions:

  • The audit shall be conducted not more than once per year, except where required by a supervisory authority or following a confirmed Personal Data Breach
  • The Customer shall provide the Owner with at least sixty (60) days' prior written notice
  • The auditor shall be a mutually agreed independent third party bound by confidentiality obligations no less protective than those in this DPA, and shall not be a competitor of the Owner
  • The audit shall take place during business hours, shall not unreasonably interfere with the Owner's operations, and shall be conducted in accordance with the Owner's reasonable safety, security and confidentiality requirements
  • The audit shall not require access to information of any other customer of the Owner or to information that the Owner is legally prohibited from disclosing
  • The Customer shall bear the costs of the audit, including reimbursement of the Owner's reasonable costs incurred in supporting the audit, except in the case of a confirmed material breach of this DPA by the Owner
  • The Customer shall provide the Owner with a copy of the audit report, which shall be the Confidential Information of both parties

Return and Deletion of Customer Personal Data

Upon termination or expiration of the Agreement, or upon the Customer's earlier request, the Owner shall, at the Customer's choice:

  • Return all Customer Personal Data Processed under this DPA in a structured, commonly used and machine-readable format reasonably available within the Service; or
  • Delete all Customer Personal Data Processed under this DPA

unless storage of the Personal Data is required by Union or Member State law to which the Owner is subject. The Owner shall complete deletion within ninety (90) days of termination or the Customer's instruction, except for backup copies, which shall be deleted in accordance with the Owner's standard backup retention schedule, currently no longer than twelve (12) months, and which shall remain isolated from production systems and protected from further Processing during that period.

The Owner is not obligated to retain or provide access to Customer Personal Data after termination beyond the periods set out above. The Customer is responsible for exporting any Personal Data it requires before termination using the export tools provided in the Service.

Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Any limitation of the parties' liability under the Agreement applies in aggregate to the parties' liability under both the Agreement and this DPA, and not separately to each.

For the avoidance of doubt, this section does not limit either party's liability to data subjects under the third-party-beneficiary clauses of the EU SCCs.

Term and Termination

This DPA shall remain in effect for the duration of the Agreement and, with respect to provisions that by their nature are intended to survive, including those relating to confidentiality, return and deletion of Personal Data, audit, liability and governing law, shall survive termination for so long as the Owner Processes Customer Personal Data.

This DPA terminates automatically on termination or expiration of the Agreement. Termination of this DPA does not affect the parties' obligations with respect to Customer Personal Data that the Owner is required to retain by law.

Updates to This DPA

The Owner may update this DPA from time to time:

  • To reflect changes in Data Protection Law or guidance from supervisory authorities
  • To reflect changes in the Service, the Owner's Sub-processors or its security measures
  • To improve clarity, fix errors or harmonize language across customer agreements

The Owner will notify the Customer of material changes by email or by posting an updated version on the Owner's website with a revised "Last updated" date. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the updated terms. Where required by Data Protection Law, the Owner will obtain the Customer's affirmative consent before applying material changes to the Customer.

The Owner shall not update this DPA in a way that materially decreases the protections afforded to Customer Personal Data without the Customer's consent.

Governing Law

The governing law of this DPA is the law of the State of Delaware, United States, except:

  • Where Data Protection Law otherwise requires, for example the EU SCCs are governed by the law of Ireland
  • Where the Customer is established in the European Union, this DPA shall be governed by the law of the country in which the Customer is established
  • Where the Customer is established in the United Kingdom, this DPA shall be governed by the laws of England and Wales

Definitions

Capitalized terms used in this DPA but not defined herein have the meanings set out in the Terms and Conditions, the Privacy Policy or in Data Protection Law.

  • Controller has the meaning given in Article 4(7) GDPR.
  • Customer Personal Data means Personal Data that the Owner Processes on behalf of the Customer in the course of providing the Service.
  • Data Protection Law means all laws and regulations applicable to the Processing of Personal Data, including the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA") and any other applicable law.
  • EU SCCs means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
  • GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • Personal Data has the meaning given in Article 4(1) GDPR.
  • Personal Data Breach has the meaning given in Article 4(12) GDPR.
  • Process / Processing / Processed has the meaning given in Article 4(2) GDPR.
  • Processor has the meaning given in Article 4(8) GDPR.
  • Sub-processor means any third party engaged by the Owner to Process Customer Personal Data on behalf of the Customer.
  • Supervisory Authority has the meaning given in Article 4(21) GDPR.

Annex 1: Description of the Processing

A. Categories of Data Subjects

Personal Data Processed under this DPA may relate to the following categories of data subjects:

  • The Customer's leads, prospective clients and clients
  • The Customer's employees, contractors, agents and authorized users of the Service
  • Individuals who interact with the Customer's hosted website, forms or marketing campaigns
  • Individuals who are parties to telephone calls placed or received through the Service where the Customer has enabled telephony features
  • Other individuals whose Personal Data is uploaded to or generated within the Service by the Customer

B. Categories of Personal Data

The Customer determines the categories of Personal Data Processed in the course of using the Service. These typically include:

  • Identification and contact data, such as name, email, phone and address
  • Demographic and geographic data, such as city, state, country and language
  • Lead-qualification data, such as budget, timeline, property preferences and similar information provided by the data subject
  • Communications data, such as email content, SMS content, call recordings, voicemails, transcripts, chat messages and AI-generated drafts
  • Account and authentication data for authorized users, such as user IDs, login timestamps and role assignments
  • Usage and activity data within the Service, such as pages viewed, actions taken and integrations used
  • Behavioral and engagement data, such as campaign opens, clicks, replies and status changes
  • Technical data, such as IP address, device and browser metadata and cookie identifiers

The Customer shall not Process special categories of Personal Data within the meaning of Article 9 GDPR, or Personal Data relating to criminal convictions and offenses within the meaning of Article 10 GDPR, through the Service unless the Service has been configured to support such Processing and the Customer has a valid lawful basis to do so.

C. Nature and Purpose of the Processing

The nature and purpose of the Processing is the operation of the Fondaro CRM and related Services, as further described in the body of this DPA and in the Terms and Conditions.

D. Frequency and Duration

The Processing is continuous for the duration of the Agreement. Personal Data is retained for the duration of the Customer's use of the Service and is deleted in accordance with the "Return and Deletion of Customer Personal Data" section of this DPA.

E. Subject Matter of the Processing by Sub-Processors

Each Sub-processor Processes Personal Data only for the purposes set out in Annex 2.

Annex 2: Sub-Processors

The Owner engages the Sub-processors listed below to support the provision of the Service. The Customer's authorization to use these Sub-processors is granted upon acceptance of this DPA. An up-to-date list is available on request to privacy@fondaro.com.

Sub-processor | Activity | Location
Vercel Inc. | Frontend hosting and edge delivery | United States
DigitalOcean, LLC | Backend infrastructure: managed Kubernetes, databases and object storage (Spaces) | European Union (Frankfurt)
Cloudflare, Inc. | Content delivery network, DDoS protection and bot management | Global edge with US headquarters
Clerk, Inc. | User authentication and identity management | United States
Stripe, Inc. | Payment processing and billing | United States
Twilio Inc. | Telephony, SMS, voice routing and call recording infrastructure | United States
Resend, Inc. | Transactional email delivery | United States
Anthropic, PBC | Large language model services for AI-assisted features | United States
Google LLC | Generative AI (Gemini), Maps, web analytics (Google Analytics 4) | United States
Sanity ApS | Content management system for marketing content | European Union (Denmark)
Functional Software, Inc. (Sentry) | Error monitoring and performance telemetry | United States
Meta Platforms, Inc. | Marketing pixel and conversion tracking on the Owner's marketing website | United States

The Customer acknowledges that some Sub-processors are located in countries outside the EEA, UK or Switzerland and that transfers to those Sub-processors are governed by the "International Data Transfers" section of this DPA.

Annex 3: Technical and Organizational Measures

The Owner implements and maintains the following technical and organizational measures to protect Customer Personal Data. Specific measures may be updated from time to time, provided that the overall level of security is not materially decreased.

Encryption

  • Encryption in transit using TLS 1.2 or higher for all communications between the Service and Customer endpoints, and between Service components
  • Encryption at rest for production databases, object storage and backups using industry-standard algorithms such as AES-256

Access Control

  • Role-based access control within the Service, with permissions assigned on the principle of least privilege
  • Multi-factor authentication required for production system access by Owner personnel
  • Access to Customer Personal Data limited to personnel with a documented business need
  • Centralized identity provider for Owner personnel, with prompt deprovisioning on role change or termination
  • Periodic review of access rights

Network Security

  • Segmentation of production, staging and corporate networks
  • Web application firewall and DDoS protection at the edge
  • Intrusion detection and monitoring on production infrastructure
  • Hardened operating-system images and regular patching

Application Security

  • Secure software development lifecycle, including peer code review and automated static analysis
  • Dependency scanning and timely patching of known vulnerabilities
  • Input validation and protection against the OWASP Top 10 categories of vulnerabilities
  • Penetration testing of the Service performed periodically and following material changes

Logging and Monitoring

  • Centralized logging of authentication events, administrative actions and security-relevant events
  • Continuous monitoring of system health and security signals
  • Tamper-resistant retention of logs for a defined retention period

Backup and Disaster Recovery

  • Regular automated backups of production databases
  • Geographically separated backup storage
  • Periodic testing of backup restoration
  • Documented disaster-recovery and business-continuity procedures

Personnel Security

  • Background checks for personnel with access to production systems, where permitted by law
  • Mandatory information security and privacy training on hire and at least annually thereafter
  • Written confidentiality obligations binding all personnel

Incident Response

  • Documented incident-response plan covering detection, triage, containment, eradication, recovery and post-incident review
  • Defined escalation paths for incidents involving Personal Data
  • Customer notification procedures consistent with the "Personal Data Breach Notification" section of this DPA

Vendor and Sub-Processor Management

  • Risk-based assessment of Sub-processors before engagement
  • Written data-processing terms with each Sub-processor that handles Personal Data
  • Periodic review of Sub-processor performance and security posture

Physical Security

  • Production infrastructure hosted in data centers operated by Sub-processors that maintain industry-standard physical security controls, such as ISO 27001 or SOC 2 certified facilities
  • Physical access to corporate offices restricted to authorized personnel

Data Minimization and Purpose Limitation

  • Service features designed to collect and Process only the Personal Data necessary for the relevant purpose
  • Tools provided to Customers to delete or export Personal Data on request

This Data Processing Agreement relates solely to this Application, if not stated otherwise within this document.
