This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Stupar Enterprises LLC (“Processor,” “we,” “us”) and the customer entity identified at execution (“Controller,” “Customer,” “you”) (each a “Party,” collectively the “Parties”) and governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.
This DPA is incorporated by reference into and forms part of the Terms of Service available at userevenueos.com/terms (the “Agreement”). Capitalized terms not defined here have the meanings given in the Agreement.
1. Definitions
“Applicable Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and the comprehensive privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Nebraska, Minnesota, Maryland, Rhode Island, Indiana, Tennessee, Kentucky, and any analogous law in effect.
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Special Categories of Personal Data” have the meanings given in the GDPR. “Sale,” “Share,” “Service Provider,” “Business,” and “Sensitive Personal Information” have the meanings given in the CCPA/CPRA.
“Customer Personal Data” means Personal Data that the Processor Processes on behalf of the Controller in providing the Services, as described in Annex I.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller-to-processor).
“UK Addendum” means the International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner's Office.
“Subprocessor” means any third party engaged by the Processor to Process Customer Personal Data on behalf of the Controller.
2. Roles and Scope
The Parties acknowledge that with respect to Customer Personal Data: (a) the Controller is the controller (or “business” under CCPA/CPRA); (b) the Processor is the processor (or “service provider” under CCPA/CPRA); and (c) each Party shall comply with its respective obligations under Applicable Data Protection Laws.
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I.
This DPA applies only to Processing carried out by the Processor on behalf of the Controller in the course of providing the Services. It does not apply to Personal Data that the Processor processes as a controller in its own right (for example, account administration, billing, security, and marketing of its own services), which is governed by the Privacy Policy at userevenueos.com/privacy.
3. Processor Obligations
The Processor shall:
(a) Process Customer Personal Data only on the documented instructions of the Controller. The Agreement, this DPA, the Order Form, and the Controller's lawful configuration and use of the Services constitute the Controller's documented instructions. The Processor shall notify the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws (without obligation to monitor for compliance);
(b) Ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations;
(c) Implement and maintain the technical and organizational measures set out in Annex II to ensure a level of security appropriate to the risk, including the measures referred to in GDPR Article 32;
(d) Engage Subprocessors only in accordance with Section 5;
(e) Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Laws;
(f) Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of Processing and the information available to the Processor;
(g) At the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of the Services relating to Processing, and delete existing copies unless retention is required by law (see Section 9);
(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and allow for and contribute to audits conducted by the Controller or another auditor mandated by the Controller, subject to Section 7.
4. CCPA/CPRA Service Provider Certification
To the extent the Processor Processes Personal Information (as defined in the CCPA/CPRA) on behalf of the Controller, the Processor certifies that it shall not:
(a) Sell or Share the Personal Information;
(b) Retain, use, or disclose the Personal Information for any purpose other than the specific purpose of performing the Services specified in the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the Services;
(c) Retain, use, or disclose the Personal Information outside of the direct business relationship between the Processor and the Controller; or
(d) Combine the Personal Information that the Processor receives from or on behalf of the Controller with Personal Information that it receives from or on behalf of another person, or that it collects from its own interaction with a Data Subject, except as expressly permitted by the CCPA/CPRA.
The Processor shall notify the Controller promptly if it determines that it can no longer meet its obligations under the CCPA/CPRA. The Controller has the right to take reasonable and appropriate steps under the CCPA/CPRA to ensure that the Processor uses Personal Information in a manner consistent with the Controller's obligations.
5. Subprocessors
The Controller authorizes the Processor to engage the Subprocessors listed at userevenueos.com/subprocessors (the “Subprocessor List”).
The Processor shall: (a) impose on each Subprocessor data protection obligations no less protective than those in this DPA, by way of a written contract; and (b) remain fully liable to the Controller for the performance of each Subprocessor's obligations.
The Processor shall provide at least thirty (30) days' advance notice of any intended addition or replacement of a Subprocessor by updating the Subprocessor List. The Controller may subscribe to notifications at userevenueos.com/subprocessors. The Controller may object to a new Subprocessor on reasonable data protection grounds by providing written notice to support@jordanstupar.com within the notice period. If the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected portion of the Services without penalty as the sole remedy, and the Processor shall refund any prepaid, unused fees for the affected portion.
6. International Data Transfers
To the extent the Processor Processes Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland and transfers it to a country not deemed adequate by the European Commission (or equivalent authority), the Parties agree that:
(a) The Standard Contractual Clauses (Module Two: controller-to-processor) are hereby incorporated into this DPA by reference and apply to such transfers, with the Controller as data exporter and the Processor as data importer. The optional Clause 7 (docking) is included. Clause 9(a) Option 2 (general written authorization) applies, with the time period for prior notice of Subprocessor changes set at thirty (30) days. Clause 11(a) optional language is not included. The governing law under Clause 17 is the law of Ireland. The competent supervisory authority under Clause 18(b) is the Irish Data Protection Commission. Annex I.A, I.B, I.C, II, and III to the SCCs are populated by Annexes I and II of this DPA.
(b) For transfers subject to the UK GDPR, the UK Addendum is incorporated by reference and supplements the SCCs as applied to UK transfers.
(c) For transfers subject to Swiss data protection law, the SCCs apply with the following modifications: references to the GDPR are deemed to include the Swiss Federal Act on Data Protection; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; the governing law under Clause 17 is Swiss law; and Data Subjects in Switzerland are entitled to the same protections.
(d) The Processor shall: (i) promptly notify the Controller of any legally binding request for disclosure of Customer Personal Data by a law enforcement or governmental authority, unless prohibited by law; (ii) challenge any such request that is not in accordance with applicable law; and (iii) make available transparency information sufficient for the Controller to assess transfer risk on request.
(e) The Processor maintains supplementary technical, organizational, and contractual measures to support the level of protection of transferred Personal Data, as described in Annex II.
In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
7. Audits
The Controller, or an independent auditor mandated by the Controller, may audit the Processor's compliance with this DPA, subject to the following conditions:
(a) Audits shall be conducted at the Controller's expense, on at least thirty (30) days' prior written notice, during regular business hours, in a manner that does not unreasonably interfere with the Processor's operations, and subject to the Processor's reasonable confidentiality and security requirements;
(b) Audits shall not occur more than once per twelve-month period, except where required by a supervisory authority or where reasonably justified by a confirmed security incident affecting Customer Personal Data;
(c) The auditor must not be a competitor of the Processor and must enter into a written confidentiality agreement reasonably acceptable to the Processor;
(d) Audit reports are the Confidential Information of both Parties and may not be disclosed to any third party except as required by law or to a supervisory authority;
(e) Before exercising audit rights, the Controller shall first review any third-party audit reports, penetration test summaries, security certifications, and compliance documentation made available by the Processor, which the Parties agree shall be sufficient to demonstrate compliance unless they fail to address the specific subject of the audit;
(f) Audit findings shall be discussed in good faith between the Parties, and any remediation shall be subject to commercially reasonable terms.
8. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall, to the extent known at the time, include:
(a) The nature of the Personal Data Breach, including categories and approximate number of Data Subjects and records concerned;
(b) The likely consequences of the breach;
(c) The measures taken or proposed by the Processor to address the breach and mitigate its possible adverse effects;
(d) The name and contact details of a point of contact for further information.
The Processor may provide information in phases as facts become known. The Processor shall reasonably assist the Controller in fulfilling its own breach notification obligations to supervisory authorities and Data Subjects. Notification of a Personal Data Breach is not an admission of fault or liability by the Processor.
9. Return or Deletion of Customer Personal Data
Upon termination or expiration of the Services, the Processor shall, at the Controller's written election, delete or return all Customer Personal Data within sixty (60) days of the request. The Processor shall thereafter delete all existing copies, except to the extent retention is: (a) required by Applicable Data Protection Laws or other applicable law; (b) necessary to defend legal claims; or (c) contained in routine backups, which shall be overwritten in the ordinary course and protected from unauthorized access during the interim. The Processor shall, upon written request, certify deletion.
10. Data Protection Impact Assessments
The Processor shall, taking into account the nature of Processing and the information available, provide reasonable assistance to the Controller with any data protection impact assessment and prior consultation with supervisory authorities required under GDPR Articles 35 and 36. The Processor may charge reasonable fees for assistance that goes materially beyond responding to the Controller's request for documentation already maintained by the Processor.
11. Data Subject Requests
The Processor shall, taking into account the nature of Processing and to the extent technically feasible, assist the Controller by appropriate technical and organizational measures for the fulfilment of the Controller's obligation to respond to Data Subject requests under Applicable Data Protection Laws. Where a Data Subject submits a request directly to the Processor, the Processor shall, where possible, refer the Data Subject to the Controller.
12. Liability
The liability of each Party under and in connection with this DPA shall be governed by, and subject to, the limitations and exclusions of liability set forth in the Agreement. For the avoidance of doubt, the liability cap in the Agreement applies in the aggregate to all claims arising under the Agreement and this DPA combined, including any claim arising under the SCCs to the maximum extent permitted by law.
The Parties agree that any monetary compensation due to a Data Subject under the SCCs or applicable law shall be a recoverable damage subject to the liability framework of the Agreement, not in addition to it.
13. Term and Termination
This DPA takes effect on the later of: (a) the effective date of the Agreement; or (b) the date of click-to-execute or signed acceptance of this DPA. It remains in effect for the duration of the Agreement and survives termination to the extent necessary to complete the return or deletion of Customer Personal Data and to enforce obligations that by their nature survive.
14. Order of Precedence
In the event of conflict between the documents governing the Parties' relationship, the order of precedence is: (i) the SCCs (where they apply); (ii) this DPA; (iii) the Agreement; (iv) the Privacy Policy; (v) the Subprocessor List.
15. Governing Law and Disputes
Except for the SCCs (which are governed by the laws specified in Clause 17 thereof), this DPA is governed by the law of the State of Wisconsin and disputes are subject to the dispute resolution provisions of the Agreement.
16. Miscellaneous
This DPA, together with the Agreement, constitutes the entire agreement of the Parties with respect to the Processing of Customer Personal Data. If any provision is held invalid or unenforceable, it shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall remain in full force. Headings are for convenience only.
Annex I — Description of Processing
A. List of Parties
Data Exporter (Controller): The Customer entity identified at execution.
Data Importer (Processor): Stupar Enterprises LLC, a Wisconsin limited liability company, United States.
B. Description of Transfer
Categories of Data Subjects
The Customer's Authorized Users (sales representatives, managers, owners, administrators) and any natural persons whose Personal Data is included in Customer Content (including prospects, customers, and end users of the Customer whose communications are recorded, transcribed, or analyzed through the Services).
Categories of Personal Data
- Identification and contact data (name, work email, phone, job title);
- Account credentials (hashed passwords, session tokens);
- Employment and organizational data (role, manager assignments, team structure);
- Communications and content data (call audio, transcripts, messages, training submissions, role play recordings);
- Usage and analytics data (logins, feature usage, performance metrics, Compliance Scores);
- CRM-derived data (contact, deal, and activity data from connected CRMs);
- Technical data (IP addresses, device identifiers, browser data, logs).
Special Categories of Personal Data
The Services are not designed to Process Special Categories of Personal Data. The Controller shall not upload Special Categories of Personal Data except where strictly necessary, with appropriate safeguards consistent with Applicable Data Protection Laws, and on advance written notice to the Processor.
Frequency of Transfer
Continuous, for the duration of the Agreement.
Nature of Processing
Hosting, storage, transmission, transcription (audio-to-text), AI scoring and analysis, indexing, retrieval, display, deletion.
Purpose
Provision of the Services as described in the Agreement, including sales coaching, compliance scoring, training management, call analysis, role play scoring, messaging, and CRM-linked analytics.
Retention
Audio recordings are retained for ninety (90) days from upload. Transcripts and other Customer Personal Data are retained for the duration of the Agreement and deleted in accordance with Section 9 of this DPA, subject to legal retention requirements.
C. Competent Supervisory Authority
For transfers from the EEA: the Irish Data Protection Commission.
For transfers from the UK: the UK Information Commissioner's Office.
For transfers from Switzerland: the Swiss Federal Data Protection and Information Commissioner.
Annex II — Technical and Organizational Measures
The Processor implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk:
1. Pseudonymization and Encryption
- TLS 1.2 or higher for all data in transit;
- Encryption at rest for all stored Personal Data at the database and storage layer (AES-256 or equivalent);
- Hashed and salted password storage; no plaintext password retention;
- Secret management via dedicated secret stores; secrets not stored in source control;
- Constant-time comparison for secret-bearing endpoints (cron, webhook).
2. Confidentiality, Integrity, Availability, and Resilience
- Row-Level Security on every multi-tenant database table to enforce organization isolation;
- Role-based access controls; least-privilege provisioning for personnel;
- Multi-factor authentication required for administrative access;
- HMAC-SHA256 signature verification on all inbound webhooks from third-party services;
- Daily automated backups of production data; point-in-time recovery available;
- Geographically redundant infrastructure via Vercel and Supabase production tiers;
- Monitoring and alerting on application performance, error rates, and security events.
3. Process for Regularly Testing, Assessing, and Evaluating
- Annual security audit covering API authentication, RLS policies, npm dependency CVEs, secret exposure, input validation, HTML sanitization, and atomic operations;
- Continuous dependency vulnerability scanning;
- Regular penetration testing, with scope reviewed annually;
- Quarterly review of access controls and personnel authorization.
4. Measures for Identifying Vulnerabilities and Personal Data Breaches
- Centralized error and security event logging;
- Audit trail for administrator and security-relevant events;
- Breach response runbook with named owner and 72-hour Controller notification commitment.
5. Measures for Data Quality, Minimization, and Storage Limitation
- Configurable data retention by tier; audio default 90 days with automated deletion;
- Subprocessor list maintained at userevenueos.com/subprocessors with 30-day advance notice for changes;
- De-identification and aggregation where used for analytics, benchmarking, and product improvement.
6. Measures for Accountability
- Designated point of contact for Data Subject and Controller requests: support@jordanstupar.com;
- Data Processing Agreement with each Subprocessor imposing equivalent protections;
- Records of Processing activities maintained internally.
7. Transfer Mechanism Supplementary Measures
- US-only Processing infrastructure;
- Contractual challenge of unlawful government requests;
- Transparency reporting on legally binding access requests, subject to legal restrictions.