Data Processing Addendum

Last updated May 10, 2026

This Data Processing Addendum ("DPA") supplements the Kitbees Terms and Conditions and any applicable order form or written agreement between Kitbees Inc., a Delaware C Corporation ("Kitbees"), and the applicable customer entity ("Customer"). This DPA applies only when Kitbees processes Customer Personal Data on behalf of Customer as a processor, service provider, or contractor.

If there is a conflict between this DPA and the Terms regarding Customer Personal Data, this DPA controls to the extent of the conflict. This DPA does not apply to Kitbees' independent-controller processing described in the Privacy Policy, including public or licensed creator intelligence, billing, fraud prevention, security, product analytics, deidentified analytics, and Kitbees' own business operations.

1. Definitions

  • "Customer Personal Data" means Personal Data that Kitbees processes on behalf of Customer through the Services.
  • "Data Protection Law" means applicable laws governing the processing of Customer Personal Data under this DPA, including where applicable the GDPR, UK GDPR, Swiss FADP, and U.S. state privacy laws.
  • "Security Incident" means an actual or reasonably suspected breach of Kitbees' security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data. Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Personal Data.
  • "Subprocessor" means a third party engaged by Kitbees to process Customer Personal Data on behalf of Customer.

Capitalized terms not defined in this DPA have the meanings given in the Terms.

2. Roles and Scope

Customer is the controller, business, or equivalent party for Customer Personal Data unless Data Protection Law states otherwise. Kitbees acts as Customer's processor, service provider, or contractor for Customer Personal Data covered by this DPA.

Customer is responsible for determining whether the Services are appropriate for Customer's intended processing, providing required notices, obtaining required rights, consents, permissions, and lawful bases, ensuring Customer Personal Data is accurate and limited to what is necessary, and responding to data-subject requests and regulatory inquiries except to the extent Kitbees must assist under this DPA.

3. Customer Instructions

Kitbees will process Customer Personal Data only to provide, maintain, secure, support, and improve the Services; perform Customer-authorized workflows; prevent fraud, abuse, spam, or Security Incidents; comply with law; and as otherwise permitted by this DPA and Data Protection Law.

Customer's documented instructions include the Terms, this DPA, any order form, Service configuration, support requests, and other written communications accepted by Kitbees. Customer must not instruct Kitbees to process Customer Personal Data in violation of Data Protection Law.

If Kitbees believes a Customer instruction violates Data Protection Law, Kitbees will notify Customer unless legally prohibited. If Kitbees is required by law to process Customer Personal Data outside Customer's documented instructions, Kitbees will notify Customer of that legal requirement before processing unless the law prohibits notice on important public-interest grounds.

4. Confidentiality and Personnel

Kitbees will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive access only to the extent reasonably necessary for their role.

5. Security Measures

Kitbees will maintain reasonable technical, administrative, and organizational safeguards designed to protect Customer Personal Data, taking into account the nature of the processing and risks involved. Current measures are summarized in Annex 2. Kitbees may update its measures from time to time, provided the overall level of protection is not materially reduced.

6. Subprocessors

Customer grants Kitbees general written authorization to engage Subprocessors to process Customer Personal Data in connection with the Services. Kitbees will impose data-protection obligations on each Subprocessor that are at least as protective as the obligations in this DPA in substance, taking into account the nature of the Subprocessor's services. Kitbees remains responsible for its Subprocessors' performance of those obligations to the extent required by Data Protection Law.

Key Subprocessors and feature-dependent vendors are listed in Annex 3. Kitbees may update that list as vendors, features, or infrastructure change. Subject to Data Protection Law, Kitbees may add, replace, or remove Subprocessors at its discretion and is not required to provide advance notice or obtain Customer approval before doing so. Customer may review relevant Subprocessor information in Annex 3 or any replacement DPA Subprocessor list Kitbees makes available.

7. Data Subject Requests

Taking into account the nature of the processing and information available to Kitbees, Kitbees will provide commercially reasonable assistance with data-subject requests where Customer cannot reasonably complete the request without Kitbees' help.

If Kitbees receives a request from an individual relating to Customer Personal Data for which Customer is responsible, Kitbees may direct the requester to Customer, notify Customer, or respond directly only where required by law.

8. Assistance and Compliance Support

Taking into account the nature of processing and information available to Kitbees, Kitbees will provide commercially reasonable assistance with Customer's obligations relating to security, data-protection impact assessments, and supervisory-authority consultations where required by Data Protection Law and where Customer cannot reasonably satisfy the obligation without Kitbees' assistance. Kitbees may charge reasonable fees for unusually burdensome, repetitive, or out-of-scope assistance.

9. Security Incidents

Kitbees will notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident affecting Customer Personal Data. Notification will include, to the extent reasonably available, the nature of the incident, affected data categories, likely consequences, measures taken or proposed, and follow-up contact information. Kitbees will provide reasonable updates as additional material information becomes available. Notification is not an admission of fault or liability.

10. Deletion and Return

Upon expiration or termination of the applicable Services, Kitbees will, at Customer's choice and subject to the Terms, return or make available for export Customer Personal Data, delete Customer Personal Data, or both, unless continued retention is required by law or otherwise permitted by Data Protection Law. Customer may request return or export during the subscription term and for up to thirty (30) days after termination unless the Terms or an order form provides a longer period.

After the applicable export period or verified deletion instruction, Kitbees will delete active production copies of Customer Personal Data within a commercially reasonable period, typically no later than ninety (90) days, unless retention is required by law, reasonably necessary for security, fraud prevention, dispute resolution, or otherwise permitted by Data Protection Law. Kitbees may retain archived or backup copies until overwritten in the ordinary course, typically no later than one hundred eighty (180) days, provided those copies are protected by the measures in Annex 2 and are not restored to active processing except for backup restoration, security, legal, or compliance needs.

Kitbees may retain logs and security records needed for security or audit purposes, billing records required by law, and deidentified or aggregated data that does not identify Customer or any individual as the source.

11. Information Rights

Kitbees will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security summaries, written responses, policies, certifications, or third-party audit reports where available.

If Customer reasonably believes additional verification is required by Data Protection Law, Kitbees may satisfy that requirement through recent third-party materials, written responses, policies, certifications, security summaries, or other reasonable documentation, subject to confidentiality, security, and operational restrictions.

12. International Transfers

Customer authorizes Kitbees to process Customer Personal Data in the United States and other countries where Kitbees, its affiliates, or Subprocessors operate.

Where required by Data Protection Law, the parties will use lawful transfer mechanisms, including the transfer terms in Annex 4 where applicable. If Customer Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to Kitbees or a Subprocessor in a country that does not benefit from an applicable adequacy decision or equivalent lawful transfer basis, the parties incorporate by reference the applicable Standard Contractual Clauses and related transfer terms in Annex 4.

13. U.S. State Privacy Terms

To the extent U.S. state privacy law applies and Kitbees acts as Customer's service provider, contractor, processor, or similar party:

  • the limited and specified business purposes are the processing activities described in Annex 1, Customer's documented instructions, and the Service features Customer enables, including hosting, authentication, storage, outbound outreach sending, campaign workflow, tracking, reporting, payment workflow, support, security, debugging, fraud prevention, deidentification, and related platform operations;
  • Kitbees will not sell or share Customer Personal Data or process Customer Personal Data for targeted advertising except as instructed by Customer and permitted by law;
  • Kitbees will not retain, use, or disclose Customer Personal Data for any purpose outside the limited and specified business purposes described in this DPA or for a commercial purpose other than those business purposes, except as permitted by law;
  • Kitbees will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Kitbees except as permitted by law and this DPA;
  • Kitbees will not combine Customer Personal Data with personal data it receives from another person except as permitted by law;
  • Kitbees will comply with applicable obligations under U.S. state privacy laws for Customer Personal Data and provide the same level of privacy protection required of service providers, contractors, processors, or similar parties under those laws;
  • Kitbees will assist Customer with consumer requests relating to Customer Personal Data as described in Section 7;
  • Customer may take reasonable and appropriate steps to help ensure Kitbees uses Customer Personal Data consistently with Customer's obligations under applicable U.S. state privacy laws, including through the information rights in Section 11;
  • Kitbees will notify Customer if it determines it can no longer meet its obligations under this Section and will take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data; and
  • Kitbees will require Subprocessors that process Customer Personal Data under this Section to agree to restrictions that are at least as protective in substance as this Section.

14. Liability

This DPA is subject to the limitations of liability, exclusions, and risk-allocation provisions in the Terms unless Data Protection Law requires otherwise.

Annex 1. Details of Processing

Subject matter: Kitbees' provision of the Services to Customer.

Duration: For the subscription term or other period during which Kitbees processes Customer Personal Data on Customer's behalf, plus any limited retention period permitted by the Terms, this DPA, or applicable law.

Nature and purpose: Hosting, storing, organizing, transmitting, reporting on, securing, supporting, and otherwise processing Customer Personal Data as needed to provide creator workflow, outbound outreach sending, campaign, tracking, reporting, payment, and related platform features.

Categories of data subjects:

  • Customer personnel and authorized users;
  • creators, campaign contacts, outreach recipients, and creator representatives submitted or contacted by Customer;
  • Customer's clients or brand representatives where Customer uses the Services on their behalf; and
  • other individuals whose data Customer submits to the Services.

Categories of Customer Personal Data:

  • account, organization, and user identifiers;
  • contact information and business profile information;
  • outbound outreach content, sender and recipient data, send logs, and related metadata;
  • campaign, CRM, notes, status, deliverable, and reporting data;
  • tracking and attribution data submitted by or connected by Customer;
  • billing workflow metadata where processed on Customer's behalf;
  • uploaded files, prompts, generated assets, and related organization content; and
  • any other Personal Data Customer chooses to submit through the Services consistent with the Terms and this DPA.

Annex 2. Technical and Organizational Measures

Kitbees will maintain at least the following technical and organizational measures, taking into account the nature, scope, context, and risk of the processing:

  • access controls and least-privilege permissions;
  • authentication controls for user and administrative access, including multi-factor authentication for privileged administrative access where supported by the relevant system;
  • logical separation of customer organizations and role-based authorization for organization data;
  • encryption in transit using TLS or equivalent protections and encryption at rest through application, database, storage, or cloud-provider controls where appropriate;
  • secret, credential, OAuth token, and integration-token protection, including encryption or managed secret storage where implemented;
  • logging, monitoring, and alerting for security and reliability;
  • backup, restoration, and business-continuity measures, including periodic review or validation of restore procedures;
  • vulnerability management, dependency review, patching, and secure configuration practices appropriate to the Services;
  • change-management practices designed to reduce production security and availability risk;
  • incident-response procedures for triage, containment, investigation, notification, and remediation;
  • personnel confidentiality obligations;
  • vendor and Subprocessor review before onboarding vendors that process Customer Personal Data;
  • support and production-access controls designed to limit human access to Customer Personal Data to authorized personnel with a business need; and
  • AI-feature data handling controls designed to send Customer Personal Data to AI Subprocessors only as needed for enabled features, support, safety, abuse prevention, or legal compliance. Kitbees does not authorize AI Subprocessors to use Customer Personal Data to train their general-purpose models except as expressly instructed by Customer or disclosed for the relevant feature.

Annex 3. Key Subprocessors

The following list identifies current key public-facing Subprocessors and feature-dependent vendors. Vendors used only for Kitbees' independent-controller creator intelligence, internal research, internal operations, or non-customer-specific infrastructure are not listed as Subprocessors for Customer Personal Data unless they process Customer Personal Data for a Customer-enabled feature or Customer instruction.

Vendor (role): function

  • Supabase (Core Subprocessor): core database, authentication, file storage, and related infrastructure
  • Stripe (Core or feature-dependent Subprocessor): billing, checkout, subscriptions, invoices, payment processing, saved payment methods, and Stripe Connect workflows
  • Google (Feature-dependent Subprocessor): Gmail connection, OAuth identity, and send-only email integration
  • PostHog (Feature-dependent Subprocessor): product analytics and feature measurement
  • Sentry (Operational Subprocessor): error monitoring, tracing, and incident diagnostics
  • Shopify (Feature-dependent Subprocessor): e-commerce integration, discount code management, and order synchronization

Annex 4. International Transfer Terms

For transfers of Customer Personal Data subject to the GDPR from the European Economic Area to Kitbees or a Subprocessor in a country without an applicable adequacy decision, the parties incorporate the European Commission Standard Contractual Clauses for international transfers under Commission Implementing Decision (EU) 2021/914 ("EU SCCs") as follows:

  • Module Two applies where Customer is a controller and Kitbees is a processor.
  • Module Three applies where Customer is a processor and Kitbees is a subprocessor.
  • Clause 7 docking is not used unless the parties agree otherwise in writing.
  • Clause 9(a) general written authorization for subprocessors applies, with the Subprocessor authorization and list in Section 6 and Annex 3.
  • Clause 11 optional redress language is not used.
  • Clause 17 governing law is the law of Ireland.
  • Clause 18 forum and jurisdiction are the courts of Ireland.
  • Annex I is completed by the parties' identities in the Terms, order form, or account records; the processing details in Annex 1; the transfer frequency as continuous for the duration of the Services; and the competent supervisory authority determined under the GDPR.
  • Annex II is completed by the measures in Annex 2.
  • Annex III is completed by the Subprocessors in Annex 3 as updated under Section 6.

For transfers of Customer Personal Data subject to the UK GDPR, the EU SCCs apply as amended by the UK International Data Transfer Addendum, with the parties, selected modules, and annexes completed as described above. For transfers subject to the Swiss FADP, the EU SCCs apply with references to the GDPR adapted to the Swiss FADP, references to the competent supervisory authority adapted to the Swiss Federal Data Protection and Information Commissioner where required, and references to EU Member State law adapted as needed for Swiss transfer requirements.

Kitbees will maintain reasonable supplementary measures for international transfers, including the technical and organizational measures in Annex 2, and will respond to reasonable Customer requests for information needed to assess transfer risk. If Kitbees receives a legally binding government access request for Customer Personal Data, Kitbees will notify Customer where legally permitted and will take reasonable steps to challenge or narrow the request where Kitbees reasonably believes the request is unlawful or overbroad.

Changes to This DPA

We may update this DPA from time to time to reflect changes in law, guidance, technology, vendors, Services, or business practices. When we do, we will revise the "Last updated" date above and take any additional steps required by applicable law.

Kitbees Information and Contact

If you have questions about this DPA or Kitbees' data processing practices, please contact:

Kitbees Inc., Delaware C Corporation
131 Continental Dr Suite 305
Newark, DE 19713
United States
Email: privacy@kitbees.com