Data Processing Agreement.
The processor-side terms that attach to a Master Services Agreement when Digital1010 processes personal data on behalf of a client. Built on GDPR Article 28, the 2021 EU Standard Contractual Clauses (Module 2), CCPA service-provider terms, and Florida law.
Last updated: May 6, 2026
1. Purpose and scope.
This Data Processing Agreement (“DPA”) supplements and forms part of the Master Services Agreement (the “Agreement”) between Digital1010 LLC, a Florida limited liability company (“Digital1010,” “Processor”), and the customer identified in the Agreement (“Customer,” “Controller”). It governs the Processing of Personal Data by Digital1010 on behalf of Customer in the course of providing the Services.
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the EU Standard Contractual Clauses incorporated under Section 8, the Standard Contractual Clauses control.
2. Definitions.
Capitalized terms not defined in this DPA have the meaning given them in the Agreement. The following definitions apply:
- Applicable Data Protection Law means each statute, regulation, executive order, or other rule applicable to the Processing of Personal Data under this DPA, including (as the case may be) the EU General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”), the California Consumer Privacy Act and California Privacy Rights Act (“California Privacy Laws”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Florida Information Protection Act (F.S. § 501.171), and any successor or analogous statute.
- Controller, Processor, Sub-processor, Personal Data, Process / Processing, Data Subject, and Personal Data Breach have the meanings given them in Applicable Data Protection Law. Where California Privacy Laws apply, “Personal Data” includes “personal information” and Digital1010 acts as a “Service Provider.”
- Restricted Transfer means a transfer of Personal Data subject to the cross-border transfer restrictions of Applicable Data Protection Law, including transfers from the European Economic Area, the United Kingdom, or Switzerland to a country not the subject of an adequacy decision.
- Standard Contractual Clauses or SCCs means (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the European Commission's Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller to Processor), and (ii) for transfers subject to UK GDPR, the United Kingdom International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (the “UK Addendum”).
3. Roles of the parties.
Customer is the Controller (or a Processor acting on behalf of another controller) of Personal Data submitted to or generated by Digital1010 in the course of providing the Services. Digital1010 is the Processor (or, where Customer is itself a Processor, a Sub-processor) of that Personal Data and will Process it solely on Customer's documented instructions and as set forth in this DPA.
For the purposes of California Privacy Laws, Customer is a “Business” and Digital1010 is a “Service Provider.” Digital1010 will not (i) sell or share Personal Data, (ii) retain, use, or disclose Personal Data outside the direct business relationship between the parties or for any purpose other than the specific business purpose of providing the Services, or (iii) combine Personal Data received from Customer with personal information received from any other source, except as expressly permitted by California Privacy Laws. Digital1010 certifies that it understands and will comply with these restrictions.
4. Subject matter, duration, and nature of processing.
- Subject matter: the provision of the Services described in the Agreement, which may include marketing strategy, web platform development, hosting and operations, search and answer-engine optimization, paid media management, marketing automation and CRM integration, creative production, analytics and reporting, and AI-augmented marketing operations.
- Duration: the term of the Agreement, plus any post-termination period during which Digital1010 retains Personal Data in accordance with Section 11.
- Nature and purpose: Digital1010 will Process Personal Data as necessary to provide the Services and to comply with the Agreement and Applicable Data Protection Law.
- Categories of Data Subjects: Customer's website visitors, prospects, leads, customers, and authorized contacts, and any other natural persons whose Personal Data Customer or its end users submit through the Services.
- Categories of Personal Data: identifiers (name, email, phone, address, online identifiers), commercial information (transactions and inquiries), internet and electronic activity (browsing, ad interactions, search queries, attribution data), geolocation (general region from IP address), professional information (company, role, vertical), and any other category of Personal Data Customer chooses to submit. Digital1010 does not require, and will not knowingly Process, special categories of Personal Data unless the parties expressly agree in writing.
5. Processor obligations.
Digital1010 will:
- Process on instructions only. Process Personal Data only on Customer's documented instructions, including with regard to transfers to a third country, unless required to do otherwise by EU or Member State law to which Digital1010 is subject. In the latter case, Digital1010 will inform Customer of the legal requirement before Processing, unless that law prohibits the disclosure on important grounds of public interest.
- Confidentiality. Ensure that personnel authorized to Process Personal Data are bound by an obligation of confidentiality, whether contractual or statutory, and have received appropriate training on the handling of Personal Data.
- Security. Implement and maintain the technical and organizational measures described in Annex II (Section 12) and otherwise required by Article 32 of GDPR.
- Sub-processor management. Engage Sub-processors only in accordance with Section 7.
- Assistance with Data Subject rights. Promptly notify Customer of any Data Subject request received directly, and assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject access, deletion, correction, restriction, portability, and objection requests under Applicable Data Protection Law.
- Assistance with assessments. Provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities required by Articles 35 and 36 of GDPR.
- Records. Maintain a written record of all categories of Processing activities carried out on behalf of Customer, as required by Article 30(2) of GDPR, and make it available to Customer or a competent supervisory authority on request.
- Audit. Make available to Customer all information necessary to demonstrate compliance with this DPA, and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in accordance with Section 10.
6. Personal Data Breach notification.
Digital1010 will notify Customer without undue delay, and in any event no later than 48 hours after becoming aware, of any Personal Data Breach affecting Personal Data Processed under this DPA. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach and mitigate adverse effects, and a contact point for further information. Digital1010 will supplement the notification as additional information becomes available.
Digital1010 will cooperate with Customer in any breach notifications Customer is required to make to supervisory authorities or Data Subjects under Applicable Data Protection Law, including the Florida Information Protection Act (F.S. § 501.171), the GDPR, and applicable state breach notification statutes. Customer is responsible for fulfilling any notification obligations to Data Subjects and regulators for which Customer is the Controller.
7. Sub-processors.
Customer authorizes Digital1010 to engage the Sub-processors listed in Annex III (Section 13) for the Processing activities described there, subject to the conditions of this Section 7.
Digital1010 will impose data protection obligations on each Sub-processor, by written contract or other binding instrument, that are no less protective than those imposed on Digital1010 under this DPA, including the obligations of Article 28(3) of GDPR. Digital1010 remains liable to Customer for the acts and omissions of its Sub-processors with respect to the Processing of Personal Data under this DPA.
Notice of changes. Digital1010 will give Customer prior written notice (which may be by email to the account contact, or by posting an updated list at this URL) of the addition or replacement of any Sub-processor at least fourteen (14) days before the change takes effect, except where the change is required to address a security or service-continuity emergency, in which case Digital1010 will notify Customer promptly thereafter. If Customer reasonably objects to a proposed Sub-processor on data-protection grounds, the parties will work in good faith to find a commercially reasonable alternative; if no alternative is available, Customer may terminate the affected Services on written notice without penalty.
8. International transfers.
Where Digital1010's Processing of Personal Data involves a Restricted Transfer, the parties agree that the SCCs apply to the transfer and are incorporated into this DPA by reference, with the following population:
- Module 2 (Controller to Processor) applies where Customer is the Controller. Module 3 (Processor to Sub-processor) applies where Customer is itself a Processor.
- Clause 7 (docking clause) is included.
- Clause 9: Option 2 (general written authorization). Notice period for changes is fourteen (14) days, as set forth in Section 7 of this DPA.
- Clause 11: the optional language permitting Data Subjects to lodge complaints with an independent dispute resolution body is not included.
- Clause 17: governing law of the SCCs is the law of the Republic of Ireland.
- Clause 18: the courts of Ireland have exclusive jurisdiction with respect to the SCCs.
- Annex I.A (parties): Customer is the data exporter; Digital1010 is the data importer.
- Annex I.B (description of transfer): as described in Section 4 of this DPA.
- Annex I.C (competent supervisory authority): the supervisory authority of the Member State in which the data exporter is established, or as otherwise determined under Clause 13.
- Annex II (technical and organizational measures): as set forth in Section 12 of this DPA.
- Annex III (Sub-processors): as set forth in Section 13 of this DPA.
For Restricted Transfers subject to UK GDPR, the UK Addendum applies, with Tables 1, 2, and 3 populated by reference to the corresponding sections and Annexes above and Table 4 completed to indicate that neither party may end the UK Addendum.
For Restricted Transfers subject to Swiss data protection law, the parties incorporate the SCCs with the modifications required by the Swiss Federal Data Protection and Information Commissioner's guidance (references to GDPR also refer to the Swiss Federal Act on Data Protection; references to the supervisory authority also include the FDPIC).
9. Customer obligations.
Customer represents and warrants that (i) it has provided all required notices and obtained all required consents, authorizations, and rights to enable Digital1010 to Process the Personal Data as contemplated by the Agreement and this DPA; (ii) its instructions to Digital1010 comply with Applicable Data Protection Law; and (iii) it will not submit to Digital1010 any special category data, payment-card data, government-issued identifiers, or protected health information unless the parties have first executed a separate written agreement covering such data.
10. Audit.
Once per twelve-month period, on at least thirty (30) days' prior written notice and during ordinary business hours, Customer (or an independent third-party auditor bound by appropriate confidentiality obligations and not a competitor of Digital1010) may audit Digital1010's compliance with this DPA, provided the audit (i) is reasonable in scope, (ii) does not unreasonably interfere with Digital1010's business, (iii) is conducted at Customer's expense, and (iv) does not require Digital1010 to disclose the data of other customers, trade secrets, or any information that Digital1010 is contractually or legally required to keep confidential. Digital1010 may satisfy its audit obligations by providing Customer with a copy of its most recent third-party security audit report (e.g. SOC 2, ISO 27001 certification, or substantially equivalent), where available.
Where required by Applicable Data Protection Law (including GDPR Article 28(3)(h)), Digital1010 will additionally permit and contribute to audits and inspections by Customer or a competent supervisory authority.
11. Return or deletion of Personal Data.
On termination or expiration of the Agreement, Digital1010 will, at Customer's written election, return to Customer or delete all Personal Data Processed on Customer's behalf, unless Applicable Data Protection Law or another binding legal obligation requires storage of all or part of the Personal Data. Digital1010 will complete the return or deletion within ninety (90) days of termination, except for backup copies that age out of rolling backup retention according to Digital1010's standard schedule (currently up to thirty-five (35) days), which will be deleted at the end of that retention period.
On Customer request, Digital1010 will certify in writing that it has complied with this Section 11.
12. Annex II · Technical and organizational measures.
Digital1010 implements and maintains the following measures, which it may update from time to time provided the level of protection of Personal Data is not materially diminished:
- Pseudonymization and encryption. Personal Data in transit is encrypted using TLS 1.2 or higher. Personal Data at rest in our hosting environments is encrypted using AES-256 or a substantially equivalent cipher. Application secrets are stored in an encrypted key vault and are never logged.
- Confidentiality, integrity, availability, and resilience. Production systems run on hardened, actively patched cloud infrastructure (DigitalOcean, Cloudflare). Application traffic passes through a Web Application Firewall with rate limiting, bot mitigation, and DDoS protection. Database backups are taken at least daily with cross-region redundancy.
- Restoration of availability. Production services maintain a documented disaster-recovery plan with a target RTO of 24 hours and a target RPO of 24 hours. Backups are tested for restorability on a defined cadence.
- Access control. Role-based access to Personal Data is granted on a least-privilege basis to authorized personnel only. Multi-factor authentication is required for all production system access. Access is reviewed on a quarterly basis and revoked promptly on role change or separation.
- Logging and monitoring. Production systems generate access and security event logs that are retained for at least ninety (90) days and monitored for anomalies.
- Personnel. All personnel with access to Personal Data are bound by written confidentiality obligations, receive periodic training on data protection and security, and are subject to background checks where permitted by law.
- Physical security. Production infrastructure is hosted in third-party data centers that maintain SOC 2 Type II or substantially equivalent certifications. Digital1010 personnel work from secured premises and corporate-managed devices with full-disk encryption.
- Vendor management. Digital1010 evaluates Sub-processors for security and data protection posture before engagement and on a periodic basis thereafter.
- Incident response. Digital1010 maintains a written incident-response plan addressing detection, triage, containment, eradication, recovery, notification, and post-incident review, and tests the plan periodically.
13. Annex III · Sub-processors.
The following Sub-processors are engaged by Digital1010 in the provision of the Services as of the date set forth at the top of this page. Customer authorizes their use under Section 7. Digital1010 will update this list and notify Customer of changes in accordance with Section 7.
| Sub-processor | Service | Region |
|---|---|---|
| Google LLC (Workspace, Ads, Analytics, Search Console, Business Profile) | Email + collaboration, ad platform, analytics, search reporting | United States · global |
| Microsoft Corporation (Clarity, Bing Ads, OneDrive) | Behavioral analytics, paid search, document storage | United States · global |
| Meta Platforms, Inc. (Ads, Business Manager) | Paid social and audience management when included in scope | United States · global |
| LinkedIn Corporation | Paid social and audience management when included in scope | United States · global |
| GoHighLevel (HighLevel Inc.) | CRM, marketing automation, intake routing | United States |
| Sanity.io (Sanity, Inc.) | Editorial content management for Digital1010 properties | United States · EU |
| DigitalOcean, LLC | Web hosting and managed application platform | United States · global |
| Cloudflare, Inc. | Edge CDN, DNS, DDoS mitigation, WAF | United States · global |
| Resend, Inc. | Transactional email delivery | United States |
| Anthropic, PBC | Generative AI and AEO Visibility Scan retrieval | United States |
| OpenAI, L.L.C. | Generative AI and AEO Visibility Scan retrieval | United States |
| Perplexity AI, Inc. | AEO Visibility Scan retrieval | United States |
| Slack Technologies (Salesforce, Inc.) | Internal team communications about engagements | United States · global |
To subscribe to email notifications when this list changes, email support@digital1010.com with the subject line “Sub-processor notifications.”
14. Liability.
Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations of liability and exclusions of damages set forth in the Agreement. Where the Agreement is silent, each party's aggregate liability under this DPA is capped at the amounts paid or payable by Customer to Digital1010 under the Agreement during the twelve (12) months preceding the event giving rise to liability.
Nothing in this DPA limits or excludes either party's liability that cannot be limited or excluded under Applicable Data Protection Law.
15. Term, conflicts, governing law.
This DPA takes effect on the effective date of the Agreement and continues until the later of (i) termination of the Agreement and (ii) Digital1010's return or deletion of all Personal Data Processed under the Agreement in accordance with Section 11. The provisions of this DPA that by their nature should survive termination shall survive, including Sections 9 (Customer obligations), 11 (return or deletion), 12 (technical and organizational measures, with respect to retained Personal Data), 14 (liability), and 15 (this Section).
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the SCCs, the SCCs control with respect to Restricted Transfers.
This DPA is governed by the laws of the State of Florida, without regard to conflict-of-laws rules, except that the SCCs are governed by the law of the Republic of Ireland (or the law specified in the SCCs). Disputes are subject to the dispute resolution provisions of the Agreement.
16. Contact.
For DPA-related correspondence, including Sub-processor notifications, audit requests, and breach reports, contact support@digital1010.com with the subject line “DPA · [topic].”
Mail: Digital1010 LLC, Jacksonville, FL · full mailing address provided on request.