Data Processing Agreement (DPA)

Effective January 15, 2026

MABTED GmbH
Gertigstraße 5, 22303 Hamburg, Germany
Privacy: privacy@mabted.com

1. Subject and Term

This agreement governs the processing of personal data on behalf of the controller in accordance with Art. 28 GDPR in the context of using MABTED. The processor processes personal data exclusively on behalf of and according to documented instructions from the controller. Processing begins with the conclusion of the usage contract (Terms of Service) and continues for the duration of use of the service.

2. Nature and Purpose

Purpose: Management of influencer collaborations, campaigns, and performance metrics

Type of data:
- Contact data (name, email address, company name if applicable)
- Influencer data (names, social media handles, follower counts, niches, contact information)
- Brand data (company names, contact persons)
- Campaign and engagement data (contracts, budgets, periods, deliverables, metrics)
- Performance metrics (TKP, ROAS, engagement rates, revenue data)
- Shopify account data and revenue information
- Gmail account data and email threads

Categories of data subjects:
- Employees of customers
- Influencers whose data is managed by customers
- Brand contact persons

3. Controller's Rights and Duties

The controller is responsible for the lawfulness of data processing. They may issue instructions for processing at any time, request changes, or demand deletion of data. They are obligated to fulfill data subject rights (e.g., access, deletion, rectification) independently.

4. Processor's Obligations

The processor commits to:
- processing personal data exclusively on instruction from the controller
- ensuring confidentiality of all employees
- implementing appropriate technical and organizational measures (TOMs) to protect data
- supporting data subjects in exercising their rights
- immediately reporting data protection breaches
- contractually obligating all sub-processors to comply with GDPR

5. Technical and Organizational Measures (TOMs)

The processor ensures data security through:
- TLS encryption in transit and AES-256 at rest
- role-based access system
- encrypted API tokens and access keys
- logging of all access
- regular security updates
- hosting on servers within the EU (Frankfurt/Amsterdam)

6. Sub-processors

| Provider | Location | Purpose | Legal Basis |
|---|---|---|---|
| Supabase Inc. | EU (Frankfurt/Amsterdam) | Hosting, database, authentication | Art. 28 GDPR |
| Vercel Inc. | EU/USA | Frontend hosting | Art. 28 GDPR |
| Stripe Payments Europe Ltd. | Ireland | Payment processing | Art. 28 GDPR |
| Google Ireland Ltd. | Ireland | Gmail integration | Art. 28 GDPR |
| Shopify Inc. | Canada | Shopify integration | Art. 28 GDPR |

The processor informs the controller of planned changes to sub-processors.

7. Deletion and Return of Data

After termination of the contractual relationship, personal data will be automatically deleted or anonymized after 30 days; upon written request from the controller, it will be deleted or exported earlier. Backup copies will be deleted after expiration of the legal retention period.

8. Audit Rights

The controller is entitled to verify compliance with this DPA. The processor provides information upon request about the technical and organizational measures taken and may provide evidence (e.g., penetration tests, audit reports).

9. Liability

Liability is governed by the provisions of the main contract (Terms of Service). In case of violations of data protection regulations, each party is liable within the scope of their responsibility.

10. Final Provisions

This agreement is deemed concluded from the moment of acceptance of the Terms of Service. It is part of the main contract and applies to all processing operations that occur in the context of using MABTED. German law applies. The place of jurisdiction is Hamburg, insofar as legally permissible.