1. Structure
TL;DR — This DPA is Annex A to your Terms of Service. If they conflict on data-protection matters, this DPA wins.
This Data Processing Addendum ("DPA") forms Annex A to the Terms of Service between you (the Controller) and Onviqa Inc. (the Processor) for the Surfient service. Capitalised terms not defined here take the meaning given in the Terms or the EU GDPR.
Where this DPA conflicts with the Terms on a data-protection matter, this DPA prevails.
2. Roles
TL;DR — You control, we process. We don't independently use your personal data for anything.
You are the Controller of the personal data submitted to Surfient. Onviqa Inc. is the Processor. Onviqa Inc.'s sub-processors (listed in the Privacy Policy §8) are sub-processors within the meaning of GDPR Art. 28(2).
3. Scope of processing
TL;DR — We process catalog metadata and account data to run the service. Nothing else.
Subject matter: provision of the Surfient AI indexing platform.
Duration: for the term of the Terms plus the retention window in Privacy Policy §5.
Nature and purpose: collecting, storing, processing, and transmitting merchant account data + Shopify catalog metadata to deliver audits, fixes, and ongoing indexing.
Categories of personal data: merchant account data (name, email, store domain), support messages, telemetry tied to merchant IDs. We explicitly do not process shopper personal data.
Categories of data subjects: merchant staff who administer the store and interact with Surfient.
4. Security measures
TL;DR — Encryption, least privilege, logging, annual pen-test, 72-hour breach notice.
The full list of Technical and Organisational Measures (TOMs) lives on the security page. They include:
- TLS 1.2+ in transit, AES-256 at rest;
- role-based access control with hardware 2FA for production;
- append-only audit logs for admin actions;
- annual external penetration test + ongoing Cloudflare WAF;
- breach notification within 72 hours of awareness;
- documented incident-response plan with severity tiers.
5. Sub-processors
TL;DR — List at Privacy Policy §8. 30-day prior notice for changes. Objection window: 30 days.
You authorise the sub-processors listed in Privacy Policy §8. We give you at least 30 days' prior written notice of any addition or replacement. You may object by emailing [email protected]; if we can't accommodate, you may terminate the affected portion of the service with a pro-rated refund.
6. International transfers (SCCs / UK IDTA)
TL;DR — We use Module 2 of the 2021 EU SCCs and the UK IDTA. No separate signature needed; they're incorporated by reference.
Where we transfer personal data out of the European Economic Area, United Kingdom, or Switzerland, the following apply:
- EU SCCs 2021/914 (Module 2 — Controller-to-Processor) are incorporated by reference with Onviqa Inc. as the data importer.
- UK IDTA (version A1.0, 21 March 2022) applies to UK-controlled data.
- Swiss revFADP amendments apply to Swiss-resident data subjects.
Annex I (list of parties), Annex II (TOMs), and Annex III (sub-processors) to the SCCs are populated by the Privacy Policy §1, this DPA §4, and Privacy Policy §8 respectively.
7. Assisting with data-subject requests
TL;DR — We help you respond to DSARs at no extra charge via export + deletion endpoints.
We will — taking into account the nature of the processing — provide reasonable assistance for you to fulfil your obligations under GDPR Art. 12–23, including via self-serve export and deletion tools in the admin panel. Bulk requests that require engineering work may be chargeable at our then-current professional-services rate, but we'll tell you before starting.
8. Audits
TL;DR — SOC 2 Type II report shared under NDA. On-site audits on reasonable notice, once per year.
You may audit our compliance with this DPA:
- Annually by receiving our SOC 2 Type II report, penetration test summary, and any other relevant attestations under NDA;
- On-site with 30 days' prior written notice, no more than once per calendar year, during business hours, at your cost, scoped to Surfient systems and not disruptive to other customers.
9. Termination & deletion
TL;DR — On termination we return or delete personal data per Privacy Policy §5 (90 days, then purge).
On termination of the Terms, Onviqa Inc. will, at your option, return or delete personal data as set out in Privacy Policy §5. Residual copies held in backups are deleted on the normal 30-day backup rotation.
Need a signed DPA?
Email [email protected] with your entity name + the email of the person authorised to sign. Typical turnaround: 2 business days. No custom redlines needed for the EU SCCs — they're template-bound.