Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into between Clippable Labs Inc. (“Clippable,” “Processor”) and the entity or individual (“Customer,” “Controller”) that has agreed to Clippable's Terms of Service.

This DPA governs the processing of personal data by Clippable on behalf of the Customer in connection with Clippable's influencer marketing platform and related services (the “Services”). It is incorporated into and forms part of the Terms of Service.

This DPA applies where and to the extent that Clippable processes personal data that is subject to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), or other applicable data protection laws on behalf of the Customer.

1. Definitions

2. Scope and Nature of Processing

Clippable processes personal data solely for the purpose of providing the Services to the Customer. The subject matter, nature, purpose, and duration of processing, as well as the types of personal data and categories of data subjects, are described below:

3. Clippable's Obligations as Processor

Clippable shall:

• Process personal data only on documented instructions from the Customer, including as set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law.
• Ensure that persons authorized to process personal data are under appropriate confidentiality obligations.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6 of this DPA.
• Not engage sub-processors without the Customer's prior general or specific authorization, and flow down equivalent data protection obligations to any approved sub-processors.
• Assist the Customer, insofar as possible, in responding to data subject rights requests, taking into account the nature of the processing.
• Assist the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
• At the choice of the Customer, delete or return all personal data upon termination of the Services, unless retention is required by applicable law.
• Make available to the Customer all information necessary to demonstrate compliance with this DPA.
• Promptly notify the Customer if, in Clippable's opinion, an instruction infringes applicable data protection law.

4. Customer's Obligations as Controller

The Customer shall:

• Ensure that it has a lawful basis for processing personal data and that data subjects have been provided with appropriate privacy notices before submitting personal data to Clippable.
• Ensure that any personal data submitted to Clippable is accurate and up to date.
• Only instruct Clippable to process personal data in accordance with applicable data protection law.
• Be responsible for the legality of any campaign content requirements and instructions given to Clippable.
• Comply with its own obligations under applicable data protection laws, including maintaining a record of processing activities where required.

5. Sub-processors

The Customer hereby grants Clippable general authorization to engage the following categories of sub-processors in connection with the Services:

Clippable will notify the Customer of any intended changes to this sub-processor list by updating this DPA or through email notification to registered account holders, allowing the Customer a reasonable opportunity to object. Clippable imposes data protection obligations on all sub-processors equivalent to those set out in this DPA.

6. Security Measures

Clippable implements and maintains the following technical and organizational security measures to protect personal data:

• Encryption: Personal data is encrypted in transit (TLS 1.2+) and at rest using industry-standard encryption.
• Access Controls: Role-based access controls limit personal data access to authorized personnel only. All access is logged.
• Authentication: Multi-factor authentication is required for administrative access to production systems.
• Vulnerability Management: Regular security reviews and dependency updates are performed to address known vulnerabilities.
• Incident Response: A documented incident response process is in place, including procedures for breach detection, containment, and notification.
• Data Minimization: We collect and retain only the personal data necessary to provide the Services.
• Vendor Security: Sub-processors are assessed for their security practices prior to engagement.

7. Security Incident Notification

In the event of a confirmed Security Incident involving personal data processed on behalf of the Customer, Clippable will:

• Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the incident.
• Provide the Customer with sufficient information to fulfill any data breach notification obligations under applicable law, including: the nature of the incident, categories and approximate number of data subjects affected, categories and approximate number of personal data records affected, likely consequences of the breach, and measures taken or proposed to address the breach.
• Cooperate with the Customer's reasonable requests in connection with the investigation, mitigation, and remediation of the incident.

Notification of a Security Incident shall be delivered to the primary contact email address associated with the Customer's account.

8. International Data Transfers

Clippable is headquartered in the United States. If you are a Customer located in the European Economic Area, United Kingdom, or Switzerland, personal data you submit to Clippable will be transferred to and processed in the United States.

For such transfers, Clippable relies on the European Commission's Standard Contractual Clauses (“SCCs”) as the legal mechanism for transferring personal data from the EEA to countries not recognized as providing an adequate level of data protection. Enterprise customers requiring executed SCCs may contact us at [email protected].

For transfers from the United Kingdom, Clippable uses the UK International Data Transfer Agreement (“IDTA”) or equivalent UK-approved transfer mechanism as applicable.

9. Data Subject Rights

Where Clippable receives a data subject request directly that relates to personal data processed on behalf of a Customer, Clippable will:

• Promptly notify the Customer of the request (to the extent permitted by law).
• Not respond to the data subject on the Customer's behalf without the Customer's authorization, except where required by applicable law.
• Provide reasonable technical assistance to the Customer to facilitate the Customer's response to the request.

Clippable will also assist the Customer, at no additional charge, in responding to data subject requests that can be addressed through platform functionality (e.g., account deletion, data export).

10. Audits and Inspections

Clippable will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable written notice (minimum 30 days), Clippable will allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer, subject to:

• The Customer bearing all costs associated with any audit.
• The auditor executing a confidentiality agreement acceptable to Clippable prior to the audit.
• The audit being conducted during normal business hours and in a manner that minimizes disruption to Clippable's operations.
• The scope of the audit being limited to information relevant to Clippable's processing of the Customer's personal data.

11. CCPA Service Provider Terms

To the extent that the CCPA applies to Clippable's processing of personal information on behalf of the Customer, Clippable acknowledges that it acts as a “service provider” as defined under the CCPA. Accordingly, Clippable:

• Will not “sell” or “share” (as defined under the CCPA) personal information provided by the Customer.
• Will not retain, use, or disclose personal information for any commercial purpose other than providing the Services specified in the Terms of Service.
• Will not retain, use, or disclose personal information outside of the direct business relationship with the Customer.
• Certifies that it understands and will comply with these restrictions.

12. Term and Termination

This DPA remains in effect for the duration of the Terms of Service and any active use of the Services. Upon expiration or termination:

• Clippable will, at the Customer's election, delete or return all personal data within 60 days, unless retention is required by applicable law.
• Clippable will certify in writing that all personal data has been deleted upon request.
• Obligations that by their nature survive termination (e.g., confidentiality, security incident notification) will continue in force.

13. Limitation of Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations of liability set forth in the Clippable Terms of Service. The total aggregate liability of either party under this DPA shall not exceed the amounts paid by the Customer to Clippable in the twelve (12) months preceding the claim.

14. Governing Law

This DPA is governed by the same law as the Terms of Service. For EEA or UK Customers, to the extent required by applicable data protection law, this DPA is also governed by the applicable EU or UK data protection legislation, including the GDPR and UK GDPR respectively.

15. Contact for Data Protection Inquiries

For questions about this DPA, to request a signed copy, or for any other data protection inquiry:

Enterprise customers requiring a fully executed, countersigned DPA for procurement or compliance purposes should email [email protected] with the subject line “DPA Request - [Company Name].”