Data Processing Addendum

Effective from: July 25, 2025

This Data Processing Addendum (“DPA”) supplements and forms part of the Terms of Service or other master agreement (“Agreement”) between you (“Customer”) and Heatseeker Inc. or its relevant affiliate (“Heatseeker”, “Processor”, “we”, “us”, or “our”) governing Customer’s use of the Heatseeker platform, products, and related services (the “Services”). Terms used but not defined in this DPA have the meanings given to them in the Agreement.

1. Definitions

“Personal Data” means “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined in Data Protection Laws.

“Customer Personal Data” means the Personal Data described under Annex 1 to this DPA.

“Data Protection Laws” means all applicable laws relating to the processing of Personal Data, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and other applicable privacy or data protection laws applicable to the Processing of Personal Data under the Agreement.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data. The term “Controller” includes a “business” as defined under the CCPA.

“Processor” means the entity that processes Personal Data on behalf of the Controller. The term “Processor” includes a “service provider” as that term is defined under the CCPA.

“Subprocessor” means any third party engaged by Processor to process Personal Data on behalf of Controller.

“Sell” and “Share” each has the meaning given in the Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

“Data Subject”, “Processing”, and related terms have the meanings given in applicable Data Protection Laws.

2. Scope and Roles

2.1. Controller/Processor Roles: Each of Customer and Heatseeker will comply with their respective obligations under the Data Protection Laws. Excluding the data described in Section 2.2, for Customer Data that includes Personal Data and is processed by Heatseeker on Customer’s behalf pursuant to the Agreement, Customer is the “Controller”, and Heatseeker is the “Processor”.

2.2. Platform and California Consumer Data: For Personal Data that Heatseeker collects and processes for its own account management, analytics, security, billing, and compliance purposes (such as account registration data, platform usage analytics, and support communications), Heatseeker acts as an independent “Controller.” Additionally, with respect to the Personal Data of Data Subjects where Customer engages Heatseeker’s Services which may constitute “cross-context behavioral advertising” (as defined in the CCPA) of Californian Data Subjects, Heatseeker acts as an independent “Controller”. Heatseeker’s processing of such data is subject to its Privacy Policy and is not subject to the terms of this DPA.

3. Instructions and Purpose

Heatseeker will process Customer Personal Data only on documented instructions from Customer, as necessary to provide the Services, comply with law, or as otherwise agreed in writing.

Customer instructs Heatseeker to process Customer Personal Data as required to provide the Services, support and secure the Services, and as further described in the Agreement and this DPA.  Heatseeker shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Services, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Heatseeker, including by combining Customer Personal Data with Personal Data Heatseeker receives from third parties, other than Customer, except as permitted by the Data Protection Laws; or (3) Sell or Share Customer Personal Data. Upon notice to Heatseeker, Customer may take reasonable and appropriate steps to remediate Heatseeker’s use of Customer Personal Data in violation of this DPA.

4. Confidentiality and Security

4.1. Confidentiality: Heatseeker ensures that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

4.2. Security: Heatseeker implements and maintains appropriate technical and organizational security measures (as described in the Agreement and Annex 2) to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. To the extent required by Data Protection Laws, Heatseeker will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.

5. Subprocessing

5.1. Authorization: Customer consents to Heatseeker engaging Subprocessors as needed to deliver the Services. A list of current Subprocessors is available upon request.

5.2. Safeguards: Heatseeker ensures Subprocessors are subject to written agreements requiring them to protect Personal Data in accordance with this DPA and applicable law.

5.3. Notice and Objection: Heatseeker will notify Customer at least 30 days in advance of any intended addition or replacement of Subprocessors. Customer may object in writing on reasonable privacy grounds within this period. If no resolution is reached, Customer may terminate the affected Services by providing written notice to Heatseeker within 30 days of receiving such notice, with a pro-rata refund of unused fees for the terminated Services.

6. Data Subject Rights

To the extent legally required, Heatseeker will assist Customer (at Customer’s cost) in responding to Data Subject requests to access, correct, delete, restrict, or port their Personal Data, or to object to certain processing, as described in Data Protection Laws.

If Heatseeker receives a request directly from a Data Subject, it will promptly forward it to Customer (unless legally prohibited).

7. Data Breach Notification

Heatseeker will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Data, providing sufficient information for Customer to meet any obligations to notify regulators or Data Subjects under Data Protection Laws. Heatseeker’s notice of or response to a Personal Data Breach under this Section 7 will not be an acknowledgement or admission by Heatseeker of any fault or liability with respect to the Personal Data Breach.

8. Data Transfers

Where Personal Data is transferred outside the EEA, UK, or other relevant jurisdiction, Heatseeker will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (“EU SCCs”), adequacy decisions, or other mechanisms as required by Data Protection Laws.  For purposes of the EU SCCs the parties agree that:

  • The optional docking clause 7 of the EU SCCs will not apply.
  • In clause 9 of the EU SCCs, option 2 will apply and the time period for prior notice of Subprocessor changes will be as set forth in Section 5.3 of this DPA.
  • The optional language in clause 11 of the EU SCCs will not apply.
  • In clause 17 of the EU SCCs, option 1 applies and the EU SCCs shall be governed by the laws of Ireland.
  • In clause 18(b) of the EU SCCs, the parties agree to submit to the jurisdiction of the courts of Ireland.
  • In Annex I, Section A (List of Parties) of the EU SCCs, (i) the Customer is the data exporter and Heatseeker is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller (under “Module Two” of the EU SCCs) or Processor (under “Module Three” of the EU SCCs), and Heatseeker is a Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Service pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA.
  • In Annex I, Section B (Description of Transfer) of the EU SCCs: (i) Annex 1 to this DPA describes Heatseeker’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Service); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Heatseeker uses the Subprocessors described in Section 5 of this DPA to support the provision of the Service.
  • In Annex I, Section C (Competent Supervisory Authority) of the EU SCCs, the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Heatseeker.
  • In Annex II of the EU SCCs, data importer has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Annex 2 to this DPA.

9. Deletion and Return

Upon termination or expiry of the Agreement, Heatseeker will, at Customer’s written request, delete or return all Personal Data processed on Customer’s behalf, unless retention is required by law or permitted for legitimate business purposes.

Residual backup data will be deleted in line with Heatseeker’s standard retention schedule and will not be used for any other purpose.

10. Audits and Compliance

Upon written request, Heatseeker will make available to Customer information necessary to demonstrate compliance with this DPA, such as SOC 2 or similar third-party audit summaries. If additional information is required, Customer may, no more than once per year (except as required by law or in response to a security incident), conduct a reasonable and proportionate audit or inspection of Heatseeker’s data processing activities, subject to at least 30 days’ prior written notice, confidentiality obligations, and at Customer’s expense. Customer agrees not to unduly disrupt Heatseeker’s business and to coordinate in good faith on audit timing and scope.

11. Limitation of Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Customer acknowledges that Heatseeker is reliant on Customer for direction as to the extent to which Heatseeker is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently, Heatseeker will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Heatseeker in compliance with Customer’s instructions or (b) Customer’s failure to comply with its obligations under the Data Protection Laws.

12. Miscellaneous

12.1. Conflicts: If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict as it relates to data protection. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.

12.2. Incorporation: This DPA is incorporated into and forms part of the Agreement.

12.3. Duration: This DPA will remain in effect as long as Heatseeker processes Personal Data on behalf of Customer under the Agreement.

Annex 1: Data Processing Details

Data Subject Categories: Employees, contractors, end users, leads, and other individuals whose data is provided to the Services by or at the direction of Customer.

Personal Data Types: Name, contact information, account IDs, form responses, marketing preferences, experiment data, usage data, technical data, and any other information provided by Customer or data subjects.

Processing Purposes: Providing, supporting, improving, securing, and developing the Services, as described in the Agreement and DPA.

Nature of Processing: Collection, storage, use, transmission, disclosure, analysis, and deletion, as needed to provide and improve the Services.

Processing Frequency: Continuous as necessary for the term of the Agreement.

Retention Period: For the term of the Agreement and in accordance with Section 9 (Deletion and Return).

Annex 2: Technical and Organizational Security Measures

  1. Data Encryption: Personal Data is encrypted at rest and in transit using industry-standard protocols.
  2. Access Controls: Role-based access and authentication; least privilege enforced.
  3. Physical Security: Data centers are protected by industry-standard physical controls.
  4. Monitoring & Logging: Security events and access to Personal Data are logged and monitored.
  5. Vulnerability Management: Regular vulnerability scanning, patching, and penetration testing.
  6. Personnel Training: Security and privacy training for all personnel with access to Personal Data.
  7. Incident Response: Documented security incident and data breach response procedures.
  8. Business Continuity/Disaster Recovery: Backups, failover, and disaster recovery plans in place.

IN WITNESS WHEREOF, this DPA is effective and forms part of the Agreement as of the Effective Date.

By using the Services, Customer agrees to this DPA. For a signed version, please contact privacy@heatseeker.ai.
