Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between Albright Labs LLC ("Albright Labs") and the customer that has accepted Albright Labs' Terms of Service ("Customer"; together, the "Parties") for use of Albright Apps (the "Service"). It governs Albright Labs' processing of Personal Data on Customer's behalf and applies whenever such processing is subject to the GDPR, the UK GDPR, the Swiss FADP, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA"), or any other Data Protection Law that requires a written agreement of this kind. In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the subject matter it addresses.
1. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service. The following definitions also apply:
- "Data Protection Law" means all laws and regulations applicable to the Parties' processing of Personal Data, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the CCPA, and other comparable U.S. state privacy laws.
- "Personal Data" means any "personal data," "personal information," or equivalent term defined under applicable Data Protection Law that Customer or its End Users submit to or generate through the Service and that Albright Labs processes on Customer's behalf.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Processing" (and "process") has the meaning given in GDPR Art. 4(2).
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
- "Sub-processor" means any third party engaged by Albright Labs to process Personal Data on its behalf in connection with the Service.
- "SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (or any successor decision), as supplemented for transfers from the United Kingdom by the UK Information Commissioner's International Data Transfer Addendum (or its successor) and for transfers from Switzerland by the FADP-specific adaptations issued by the Swiss Federal Data Protection and Information Commissioner.
- "Controller", "Processor", "Service Provider", "Business", and "Sale" / "Share" have the meanings given in the relevant Data Protection Law.
2. Roles of the Parties
For Personal Data processed under this DPA, Customer is the Controller (or Business) and Albright Labs is the Processor (or Service Provider). Where Customer acts as a Processor on behalf of a third-party Controller, Albright Labs acts as a Sub-processor; in that case, Customer is responsible for ensuring that Customer's engagement of Albright Labs is authorized by the relevant Controller and that this DPA's protections flow through.
Albright Labs separately acts as a Controller in its own right with respect to certain operational data, including account-management metadata and aggregate Service-usage data; that processing is described in the Privacy Policy and is not the subject of this DPA.
3. Scope and Description of Processing (Annex 1)
Subject matter. Albright Labs' provision of the Service to Customer.
Duration. The term of Customer's subscription to the Service plus any post-termination period during which Albright Labs retains Personal Data in accordance with Section 13.
Nature and purpose of processing. Hosting, storage, retrieval, transmission, and analysis of Personal Data as necessary to provide the Service Customer has subscribed to and to fulfill Customer's documented instructions.
Categories of Data Subjects. Customer's authorized users; Customer's end users, recipients, contacts, subscribers, and other natural persons whose information Customer submits to or generates through the Service. The specific categories depend on which App(s) Customer uses:
- Toggley: Customer's authorized users; HTTP API callers identified by IP address;
- Sendly: Customer's authorized users; Customer's email subscribers and recipients;
- Pulsey: Customer's authorized users; on-call notification recipients designated by Customer;
- Scanley: Customer's authorized users; persons who scan Customer's QR codes or click Customer's short links.
Categories of Personal Data. Determined by Customer through its configuration and use of the Service. Categories typically include:
- Identifiers (name, email address, account/user identifier);
- Authentication data (hashed passwords, multi-factor authentication state);
- Contact information (email, optional phone number);
- Internet and network activity (IP address, user-agent, session metadata, API request logs);
- Device and approximate geolocation data derived from IP (Scanley scan/click analytics);
- Email engagement events (delivery, bounce, open, click, unsubscribe — Sendly);
- Customer-defined metadata fields (e.g., custom subscriber attributes in Sendly);
- Any other Personal Data Customer chooses to submit, subject to the Acceptable Use Policy in the Terms of Service.
Special-category data. Customer agrees not to submit special categories of personal data (GDPR Art. 9), criminal-conviction data, government-issued identifiers, payment-card numbers (other than via the Service's Stripe-integrated payment flow), health information subject to HIPAA, or data subject to ITAR or PCI-DSS, unless the Parties have agreed in writing to such use and have implemented appropriate additional safeguards.
4. Customer's Instructions
Albright Labs will process Personal Data only on Customer's documented instructions, which consist of (a) the Terms of Service; (b) this DPA; (c) Customer's configuration and use of the Service through its administrative interfaces and APIs; and (d) any other written instructions Customer provides that are mutually agreed in writing. Albright Labs will inform Customer if, in its opinion, an instruction infringes Data Protection Law, except where law prohibits such notice.
5. Confidentiality of Processing
Albright Labs will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations or are under appropriate statutory obligations of confidentiality, and are trained in their data-protection responsibilities.
6. Security (Annex 2 — Technical and Organizational Measures)
Albright Labs implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, having regard to the state of the art, the costs of implementation, the nature of the processing, and the risk to Data Subjects. These measures include, at a minimum:
- Encryption. TLS 1.2+ for data in transit between Customer, the Service, and sub-processors; encryption at rest for application databases and object storage at the infrastructure layer.
- Authentication and access control. Hashed (and salted) storage of user passwords and recovery codes; least-privilege access provisioning for staff; multi-factor authentication for administrative access; role-based access controls; session expiry and rotation.
- Network and infrastructure security. Application servers operated in segmented network environments; firewalled databases not exposed to the public internet; managed-service patching for hosted operating systems and runtimes.
- Logging and monitoring. Audit logs of security-relevant events; application logs sufficient to investigate anomalies; error monitoring and alerting on failure conditions.
- Vulnerability management. Routine dependency scanning; timely patching of identified vulnerabilities in accordance with severity; periodic review of third-party libraries.
- Backup and recovery. Regular, encrypted database backups with documented restore procedures; redundancy across availability zones where the underlying infrastructure provider supports it.
- Personnel. Background checks where permitted by local law; signed confidentiality agreements; security training; off-boarding procedures that revoke access promptly.
- Incident response. A documented Personal Data Breach response plan, including triage, containment, investigation, notification, and post-incident review.
- Vendor management. Due diligence on Sub-processors; contractual data-protection obligations with each; periodic review of Sub-processor security.
Albright Labs may update these measures from time to time, provided that no update will materially diminish the level of security afforded to Personal Data.
7. Sub-processors (Annex 3)
Customer provides Albright Labs with general written authorization to engage Sub-processors, subject to this Section. The Sub-processors currently engaged for the Service are:
- DigitalOcean, LLC (United States) — application, database, and storage hosting;
- Laravel Forge / Laravel LLC (United States) — server provisioning and configuration;
- Envoyer / Laravel LLC (United States) — code deployment orchestration;
- Stripe, Inc. (United States) — payment processing, subscription billing, customer portal, invoicing, and tax;
- Sendinblue SAS, d/b/a Brevo (France) — transactional email delivery and, where Customer uses Sendly's default sending infrastructure, campaign email delivery.
Albright Labs will (a) impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA; (b) remain liable to Customer for each Sub-processor's performance of its obligations; and (c) provide Customer with reasonable advance notice (by email to the Account billing contact and/or by updating this DPA on this page) before adding or replacing a Sub-processor that materially affects the processing of Personal Data. Customer may object to such an addition or replacement on reasonable, documented data-protection grounds within thirty (30) days of notice; if the objection cannot be reasonably resolved, Customer may terminate the affected subscription as its sole and exclusive remedy. Continued use of the Service following the notice period constitutes Customer's acceptance.
8. Assistance with Data Subject Requests
Taking into account the nature of the processing, Albright Labs will provide Customer with reasonable assistance, by appropriate technical and organizational measures and to the extent possible, to enable Customer to fulfill its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). Where Albright Labs receives, directly from a Data Subject, a request relating to Customer's Personal Data, Albright Labs will, unless prohibited by law, promptly forward the request to Customer rather than respond directly, and will not respond to the Data Subject except to confirm receipt or to inform the Data Subject that the request must be directed to the Customer.
9. Personal Data Breach Notification
Albright Labs will notify Customer without undue delay and, in any event, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent then known: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) a contact point for further information. Albright Labs will provide Customer with reasonable cooperation and assistance in fulfilling Customer's own breach-notification obligations under Data Protection Law.
10. Data Protection Impact Assessments and Prior Consultation
Albright Labs will provide Customer with reasonable assistance, taking into account the nature of the processing and information available to Albright Labs, to enable Customer to (a) carry out data protection impact assessments under GDPR Art. 35 and (b) engage in prior consultations with supervisory authorities under GDPR Art. 36, in each case where required and to the extent the assessment relates to Albright Labs' processing of Personal Data on Customer's behalf.
11. International Data Transfers
Albright Labs is established in the United States and may transfer Personal Data to, and process it in, the United States and other jurisdictions where its Sub-processors operate. To the extent any such transfer is subject to GDPR or UK GDPR cross-border-transfer rules, the Parties agree that the SCCs (with their UK and Swiss adaptations as applicable) are incorporated into this DPA by reference and apply, with Customer (or its Controller) as data exporter and Albright Labs (or the relevant Sub-processor) as data importer, on the following basis:
- Module selection. Module Two (Controller-to-Processor) where Customer is a Controller; Module Three (Processor-to-Sub-processor) where Customer is itself a Processor on behalf of a third-party Controller.
- Optional Clause 7 (docking clause). Included.
- Clause 9 (sub-processor authorization). Option 2 (general authorization), with the notice period set in Section 7 above.
- Clause 11 (independent dispute resolution). The optional language is not used.
- Clause 17 (governing law). The law of the EU member state in which the data exporter is established or, if none, the Republic of Ireland.
- Clause 18 (forum and jurisdiction). The courts of the EU member state designated under Clause 17.
- Annex I.A (parties). Customer (data exporter) and Albright Labs (data importer); contact details as set out in this DPA and the Account.
- Annex I.B (description of transfer). As described in Section 3 of this DPA.
- Annex I.C (competent supervisory authority). The supervisory authority of the EU member state in which the data exporter is established or, if none, the Irish Data Protection Commission.
- Annex II (technical and organizational measures). As described in Section 6 of this DPA.
- Annex III (sub-processors). As described in Section 7 of this DPA.
For transfers from the United Kingdom, the parties incorporate the UK Information Commissioner's International Data Transfer Addendum to the SCCs in its current form. For transfers from Switzerland, references to the GDPR are deemed to refer to the FADP, and references to EU member state supervisory authorities are deemed to refer to the Swiss Federal Data Protection and Information Commissioner.
12. Audit Rights
Customer may, no more than once per twelve-month period (and more frequently if required by a supervisory authority or following a confirmed Personal Data Breach), request information reasonably necessary to demonstrate Albright Labs' compliance with this DPA. Customer agrees to first accept current third-party audit reports, certifications, and similar documentation made available by Albright Labs as satisfying its audit rights, where available. If a written information request is insufficient, the Parties will agree in good faith on the scope, timing, and conditions of an on-site audit, conducted at Customer's expense by an independent auditor mutually approved by the Parties, during normal business hours, with reasonable advance notice, and subject to confidentiality obligations.
13. Return or Deletion of Personal Data
On termination or expiration of Customer's subscription, Albright Labs will, on Customer's written request received within thirty (30) days after termination, make Customer Content available for export in a commercially reasonable format. After that thirty (30)-day period (or sooner on Customer's instruction), Albright Labs will delete Personal Data from production systems and purge it from backups in accordance with Albright Labs' standard backup-rotation schedule (typically within ninety (90) days), except to the extent retention is required by applicable law, in which case Albright Labs will continue to protect such Personal Data in accordance with this DPA until deletion is permitted.
14. CCPA-Specific Terms
Where Albright Labs processes Personal Data subject to the CCPA, Albright Labs is acting as a "Service Provider" as defined in Cal. Civ. Code § 1798.140. Albright Labs will not (a) "sell" or "share" Customer's Personal Data within the meaning of the CCPA; (b) retain, use, or disclose Customer's Personal Data outside the direct business relationship between the Parties or for any commercial purpose other than performing the Service; or (c) combine Customer's Personal Data with personal data received from any other person except as permitted under CCPA Regs. § 7050(b). Albright Labs certifies that it understands and will comply with these restrictions. Customer may take reasonable and appropriate steps to ensure that Albright Labs uses Personal Data in a manner consistent with Customer's CCPA obligations and may, on notice, take reasonable and appropriate steps to stop and remediate Albright Labs' unauthorized use of Personal Data.
15. Liability
Each Party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. The Parties agree that any reference in those limitations to liability arising out of or relating to the Terms of Service includes liability arising out of or relating to this DPA.
16. Conflict; Term; General
This DPA is incorporated into the Terms of Service. In the event of any conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA controls. This DPA takes effect on the Effective Date and continues for the term of the Terms of Service, with sections that by their nature are intended to survive (including Sections 6, 9, 11, 13, 14, and 15) surviving termination as needed to give effect to their terms.
This DPA may be updated by Albright Labs to reflect changes required by Data Protection Law or to incorporate operational improvements that do not materially diminish the protections afforded to Customer's Personal Data. Material changes will be communicated by email to the Account billing contact and/or by a prominent notice in the Service at least thirty (30) days before they take effect.
17. Contact
For questions or requests under this DPA, contact:
Albright Labs LLC
Attn: Data Protection
PO Box 1537, Albrightsville, PA 18210-1537
Email: support@albrightlabs.com