DATA PROCESSING ADDENDUM

Last Updated: July 16, 2026

This Data Processing Addendum (“DPA”) forms part of the Main Services Agreement or other written or electronic agreement between Reslify LLC (“Reslify”) and the entity purchasing the Services (“Client”) (collectively, the “Agreement”) and reflects the parties’ agreement with regard to the Processing of Client Personal Data in accordance with applicable Data Protection Laws.

By signing or otherwise accepting the Agreement, Client enters into this DPA on its own behalf and, to the extent permitted under applicable laws, in the name and on behalf of its Affiliates, if and to the extent Reslify Processes Client Personal Data for which such Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, references to “Client” include Client and its applicable Affiliates. All capitalized terms used but not defined in this DPA shall have the meanings ascribed to such terms in the Agreement.

Client may enter into and accept this DPA by (a) signing the Agreement, or (b) electronically accepting the Agreement and this DPA via clickwrap or a similar online acceptance mechanism. Such electronic acceptance shall constitute Client’s valid execution of this DPA.

In the course of providing the Services to Client pursuant to the Agreement, Reslify will Process Client Personal Data on behalf of Client, and the Parties agree to comply with this DPA, each acting reasonably and in good faith. For the avoidance of doubt, references to this DPA include this DPA and all Schedules hereto.

Schedules. Schedules 1–5 form part of this DPA and are incorporated by reference. Capitalized terms used in a Schedule but not defined there have the meanings given in this DPA.

Scope. This DPA applies to Client Personal Data that Reslify Processes as a Processor on behalf of Client in connection with the Services, except as expressly set forth in Section 3, which describes limited Processing by Reslify as an independent Controller. The Processor obligations in this DPA do not apply to Personal Data that Reslify Processes as an independent Controller for purposes it determines itself, including (i) account-level registration, administration and Client relationship management data maintained outside the Services or Client tenant, (ii) billing, subscription, invoicing, payment-status, and sales or marketing contact data related to the direct Client relationship, and (iii) Limited Controller Telemetry as described in Section 3. Such Processing is governed by Reslify’s Privacy Policy, subject to Sections 3 and 8.11 below. Personal Data of Client’s Authorized Users processed within the Services to provision access, administer the Client tenant, provide in-product auditability, troubleshoot, monitor reliability, perform capacity planning, generate Client reporting, or otherwise support the Services constitutes Client Personal Data and is Processed by Reslify as Processor. The same individual’s data may be processed as Client Personal Data within the Client tenant and as Reslify-controlled account, billing, or CRM records outside the Client tenant.

1. DEFINITIONS

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a party. An entity shall be deemed to control another entity if it has the power to direct or cause the direction of the management or policies of such entity, whether through ownership of voting securities, by contract, or otherwise.

“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CPRA"), and any binding regulations promulgated thereunder.

“Client Content” means the substantive content submitted by or on behalf of Client into the Services (including text, images, menus, venue descriptions, notes, custom fields, and other content displayed or stored within the Client tenant), which may include Personal Data.

“Client Personal Data” means any Personal Data that Reslify (or its Subprocessors) Processes on behalf of Client or its Affiliates pursuant to or in connection with the Agreement. For the avoidance of doubt, information that has been anonymized (to the standard required by the GDPR) or de-identified (including, where applicable, as defined in the CCPA/CPRA) such that it is no longer considered Personal Data under applicable Data Protection Laws shall not be Client Personal Data hereunder. For clarity, Client Personal Data does not include Personal Data that Reslify Processes as an independent Controller (as described in the Scope section and Section 3).

For clarity, full payment card numbers and card security codes are collected in payment-processor-controlled fields or pages and are processed and stored by the applicable payment processor, not by Reslify. Reslify may Process processor customer and payment-method identifiers, transaction and status information, and masked card descriptors (such as card brand, last four digits, and expiry month/year) as necessary to operate the Services. Those limited descriptors do not include full primary account numbers or card security codes.

“Controller” means any natural or legal person, public authority, agency, or other body that determines the purposes and means of Processing Personal Data, whether alone or jointly with others.

“Data Protection Laws” means (a) European Data Protection Laws; (b) the CCPA/CPRA; and (c) to the extent applicable to the Processing of Client Personal Data under the Agreement, any other applicable laws, rules, and regulations relating to privacy, data protection, or the Processing of Personal Data (including, where applicable, U.S. federal and state privacy and consumer data protection laws), in each case as amended, replaced, or superseded from time to time.

“Data Subject” means the identified or identifiable natural person to whom Client Personal Data relates.

“European Data Protection Laws” means (i) the GDPR, (ii) the EU rules on privacy in electronic communications set out in Directive 2002/58/EC (as implemented in applicable national law), and (iii) the United Kingdom’s Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended, and any successor or replacement legislation.

“European Data” means Client Personal Data that is subject to European Data Protection Laws.

“EEA” means the European Economic Area.

“GDPR” means, to the extent applicable to the relevant Processing: (i) Regulation (EU) 2016/679 (the “EU GDPR”); and/or (ii) the EU GDPR as it applies in the United Kingdom pursuant to the European Union (Withdrawal) Act 2018, together with the UK Data Protection Act 2018 (the “UK GDPR”), in each case including any implementing or supplementary legislation and any amendments, replacements, or successor laws.

“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar terms defined in applicable Data Protection Laws.

“Personal Data Breach” means a breach of Reslify’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data in Reslify’s possession, custody or control.

“Processing” (and related terms such as “Process” and “Processed”) means any activity or set of activities carried out on Personal Data, whether by automated means or otherwise, including collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing (by transmission or otherwise making available), combining, restricting, erasing, or destroying such Personal Data.

“Processor” means any person or entity that Processes Personal Data on behalf of a Controller.

“Restricted Transfer” means any disclosure of, access to, or other transfer of Client Personal Data from (i) the EEA to a country or territory outside the EEA that is not covered by an adequacy decision of the European Commission, (ii) the United Kingdom to a country or territory outside the United Kingdom that is not covered by an adequacy decision of the UK Government, or (iii) Switzerland to a country or territory outside Switzerland that is not covered by an adequacy determination under Swiss Data Protection Laws, in each case where such transfer would require an appropriate transfer safeguard under the European Data Protection Laws and/or Swiss Data Protection Laws.

“SCCs” means the European Commission’s standard contractual clauses for international transfers of personal data adopted under Implementing Decision (EU) 2021/914, as updated, amended, or replaced from time to time.

“Service Telemetry” means technical and operational data generated by the Services about the operation, performance, security, and usage of the Services, such as logs, event metadata, device/browser and network information, error reports, response times, uptime metrics, feature usage statistics, and security/audit metadata. For clarity, Service Telemetry excludes Client Content and does not include the substantive content of reservations/notes/messages, except to the limited extent strictly necessary to detect, prevent, or remediate security incidents, fraud, or abuse.

“Subprocessor” means any person or entity (including a third party or an Affiliate of Reslify, but excluding Reslify’s personnel) engaged or appointed by or on behalf of Reslify or any of its Affiliates to Process Client Personal Data for the provision of the Services.

“Switzerland” means the Swiss Confederation.

“Swiss Data Protection Laws” means Switzerland’s Federal Act on Data Protection (“FADP”) and any applicable implementing ordinances and binding guidance, in each case as amended, replaced, or superseded from time to time.

“UK Transfer Addendum” means the Information Commissioner’s Office (ICO) international data transfer addendum that supplements the EU SCCs for transfers subject to the UK GDPR, issued pursuant to section 119A of the UK Data Protection Act 2018, as amended, updated, or replaced from time to time.

Terms such as “Commission,” “Data Protection Impact Assessment,” “Member State,” and “Supervisory Authority” shall be interpreted in accordance with the meanings given to them in the GDPR, and related terms shall be construed accordingly.

2. PROCESSING OF PERSONAL DATA

2.1 Details of the Processing. The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, Client is the Controller, Reslify is the Processor. The subject matter, duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA. For the avoidance of doubt, where Client acts as a Processor on behalf of another Controller, Reslify will Process the relevant Client Personal Data as a Processor acting as Client’s Subprocessor, and the applicable SCC module (including Module Three where relevant) is as set out in Schedule 4.

2.2 Client’s Processing of Personal Data; Instructions. Client shall, in its use of the Services, Process Personal Data, including by engaging Reslify as Processor, in accordance with applicable Data Protection Laws. For the avoidance of doubt, Client’s instructions for the Processing of Client Personal Data shall comply with applicable Data Protection Laws. The Parties agree that, as of the date Client enters into the Agreement, the Agreement (including this DPA) constitutes Client’s complete documented instructions to Reslify for the Processing of Client Personal Data. For clarity, Client’s documented instructions also include Client’s configuration and use of the Services (including administrative settings and feature selections), Client’s use of the Services’ self-service controls, and any support requests or API calls submitted by or on behalf of Client, in each case to the extent consistent with the Agreement. Any additional or alternative instructions that materially expand the scope of Processing beyond the Agreement shall be agreed by the Parties and documented in a written amendment to this DPA. Client shall have sole responsibility for (a) the accuracy of Client Personal Data, (b) the manner in which Client collected and obtained such Client Personal Data, and (c) ensuring that all required notices have been provided and that all necessary consents and permissions have been obtained, as required under applicable Data Protection Laws, in connection with Reslify’s Processing of Client Personal Data.

2.3 Reslify’s Processing of Client Personal Data. Reslify shall Process Client Personal Data only (i) on Client’s documented instructions or (ii) as otherwise required or permitted by applicable laws (including applicable Data Protection Laws). Client instructs Reslify to Process Client Personal Data as necessary to provide the Services and in accordance with the Agreement. Reslify will Process Client Personal Data in accordance with applicable Data Protection Laws; however, Reslify shall not be deemed in breach of this obligation to the extent any Processing that is inconsistent with applicable Data Protection Laws is attributable to Client’s documented instructions or otherwise results from Client’s acts or omissions. Reslify shall notify Client if, in Reslify’s reasonable judgment, any instruction provided by Client violates or is otherwise not compliant with applicable Data Protection Laws. Where Reslify is compelled by applicable laws to Process Client Personal Data outside the scope of Client’s documented instructions, Reslify shall, unless prohibited by applicable laws, notify Client prior to performing such Processing.

2.4 General. Taking into account the nature of the Processing of Client Personal Data and the information available to Reslify, and subject to the provisions of this DPA, Reslify shall provide to Client such information and assistance as Client may reasonably request to enable Client to meet its obligations under applicable Data Protection Laws, to the extent such information is available to Reslify and the provision thereof does not compromise the security, confidentiality, integrity, or availability of Personal Data Processed by Reslify. Reslify shall also make available to Client, upon reasonable request, such information in Reslify’s possession as is necessary to demonstrate Reslify’s compliance with applicable Data Protection Laws and this DPA. Such assistance may include, where applicable and as reasonably requested, support for Data Protection Impact Assessments (DPIAs) and, where required under applicable Data Protection Laws, support for Client’s prior consultations with the competent Supervisory Authority. Any assistance is limited to what is reasonably necessary and proportionate, taking into account the nature of the Services and the information available to Reslify. Reslify may charge reasonable fees at its then-current rates for assistance that is non-standard, requires material engineering or legal effort, or is beyond the Services’ standard functionality, to the extent permitted by law.

2.5 Client Warranties; Legal Bases; Indemnity. Client represents and warrants that (a) it has provided all notices and obtained all consents and/or has another valid legal basis under applicable Data Protection Laws to collect, use, and disclose Client Personal Data and to instruct Reslify to Process Client Personal Data as contemplated by the Agreement; and (b) Client’s instructions, configurations, and use of the Services will not cause Reslify to Process Client Personal Data in violation of applicable Data Protection Laws. To the extent permitted by law, Client shall defend, indemnify, and hold harmless Reslify, its Affiliates, and their respective officers, directors, employees, and agents from and against third-party claims and direct damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) finally awarded by a court or competent authority, or agreed to in a settlement approved by Client, in each case to the extent arising from Client’s proven breach of this DPA or applicable Data Protection Laws, including Client’s failure to obtain a valid legal basis, provide required notices, obtain required consents, or lawfully collect and submit Client Personal Data to the Services. Administrative fines, regulatory penalties, sanctions, or similar public-law amounts are indemnifiable only to the extent they are legally transferable or indemnifiable under applicable law, finally imposed by a competent authority or finally awarded by a court of competent jurisdiction, and caused by Client’s proven breach. This indemnity will not apply to the extent a claim, damage, fine, penalty, sanction, cost, or expense is caused by Reslify’s breach of this DPA, Reslify’s failure to comply with applicable Data Protection Laws in its role as Processor (or Controller, where applicable), or Reslify’s gross negligence or willful misconduct.

2.6 Sensitive Data; Client Control and Responsibility; Optional Addendum. Client acknowledges that the Services may Process certain data that may be subject to heightened requirements under applicable Data Protection Laws, including (a) “special categories of personal data” within the meaning of Article 9 GDPR (e.g., health data such as allergy information) and/or (b) personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, and/or similar highly sensitive data (collectively, “Sensitive Data”). Reslify does not determine whether any particular information submitted to the Services constitutes Sensitive Data.

Client may, in its sole discretion, choose to request, collect, submit, and Process Sensitive Data through the Services (including via free-text fields and/or Client-configured custom fields, forms, and workflows). Client is solely responsible for (i) determining the nature of the data it requests or collects (including whether it constitutes Sensitive Data), (ii) ensuring that a valid legal basis applies and any additional conditions or requirements are satisfied under applicable Data Protection Laws (including, where applicable, Article 9 GDPR conditions and transparency obligations), and (iii) providing all required notices and obtaining any necessary consents or authorizations from Data Subjects.

Reslify shall Process Sensitive Data submitted to the Services only on Client’s documented instructions and only as necessary to provide the Services within the Client tenant (e.g., to store and display booking/guest records to authorized Client users and to transmit communications initiated by Client configuration). Reslify applies the Security Measures in Schedule 3 to Client Personal Data, including any Sensitive Data submitted to the Services. Reslify does not use Sensitive Data for its own product analytics or service improvement and does not use Sensitive Data to train or fine-tune generalized AI models, except as expressly agreed in writing.

If Reslify reasonably determines that Client’s collection or use of Sensitive Data (including through systematic collection via custom fields or forms) creates a material compliance, security, or operational risk, or would require safeguards beyond Schedule 3 or material changes to the Services, Reslify may (a) request that the Parties enter into a separate written addendum setting out appropriate safeguards, scope, and (if applicable) fees; and/or (b) require Client to modify its configuration or collection practices; and/or (c) restrict access to, delete, or suspend the affected feature(s) to the extent permitted by law, until appropriate safeguards are implemented.

For the avoidance of doubt, Client’s obligations under Section 2.5 apply to Client’s collection and submission of Sensitive Data.

3. TELEMETRY AND LIMITED CONTROLLER PROCESSING

3.1 Processor Telemetry; Limited Controller Purposes. Service Telemetry generated within a Client account to provide, maintain, troubleshoot, monitor reliability, perform capacity planning, generate Client reporting, or otherwise support the Services is Client Personal Data and is Processed by Reslify as Processor on Client’s documented instructions.

Reslify may Process the minimum identifiable Service Telemetry necessary as an independent Controller only for platform-wide security monitoring and incident response, fraud and abuse prevention, compliance with law and legal process, direct billing or contract administration outside the Client tenant, and establishing, exercising, or defending legal claims (“Limited Controller Telemetry”). Limited Controller Telemetry does not include Client Content or the substantive content of Guest booking records except where access is strictly necessary for a specific security incident, fraud or abuse investigation, legal obligation, or legal claim.

Reslify will not use identifiable Client Personal Data in its independent Controller capacity for general product analytics or service improvement. Reslify may use aggregated or anonymized usage and performance information for those purposes only where it is no longer Personal Data under applicable Data Protection Laws and Reslify does not attempt to re-identify it.

3.2 GDPR Considerations. To the extent the GDPR applies to Limited Controller Telemetry, Reslify acts as an independent Controller only for the limited purposes stated in Section 3.1 and shall (a) comply with the GDPR in relation to such Processing; (b) protect Limited Controller Telemetry using technical and organizational measures no less protective than those required under this DPA; and (c) not disclose Limited Controller Telemetry in a manner that identifies Client or any applicable Data Subject except to Reslify’s Processors acting under its instructions, where required by applicable law or legal process, or as necessary to establish, exercise, or defend legal claims.

Data minimization. Reslify will limit Limited Controller Telemetry to fields necessary for the applicable purpose, restrict access on a need-to-know basis, and retain identifiable data only for as long as necessary for that purpose, subject to applicable law.

3.3 AI Features; Use of Data. Where enabled by Client, the Services may provide an AI-powered booking assistant, AI-assisted menu import, and related artificial intelligence or machine learning features (“AI Features”). To provide the AI Booking Assistant, Reslify may Process Guest messages and any personal data included in them, relevant booking-journey information, prior conversation context, and Client-configured venue information, offers, policies, and other booking content. To provide AI-assisted menu import, Reslify may Process Client-uploaded menu files or images, file metadata, extracted text, menu names, categories, item names, descriptions, prices, dietary or source labels, and generated structured menu drafts. The AI Booking Assistant may generate responses and propose non-binding booking-flow actions or draft changes; the booking flow remains the source of truth, and no reservation, hold, payment, or other booking-impacting action is completed without the applicable confirmation in the Services. AI-assisted menu-import output is a draft for Client review and may be edited or rejected before it is saved as menu content.

External AI model providers. If Reslify uses an external AI model provider to Process Client Personal Data for an AI Feature, that provider is a Subprocessor and must be identified in Schedule 2 before it Processes Client Personal Data in production. Reslify will engage that provider under a written agreement containing confidentiality, security, and data protection obligations consistent with this DPA and applicable Data Protection Laws.

No generalized-model training. Unless otherwise expressly agreed in writing by the Parties, Reslify will not use or share Client Personal Data or Client Content to train, fine-tune, or improve any generalized artificial intelligence model that is not deployed solely for Client’s use. Reslify may, however, use data that has been anonymized to the standard required by the GDPR or otherwise de-identified such that it is no longer Personal Data under applicable Data Protection Laws, as well as aggregated usage and performance data, to develop, maintain, and improve the Services and AI Features.

AI retention and transparency. In Reslify’s systems, Reslify retains AI Booking Assistant sessions, including a bounded conversation history, for up to 24 hours to maintain the conversation and booking journey. Stored conversation history is designed to redact email addresses and telephone numbers before storage. AI-assisted menu-import source files and associated import-job records stored by Reslify are scheduled to expire after up to seven (7) days. These periods are separate from retention by an external AI provider. Under OpenAI’s standard API data controls, API inputs and outputs may be retained in abuse-monitoring logs for up to thirty (30) days, unless a shorter approved retention control applies, and may be retained longer where OpenAI is legally required to do so. Menu content reviewed and saved by Client becomes Client Personal Data within the Services and is retained in accordance with Client’s instructions and this DPA. Where an AI Feature is intended to interact directly with natural persons, the Reslify-controlled interface identifies it as an AI system through a clear, visible, and non-configurable notice before the person can send a message. Client must not remove, obscure, or misrepresent that notice and remains responsible for any additional notices required by Client’s configuration or applicable law, including, where applicable, the EU AI Act.

3.4 Separation; Retention. Reslify will maintain reasonable logical separation between (a) Client Personal Data Processed as Processor and (b) Limited Controller Telemetry Processed as Controller for the purposes stated in Section 3.1. Reslify will retain Limited Controller Telemetry only for as long as reasonably necessary for the applicable limited purpose, subject to applicable law and Reslify’s retention practices described in the Privacy Policy.

4. Reslify PERSONNEL

4.1 Confidentiality. To the extent required under applicable Data Protection Laws, Reslify shall ensure that personnel authorized to Process Client Personal Data are bound by written confidentiality commitments or are otherwise subject to appropriate statutory or professional duties of confidentiality with respect to such Client Personal Data.

4.2 Limitation of Access. Reslify shall take commercially reasonable measures to restrict access to Client Personal Data to those members of its personnel who have a need to know such Client Personal Data for purposes of providing the Services in accordance with the Agreement.

5. DATA SUBJECT REQUESTS

5.1 Data Subject Requests. Having regard to the nature of the Processing, Reslify shall provide and maintain appropriate technical and organizational measures intended to support Client in meeting its obligations under applicable Data Protection Laws to respond to requests by Data Subjects to exercise their rights in respect of Client Personal Data (each, a “Data Subject Request”).

5.2 Client Controls. The Services include features and controls that enable Client to access, retrieve, rectify, erase, restrict, or otherwise manage Client Personal Data, which Client may use to facilitate compliance with applicable Data Protection Laws, including in connection with responding to Data Subject Requests. Where Client cannot address a Data Subject Request using the Services, Reslify shall, upon Client’s written request, provide reasonable assistance to enable Client to respond to such Data Subject Request. Any assistance provided under this Section 5 is subject to the limitations and fee terms in Section 2.4, to the extent permitted by applicable law.

5.3 Data Subject Requests Received by Reslify. If Reslify receives a Data Subject Request directly, Reslify shall, to the extent legally permitted and to the extent Reslify can reasonably determine that the request relates to a Data Subject whose Personal Data was submitted to the Services by or on behalf of Client, notify Client without undue delay. Reslify shall not take substantive action in response to any Data Subject Request except on Client’s prior written instructions, provided that Reslify may (a) confirm that the request relates to Client (which Client hereby authorizes) and (b) respond where required by applicable law, in which case Reslify shall, to the extent permitted by applicable law, inform Client of such legal requirement prior to responding. Client remains solely responsible for the substance of any response to Data Subject Requests and for related communications involving Client Personal Data.

5.4 Scope of This Section. For clarity, this Section 5 applies only to Client Personal Data processed by Reslify as Processor under this DPA. Requests relating to Personal Data processed by Reslify as an independent Controller (including account/billing/CRM data and Limited Controller Telemetry) will be handled by Reslify in accordance with its Privacy Policy and applicable law.

6. SUBPROCESSORS

6.1 Use of Subprocessors. Client acknowledges and agrees that Reslify may appoint its Affiliates as Subprocessors and may also engage third-party Subprocessors in connection with the provision of the Services and the related Processing of Client Personal Data. When Reslify engages a Subprocessor, Reslify shall limit that Subprocessor’s access to Client Personal Data to what is necessary to operate, maintain, and provide the Services to Client and its Users, shall enter into a written agreement with the Subprocessor imposing data protection obligations that are no less protective than those set out in this DPA (as applicable to the services performed by the Subprocessor), and shall remain liable for the acts and omissions of such Subprocessors under or in connection with this DPA to the same extent as if Reslify were performing the relevant services directly. Where required for any Restricted Transfer, Reslify will ensure that any Subprocessor involved in the Processing of European Data is subject to appropriate transfer safeguards (including the SCCs or other lawful mechanisms) for onward transfers and remote access, and that such safeguards are maintained for as long as the Subprocessor Processes such European Data.

6.2 Current Subprocessors; Notice of Changes; Objection. The current list of Subprocessors, including each Subprocessor’s identity, country of location, and the nature of the Processing performed, is set out in Schedule 2 (List of Subprocessors). Reslify shall notify Client in writing (including by email) at least ten (10) business days in advance of any intended addition or replacement of a Subprocessor. Client may object to such change by notifying Reslify in writing within ten (10) business days of receipt of the notice. Following a timely objection, the Parties shall work in good faith to implement a commercially reasonable change to the Services that avoids the use of the proposed Subprocessor. If Reslify cannot implement a commercially reasonable alternative within thirty (30) days after receiving Client’s objection, Client may, without prejudice to any rights and remedies available under the SCCs and/or the UK Transfer Addendum (as applicable) and/or mandatory applicable law, discontinue use of the affected feature(s) and/or terminate the affected Services in accordance with the Agreement (including any non-renewal or termination provisions applicable to the affected Services). Any termination rights and any refunds/credits (if any) are governed by the Agreement, except to the extent mandatory applicable law requires otherwise.

7. SECURITY

7.1 Protection of Client Personal Data; Security Measures. Considering the state of the art, implementation costs, and the nature, scope, context, and purposes of the Processing, as well as the risks to the rights and freedoms of Data Subjects, Reslify shall maintain appropriate technical and organizational measures to safeguard the security, confidentiality, and integrity of Client Personal Data, including measures designed to protect against a Personal Data Breach, and including (without limitation) measures consistent with Article 32 of the GDPR, as further described in Schedule 3 (Security Measures). Reslify may change or update the Security Measures from time to time in its discretion, provided that any such change does not materially reduce the overall level of protection afforded by the Security Measures and the Security Measures continue to comply with applicable Data Protection Laws. Client is responsible for determining whether the Services, the Security Measures, and Reslify’s commitments under this DPA are appropriate for Client’s intended Processing, taking into account the nature, scope, context, purposes, and risks of such Processing. Reslify shall provide information reasonably necessary to assist Client in making that assessment as described in this DPA.

7.2 Third Party Reports and Certifications. Upon Client’s written request at reasonable intervals and subject to the confidentiality obligations in the Agreement, Reslify shall provide Client with information reasonably necessary to demonstrate Reslify’s compliance with this DPA by making available copies of Reslify’s then-current, generally available third-party audit reports and/or certifications, if and to the extent available, and Reslify may satisfy such request by providing such materials to Client directly or through Client’s independent third-party auditor, provided that such auditor is not a competitor of Reslify and is bound by confidentiality obligations at least as protective as those in the Agreement.

7.3 Audit Rights. Reslify shall maintain sufficient records and information to demonstrate compliance with this DPA. Any audit or inspection request by Client shall first be satisfied, to the extent reasonably feasible, through remote means and by Reslify providing its then-current standard security and compliance materials made available under Section 7.2 (including, where applicable, third-party audit reports and certifications) and written responses to reasonable information requests and/or security questionnaires. Client (or its permitted third-party auditor described in Section 7.2) may conduct an audit or inspection remotely no more than once per calendar year, upon at least three (3) weeks’ prior written notice; provided, however, that this frequency limitation shall not apply to the extent a more frequent audit is (i) required by applicable law, (ii) required by Client’s regulators or a competent Supervisory Authority, and/or (iii) required to satisfy the audit rights under the SCCs (to the extent applicable) or any successor transfer mechanism. If an additional audit beyond the materials and remote methods described above is strictly required by applicable law, Client’s regulators, a competent Supervisory Authority, and/or the SCCs (to the extent applicable), the Parties shall agree in advance on the scope, timing, and procedures with a view to minimizing disruption and limiting the audit to matters necessary to verify compliance with this DPA (and/or the SCCs, as applicable). If an on-site audit is reasonably required under the foregoing circumstances, and Reslify maintains relevant facilities for the Processing of Client Personal Data, any on-site audit shall be limited to those facilities relevant to the Processing and shall not exceed one (1) business day unless required otherwise by applicable law, Client’s regulators, a competent Supervisory Authority, and/or the SCCs (to the extent applicable). Client shall reimburse Reslify for all reasonable, actually incurred costs and expenses associated with any audit beyond Reslify’s standard materials and reasonable remote assistance, including Reslify’s reasonable time spent assisting with the audit at Reslify’s then-current hourly rates, except to the extent reimbursement is prohibited by applicable law or required otherwise by a competent authority. Reslify may require prepayment of reasonably estimated fees for non-standard audit assistance, to the extent permitted by law. For clarity, any reimbursement, hourly fees, or prepayment requirements under this Section 7.3 apply only to non-standard audit assistance that goes beyond Reslify’s then-current standard materials and reasonable remote cooperation. Reslify will not condition any audit or inspection that is strictly required by applicable law, a competent Supervisory Authority, and/or the SCCs on the payment of fees that would unreasonably delay or prevent the exercise of such mandatory audit rights. Client shall promptly notify Reslify of any identified non-compliance with reasonably detailed findings. Client shall not conduct vulnerability scans or other technical, operational, or penetration testing of Reslify’s applications, websites, services, networks, or systems without Reslify’s prior written consent, which Reslify may grant or withhold based on reasonable security considerations; provided that such consent will not be required to the extent an audit activity is expressly required by applicable law, a competent Supervisory Authority, or the SCCs. Any information obtained in connection with an audit or inspection under this Section 7.3 constitutes Reslify’s Confidential Information and may be used by Client solely to verify compliance with this DPA and/or to meet Client’s obligations under applicable Data Protection Laws and/or the SCCs (to the extent applicable). The Parties will first use remote methods and existing third-party reports and certifications where feasible.

7.4 Audits Under the SCCs. The Parties agree that any audit obligations under Clause 8.9 of the SCCs shall be carried out in accordance with Sections 7.2 and 7.3 of this DPA to the extent such procedures are not inconsistent with the SCCs and do not reduce the data exporter’s rights under Clause 8.9. If and to the extent any procedure, limitation, or condition in Sections 7.2 or 7.3 would be interpreted to reduce the data exporter’s rights under Clause 8.9, the SCCs shall prevail to the extent of such inconsistency for the purposes of the relevant Restricted Transfer.

7.5 Personal Data Breaches. Reslify shall notify Client without undue delay after becoming aware of a Personal Data Breach and shall provide relevant information regarding the Personal Data Breach as it becomes available or as reasonably requested by Client. At Client’s request, Reslify shall provide reasonable assistance necessary to enable Client to make any required notifications to competent authorities and/or affected Data Subjects under applicable Data Protection Laws. Reslify’s notification of, or response to, a Personal Data Breach shall not be construed as an admission of fault or liability. Where Client determines that it must issue notices relating to a Personal Data Breach to a Supervisory Authority or other governmental body, affected Data Subjects, the public, or others under applicable Data Protection Laws, and such notice directly or indirectly identifies Reslify, then, where permitted by applicable law, Client shall provide Reslify with advance notice and shall consult with Reslify in good faith and consider any reasonable clarifications or corrections requested by Reslify regarding Reslify’s involvement in or relevance to such Personal Data Breach.

8. DATA TRANSFERS

8.1 Transfers; EU Hosting Default; Limited Non-EEA Access.

Client Personal Data processed by Reslify as Processor within the Services (Client tenant) will be hosted in the EEA (e.g., Germany/Frankfurt) by default, unless otherwise agreed in writing in the applicable Subscription Details or an Addendum. Reslify will not enable cross-region replication of the primary Client tenant database outside the EEA by default, unless otherwise agreed in writing in the applicable Subscription Details or an Addendum. Where remote access from outside the EEA is permitted under this DPA for support/operations, Reslify will apply access controls and security logging appropriate to the risk.

For clarity, this EEA hosting default applies to Client Personal Data processed by Reslify as Processor; it does not apply to Personal Data processed by Reslify as an independent Controller (including Limited Controller Telemetry and account/billing/CRM data), which is handled as described in the Scope/Section 3 and Reslify’s Privacy Policy.

Reslify may permit access to European Data from outside the EEA only to the extent strictly necessary to provide support, maintain, secure, or troubleshoot the Services, and subject to Reslify’s access controls (including an applicable transfer mechanism such as the SCCs, or an applicable adequacy decision or other lawful mechanism, but only to the extent Reslify and/or the relevant recipient is certified or otherwise eligible under that mechanism).

To the extent such access constitutes a Restricted Transfer, Reslify will ensure an appropriate transfer mechanism under Section 8 applies (including the SCCs or another lawful mechanism, such as an applicable adequacy framework where available).

8.2 Transfer Safeguards for European Data. Reslify shall not make any transfer of European Data that constitutes a Restricted Transfer to a country, territory, or recipient not recognized as providing an adequate level of protection within the meaning of European Data Protection Laws unless Reslify first implements the measures required to ensure the transfer complies with European Data Protection Laws, which may include, as applicable, the execution of the SCCs, reliance on an applicable adequacy decision (only to the extent Reslify and/or the relevant recipient is certified or otherwise eligible under that decision), binding corporate rules, and/or the use of an applicable derogation under the GDPR.

8.3 Order of Preference. In the event a particular Restricted Transfer in connection with the Services could be covered by more than one transfer mechanism under applicable Data Protection Laws, the transfer of Client Personal Data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the EU SCCs as set forth in Section 8.4; (b) the UK Transfer Addendum as set forth in Section 8.5; (c) the Switzerland mechanism as set forth in Section 8.6; and, if none of (a), (b), or (c) is applicable, then (d) other applicable data transfer mechanisms permitted under applicable Data Protection Laws. For the avoidance of doubt, this Section 8.3 applies on a transfer-by-transfer basis, and different Restricted Transfers may be subject to different mechanisms in accordance with this Section 8.3.

8.4 EEA Restricted Transfers and EU SCCs. In accordance with the order of precedence in Section 8.3, to the extent that any Processing of European Data under this DPA involves an EEA Restricted Transfer from Client to Reslify, the Parties shall comply with the EU SCCs, which are hereby incorporated by reference into this DPA and deemed completed in accordance with Part 1 of Schedule 4, and deemed entered into by the Parties for the purposes of the relevant Restricted Transfer.

8.5 UK Restricted Transfers and UK Transfer Addendum. In accordance with the order of precedence in Section 8.3, to the extent that any Processing of European Data under this DPA involves a UK Restricted Transfer from Client to Reslify, the Parties shall comply with the EU SCCs as adapted to meet the requirements of the UK GDPR through the UK Transfer Addendum, which are hereby incorporated by reference into this DPA and deemed completed in accordance with Part 2 of Schedule 4, and deemed entered into by the Parties for the purposes of the relevant Restricted Transfer.

8.6 Switzerland Restricted Transfers. In accordance with the order of precedence in Section 8.3, to the extent that any Processing of Client Personal Data under this DPA involves a Restricted Transfer from Switzerland to Reslify, the Parties shall implement an appropriate transfer safeguard that permits the lawful transfer under Swiss Data Protection Laws, including, where applicable, the EU SCCs as supplemented or adapted as necessary for Switzerland, which are hereby incorporated by reference into this DPA and deemed completed in accordance with Part 3 of Schedule 4 for the purposes of the relevant Restricted Transfer.

8.7 Other Jurisdictions. To the extent any cross-border transfer of Client Personal Data is subject to transfer restrictions or specific safeguards under non-European Data Protection Laws, the Parties shall cooperate in good faith to implement and comply with a lawful transfer mechanism recognized under such laws, including as set out in any applicable Schedule(s) to this DPA or as otherwise agreed in writing by the Parties.

8.8 Adoption of Alternative Transfer Mechanism. Reslify may, on notice to Client, vary this DPA and replace the applicable transfer mechanism referenced in this Section 8 (including, where applicable, the SCCs and/or the UK Transfer Addendum) with: (i) any new, updated, or successor form of the relevant SCCs and/or addendum (as applicable), duly completed and incorporated; or (ii) another lawful transfer mechanism (other than the SCCs) that enables the continued lawful transfer of European Data (and/or other Client Personal Data subject to transfer restrictions) in compliance with applicable Data Protection Laws.

8.9 Provision of Executed SCCs. For any Restricted Transfer relying on the EU SCCs, where Client is required to provide an executed copy of the relevant SCCs to a Supervisory Authority or a Data Subject, and Client submits a specific written request accompanied by reasonable supporting evidence of such requirement, Reslify shall provide Client with an executed version of the relevant SCCs, completed as applicable in accordance with Schedule 4, for countersignature by Client and onward provision and/or retention as evidence of compliance.

8.10 Transfer Assessments; Government Access Requests; Supplementary Measures. To the extent required under applicable Data Protection Laws (including, where applicable, to support transfer impact assessments, transfer risk assessments, or similar assessments), Reslify shall, upon Client’s reasonable written request, provide information reasonably available to Reslify regarding the Processing relevant to the Restricted Transfer, including: (a) the applicable transfer mechanism(s) and roles; (b) categories of Subprocessors and locations involved in the Processing; and (c) a high-level description of Reslify’s technical and organizational measures (including those in Schedule 3) and relevant policies. Reslify’s obligation is limited to information reasonably available to Reslify and does not require Reslify to disclose information that would compromise the security, confidentiality, integrity, or availability of systems or Personal Data, or that is subject to legal privilege, trade secrets, or third-party confidentiality restrictions.

Where legally permitted, Reslify will notify Client of any legally binding request from a public authority for disclosure of European Data (or access thereto) relating to a Restricted Transfer, and will, where Reslify reasonably determines it appropriate and permitted, challenge such request or seek appropriate protective measures. Reslify may implement supplementary measures where required for a Restricted Transfer (including technical, organizational, and contractual measures), taking into account the nature of the Services and the information reasonably available to Reslify. Any assistance under this Section 8.10 that is non-standard, requires material engineering or legal effort, or is beyond the Services’ standard functionality may be subject to reasonable fees at Reslify’s then-current rates, to the extent permitted by law.

8.11 Controller Transfers (Account/Billing/CRM and Limited Controller Telemetry). This Section 8 applies to Client Personal Data that Reslify Processes as a Processor under this DPA. Personal Data that Reslify Processes as an independent Controller (including account-level registration/administration, billing/subscription/CRM contact data, and Limited Controller Telemetry) is governed by Reslify’s Privacy Policy and other applicable notices, including any transfer disclosures therein.

Where such Controller Processing involves cross-border transfers or remote access that are subject to transfer restrictions under applicable Data Protection Laws, Reslify will implement and maintain an appropriate transfer mechanism and safeguards for such transfers (which may include, as applicable, the SCCs, an applicable adequacy decision (only to the extent Reslify and/or the relevant recipient is certified or otherwise eligible thereunder), and/or other lawful mechanisms permitted by law). For clarity, nothing in this Section 8.11 expands Reslify’s role as Processor under this DPA or converts Controller Processing into Processing on behalf of Client.

For Personal Data that Reslify Processes as an independent Controller (including account-level registration/administration, billing/subscription/CRM contact data, and Limited Controller Telemetry), Reslify will provide the information required by applicable Data Protection Laws via its Privacy Policy and other applicable notices, including disclosures regarding cross-border transfers and the applicable transfer mechanism(s) where required, and will implement and maintain appropriate safeguards for any such transfers as described in this Section 8.11.

8.12 Transfer Mechanism Applicability; Fallback. The Parties intend that the SCCs (and, where applicable, the UK Transfer Addendum and/or the Swiss Addendum), as incorporated and completed under this DPA, will apply only to the extent they constitute a valid and effective transfer mechanism for the relevant Restricted Transfer under applicable Data Protection Laws.

If, for any Restricted Transfer, the Parties reasonably determine that the referenced mechanism is not valid, not effective, or not available for that transfer (including, without limitation, due to changes in law, binding guidance, or a decision by a competent authority or court, or because a different transfer tool is required for the relevant transfer scenario), the Parties shall promptly cooperate in good faith to implement an alternative lawful transfer mechanism and/or supplementary measures that enable the continued lawful transfer in compliance with applicable Data Protection Laws.

Pending implementation of such alternative mechanism and/or supplementary measures, Reslify may, to the extent necessary to comply with applicable law, suspend or limit the relevant transfer and/or the affected feature(s), with notice to Client, without liability to the extent permitted by law.

9. LIMITATION OF LIABILITY

The total, aggregate liability of each Party and its respective Affiliates arising out of or in connection with this DPA, whether based in contract, tort, or any other legal theory, shall be governed by and subject to the limitation of liability provisions set forth in the Agreement. For purposes of applying such limitation, any reference in the Agreement to a Party’s liability shall be deemed to include the combined liability of that Party and its Affiliates under the Agreement, including this DPA. Nothing in this Section 9 limits or otherwise affects any liability to Data Subjects under the third-party beneficiary provisions of the SCCs, to the extent the SCCs apply. Client’s indemnification obligations under Section 2.5 are subject to the Agreement’s limitation of liability except to the extent the Agreement expressly states otherwise or mandatory applicable law prohibits such limitation.

10. TERMINATION

This DPA will remain in effect until the expiration or termination of the Agreement. Upon expiration or termination of the Agreement, Reslify will, at Client’s written election, delete or return all Client Personal Data (including copies thereof), unless retention is required by applicable law. Sections of this DPA that by their nature are intended to survive termination (including confidentiality and deletion/return obligations) shall survive until such deletion or return is completed. If Client does not specify its election within thirty (30) days following expiration or termination of the Agreement, Reslify will delete the Client Personal Data, unless retention is required by applicable law. Notwithstanding the foregoing, Client Personal Data may be retained in routine backups for a limited period in accordance with Reslify’s backup retention schedules and may be retained as necessary to comply with applicable law or to establish, exercise, or defend legal claims, provided that such retained data remains protected under this DPA.

11. CALIFORNIA CONSUMER PRIVACY ACT (CCPA/CPRA)

The following terms apply to any Personal Information (as defined under the CCPA/CPRA) that Reslify Processes on behalf of Client.

11.1 Status; Limited Purpose; Compliance. The Parties intend that, with respect to such Personal Information, Reslify acts as a “service provider” (and, where applicable, a “contractor”) under the CCPA/CPRA. Reslify acknowledges that Client discloses Personal Information to Reslify solely for the limited and specified business purposes described in the Agreement, shall comply with its applicable obligations under the CCPA/CPRA and provide a level of privacy protection for such Personal Information that is at least that required by the CCPA/CPRA, shall notify Client in writing within five (5) business days if Reslify determines it can no longer meet its obligations under the CCPA/CPRA, and agrees that Client may, upon notice (including following such notification), take reasonable and appropriate steps to help stop and remediate any unauthorized use of Personal Information.

11.2 Audit for CCPA/CPRA Compliance. Client may conduct audits in accordance with Section 7.3 to verify that Reslify’s Processing of Personal Information is consistent with Reslify’s obligations under this Section 11 and the CCPA/CPRA.

11.3 Restrictions on Use and Disclosure. Reslify shall not sell or share Personal Information; shall not retain, use, or disclose Personal Information for any purpose other than performing the Services and the business purposes specified in the Agreement or as otherwise permitted by the CCPA/CPRA; shall not retain, use, or disclose Personal Information outside the direct business relationship between the Parties; and shall not combine Personal Information received from or on behalf of Client with Personal Information received from or on behalf of another person or collected through Reslify’s own interactions with the relevant Consumer, except as permitted under the CCPA/CPRA. Reslify confirms that it understands and will comply with the restrictions set out in this Section 11.3.

11.4 Subprocessor Notice. The Parties agree that Reslify’s notice to Client regarding Subprocessors in accordance with Section 6 satisfies Reslify’s obligation under the CCPA/CPRA to provide notice of its engagement of Subprocessors.

11.5 Relationship Acknowledgement. The Parties acknowledge that Reslify’s retention, use, and disclosure of Personal Information as directed by Client’s documented instructions in the Agreement are necessary for Reslify to provide the Services and are integral to the Parties’ business relationship.

11.6 Other U.S. State Privacy Laws. To the extent any applicable U.S. state privacy or consumer data protection laws (excluding the CCPA/CPRA) (“U.S. State Privacy Laws”) apply to the Processing of Client Personal Data under the Agreement, Reslify will, to the extent required by such U.S. State Privacy Laws: (a) Process Client Personal Data only on Client’s documented instructions and for the purposes described in the Agreement; (b) ensure that personnel authorized to Process such data are subject to appropriate confidentiality obligations; (c) implement and maintain appropriate technical and organizational measures; (d) provide reasonable assistance, as requested by Client, to enable Client to respond to consumer/data subject rights requests and to meet applicable legal obligations (including, where required, assistance with data protection assessments); (e) enter into written agreements with Subprocessors imposing obligations no less protective than those set out in this DPA; and (f) make available information reasonably necessary to demonstrate compliance and allow audits in accordance with Section 7. For the avoidance of doubt, Reslify’s deletion/return obligations are set out in Section 10.

11.7 Limited Controller Telemetry (CCPA/CPRA Clarification). To the extent Limited Controller Telemetry described in Section 3 involves Personal Information subject to the CCPA/CPRA, Reslify will Process it in identifiable form only to the minimum extent necessary for the limited security, integrity, abuse or fraud prevention, incident-response, legal-compliance, billing, contract-administration, or legal-claims purpose and subject to appropriate access controls. Reslify will use only aggregated or de-identified data for its own general product analytics and service improvement. In all cases, Reslify shall not sell or share such Personal Information, Process it for cross-context behavioral advertising, build profiles across Clients, or combine identifiable Personal Information across Clients except to the extent expressly permitted under the CCPA/CPRA for security and fraud prevention and consistent with Section 11.3.

12. GENERAL

12.1 Updates. Reslify may amend or update this DPA from time to time on a prospective basis. Reslify may make non-material updates, clarifications, administrative changes, and updates required to reflect changes in law, guidance, security practices, Subprocessors, transfer mechanisms, or the Services, provided that such updates do not materially reduce Client’s rights or Reslify’s obligations under this DPA or applicable Data Protection Laws.

Reslify will provide Client with at least thirty (30) days’ prior written notice of any material update to this DPA, except where a shorter notice period is reasonably necessary to comply with applicable Data Protection Laws or binding guidance/orders of a competent authority, address a security, fraud, abuse-prevention, or operational integrity risk, or meet requirements imposed by a critical third-party service provider necessary to continue providing the Services.

A material update that requires new documented instructions from Client, materially expands the categories of Client Personal Data, categories of Data Subjects, Processing purposes, or Reslify’s Processing role beyond this DPA, or materially changes the Restricted Transfer terms in a way not already permitted by this DPA, will apply to Client only if Client accepts it in writing or electronically, or if the update is required by applicable law. If Client reasonably objects on data-protection grounds before the effective date, the Parties will cooperate in good faith to address the objection. If the objection is not resolved, Reslify may, as Client’s sole and exclusive remedy, decline to provide the affected new feature, provide a reasonable workaround where available, or permit Client to discontinue the affected feature or terminate the affected Services at the end of the then-current billing period, without refund except as required by mandatory applicable law. This Section 12.1 does not limit any mandatory rights Client may have under applicable law.

For the avoidance of doubt, any update to this DPA shall not amend or replace the SCCs or the UK Transfer Addendum without the Parties’ mutual written agreement, except as expressly permitted under Section 8.8 and/or to the extent a competent authority mandates an update to the applicable transfer mechanism. Notices under this Section 12.1 may be provided by email in accordance with Section 12.2 and the Agreement’s notice provisions. Nothing in this Section 12.1 limits or reduces any rights or obligations under the SCCs and/or the UK Transfer Addendum (as applicable) or under mandatory applicable law.

12.2 Notices; Contact Details. For purposes of this DPA, each Party’s contact details for privacy-related notices are as follows and may be updated by either Party upon written notice to the other: for Reslify, privacy@reslify.com; and for Client, the contact details designated by Client in the Agreement’s notices provisions or, if not specified there, the primary contact details associated with Client’s account registration or most recently provided by Client to Reslify in writing.

12.3 Entire Understanding. This DPA constitutes the Parties’ entire understanding regarding the Processing of Client Personal Data and the Parties’ respective obligations in connection with applicable Data Protection Laws, and supersedes any prior or contemporaneous understandings on that subject matter.

12.4 Governing Law; Jurisdiction. Except as otherwise provided in the SCCs (to the extent applicable), this DPA is governed by, and the Parties submit to, the choice of law and forum selection provisions set out in the Agreement for any dispute or claim arising out of or relating to this DPA.

12.5 Order of Precedence for Transfer Documents. In the event of any conflict or inconsistency between this DPA and the Agreement regarding the Processing of Client Personal Data, this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the SCCs and/or the UK Transfer Addendum (as applicable), the SCCs and/or the UK Transfer Addendum shall prevail to the extent of the conflict for the purposes of the relevant Restricted Transfer.

12.6 Language. This DPA is drafted in English. Any translation is provided for convenience only and shall not be relied upon to interpret this DPA. In the event of any inconsistency, the English version shall prevail, except to the extent (and only to the extent) that mandatory applicable law requires otherwise.

12.7 Availability of Transfer Documents. Reslify will make the full text of the EU SCCs (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK Transfer Addendum and/or the Swiss Addendum (each as referenced in Schedule 4) available to Client upon request and/or through Reslify’s standard contract repository, customer portal, or other reasonable means.

The Parties acknowledge that such transfer documents form part of this DPA and are incorporated by reference as set out herein. For clarity, Reslify is not required to provide individually signed paper copies of such documents except as expressly required by Section 8.9 or by mandatory applicable law.

SCHEDULE 1

Incorporation. This Schedule 1 forms part of and is incorporated into the Data Processing Addendum dated July 16, 2026 (the “DPA”) between Reslify and Client. In case of conflict, the DPA order of precedence applies.

Details of the Processing (Client Personal Data)

A. DATA EXPORTER (CLIENT) DETAILS

Name: As set out in the clickwrap acceptance record and the Client account registration/profile information (including the legal name of the contracting entity, as provided by Client). Address: As set out in the clickwrap acceptance record and/or as provided by Client in its account registration/profile or billing information. Contact Details for Data Protection / Privacy: The primary account administrator email and/or the privacy contact details provided by Client in its account profile (or otherwise notified to Reslify in writing). Client Activities: Client’s activities relevant to this DPA consist of using the Services as part of its business operations to manage reservations and bookings, reduce no-shows (including through deposits, prepayments, card guarantees using saved payment methods and possible later cancellation/no-show charges, and, where separately enabled, authorization holds), sell and fulfill events/experiences, offer, deliver, and redeem Venue-issued gift cards, import and manage menu content (including through AI-assisted menu import), accept prepayments, ticket/issue confirmations, and manage related guest communications and operational workflows, including via supported integrations. Role: Controller where Client is a Controller of Client Personal Data in its own right; Processor where Client is a Processor acting on behalf of any other person (including its Affiliates if and where applicable).

B. DATA IMPORTER (Reslify) DETAILS

Name: Reslify LLC (“Reslify”) Jurisdiction of incorporation: Delaware, United States Address: 8 The Green, Suite B, Dover, DE 19901, USA Contact Details for Data Protection / Privacy: privacy@reslify.com Reslify Activities: Reslify provides a business-to-business software-as-a-service platform for hospitality operators and similar venues to (i) manage reservations and bookings, (ii) reduce no-shows through deposits, prepayments, card guarantees using saved payment methods and possible later cancellation/no-show charges, and, where separately enabled, authorization holds, (iii) sell and fulfill ticketed events and experiences, (iv) offer, deliver, and redeem Venue-issued gift cards, (v) import and manage menu content, including through AI-assisted menu import, (vi) accept prepayments, and (vii) integrate with third-party services and surfaces (including “Reserve with Google” and other supported integrations), as described in the Agreement. Role: Processor with respect to Client Personal Data processed on behalf of Client under this DPA, without prejudice to the narrowly limited Controller Processing described in Section 3.

C. DATA PROCESSING DETAILS

Subject Matter. The subject matter of the Processing under this DPA is Client Personal Data.

Duration of Processing. As between Reslify and Client, the duration of the Processing under this DPA is determined by Client’s use of the Services; provided that, in general, Client Personal Data will be Processed for the term of the Agreement and for the minimum period thereafter as reasonably necessary to wind down the Parties’ relationship, and to return or delete Client Personal Data in accordance with the Agreement and this DPA, or as required by applicable law.

Nature of the Processing. Storing and otherwise Processing Client Personal Data as necessary to provide the Services and related support, as described in the Agreement.

Frequency of transfer (where applicable). Continuous and event-driven, as Client and end users submit and access data through the Services and as the Services generate operational logs/telemetry necessary to provide and secure the Services.

Processing operations. Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission (as initiated by Client configuration and integrations), alignment/combination (within the Client tenant), restriction, erasure, and destruction.

Retention and deletion (summary). Client Personal Data is retained for the term of the Agreement and until deletion/return is completed under Section 10. Upon termination and Client’s election (or default deletion), Reslify will delete Client Personal Data from active production systems within a commercially reasonable period, typically within 90 days, unless a longer period is required by applicable law or for legal claims. Data stored in routine backups is protected and expires or is overwritten on rolling, service-specific schedules. Deleted data may remain in protected backups until scheduled expiry and is not restored except for recovery; applicable deletion or restriction controls are re-applied after a restore. Reslify does not represent that every data set uses a single backup period. Feature-specific shorter periods apply where stated in this Schedule, including up to 24 hours for AI Booking Assistant sessions, up to seven (7) days for AI-assisted menu-import source files and job records, and 90 days from the most recent registration or refresh for mobile push-device registrations. Ordinary operational application and API logs are retained in access-controlled primary logging systems for up to 30 days. Only selected, explicitly classified, and minimized security, payment, and dispute evidence events may be retained in the access-controlled evidence archive described in Schedule 3 for up to 400 days. Relevant evidence may be preserved for longer only under a documented, case-specific legal hold or where necessary to comply with applicable law or establish, exercise, or defend legal claims.

D. CATEGORIES OF DATA SUBJECTS, TYPES OF CLIENT PERSONAL DATA, AND PURPOSES — ORGANIZED BY Reslify SERVICE/MODULE

| Reslify Service / Module | Categories of Data Subjects | Types of Client Personal Data | Purpose of the Processing | | ----- | ----- | ----- | ----- | | AI Booking Assistant (if enabled) | Venue guests/diners using the guest-facing booking experience; Client staff/users to the extent their Client-configured content is used as context | Guest messages and any personal data included in them; booking-journey state (such as requested date, time, party size, availability, selected options, and free-text notes); bounded prior conversation context; Client-configured venue information, offers, policies, operating information, and booking content; session identifiers and language preference | Generate grounded booking assistance, respond to Guest questions, propose non-binding booking-flow actions or draft changes, maintain a short-lived conversation context, and operate and secure the AI Feature; no reservation, hold, payment, or other booking-impacting action is completed without the applicable confirmation in the Services | | AI-Assisted Menu Import (if enabled) | Client staff/users; individuals whose information is included by Client in an uploaded menu source | Uploaded menu files and images; file names, file types, and file metadata; extracted text; menu names, categories, item names, descriptions, prices, dietary or source labels; generated structured menu drafts; job identifiers, status, warnings, and failure information | Extract and structure menu information, generate an editable draft for Client review, and create or update menu content only after the applicable Client action or confirmation; source files and import-job records are scheduled to expire after up to seven (7) days | | Venue Profile & Media | Client staff/users; individuals identifiable in Client-uploaded media | Venue names, descriptions, addresses, contact details, website and review links, geographic coordinates, opening/service information, logos, profile images, experience images, gift-card images, menu images, and related file and asset metadata | Configure and publish Client venue profiles and offerings; store, process, transform, cache, and deliver Client media through the Services | | Reservations (Core Booking) | Venue guests/diners (including those booking via online widgets, telephone, or walk-ins); Client staff/users | Guest identifiers (name); contact details (email/phone) (optional); reservation details (date/time, party size, venue/location/area/table preferences); booking status/history; notes/special requests (free-text; end-user provided; may include Sensitive Data), and any additional information provided through Client-configured fields (optional) | Create, manage, and fulfill reservations and reservation requests; update/confirm/cancel bookings; provide operational visibility to authorized Client users | | Waitlist & Request Management | Venue guests/diners; Client staff/users | Name; contact details (email/phone); waitlist entry details (party size, preferred times); status/history; notes/preferences (free-text; end-user provided; may include Sensitive Data) | Create and manage waitlists; support guest notifications and internal queue management; optimize seating/availability workflows | | No-Show Prevention (Deposits / Prepayments / Card Guarantees / Later Charges / Authorization Holds if enabled) | Venue guests/diners; Client staff/users | Booking linkage identifiers; policy selections (deposit, prepayment, card-guarantee, cancellation/no-show fee, and, where separately enabled, hold rules); payment status/metadata (payment processor customer identifiers, tokenized payment-method identifiers, setup/payment intent identifiers, transaction identifiers, timestamps, amounts, currency, paid/refunded/failed/authorized status, and masked card descriptors such as brand, last four digits, and expiry where available); enforcement/chargeback-related status indicators (if applicable) | Enable Client’s no-show policies; support deposits, prepayments, card guarantees using saved payment methods, possible later cancellation/no-show charges, and, where separately enabled, authorization holds; display compliance/booking guarantee status for operational fulfillment and reconciliation without storing full card numbers or card security codes | | PAYTR Marketplace Payments (if enabled) | Venue guests/purchasers; Client staff/users; Client/Venue seller beneficiaries | Order and transaction identifiers; timestamps; gross amount, seller net amount, platform commission, refund and adjustment amounts; currency and payment/settlement status; Client/Venue beneficiary name and IBAN; masked card descriptors where made available by PAYTR; no full card number or card security code | Facilitate PAYTR-hosted checkout through the Turkish Payment Operator’s marketplace account; instruct PAYTR to transfer Client’s seller net amount directly to Client’s designated IBAN and the separately calculated platform commission to the Turkish Payment Operator; reconcile settlements, refunds, adjustments, returned transfers, and payment status on Client’s instructions | | Events & Experiences (Ticketing / Prepaid Offerings) | Purchasers/attendees; Client staff/users | Name; contact details (email/phone) (optional); experience/event selection; quantities; session/time slot; ticket/booking identifiers; check-in/attendance status; notes/preferences (free-text; end-user provided; may include Sensitive Data); limited payment status/metadata as above (if paid), and any additional information provided through Client-configured fields (optional) | Sell, issue, and fulfill ticketed events/experiences; manage attendee lists and check-in; provide confirmations and operational oversight; reconcile paid status without storing full card numbers or card security codes | | Gift Cards (if enabled) | Gift-card purchasers and recipients; individuals redeeming gift cards; Client staff/users | Purchaser and recipient names and contact details; purchaser and recipient language preferences; gift-card product, amount, currency, delivery choice, delivery timing, optional personal message, code or token, status and expiry; purchase, delivery, redemption, balance, and adjustment history; related booking linkage; limited payment and transaction metadata | Enable Venue-issued gift-card purchase, delivery, balance management, redemption, fraud prevention, support, reconciliation, and related Client operational workflows and communications | | Host Mobile App & Push Notifications (if enabled) | Client staff/users; Guests linked to the pseudonymous reservation or request identifiers in an operational notification | User, Client/merchant, installation, and device identifiers; platform, push provider and push token; notification-permission status; app and device metadata; registration and last-seen timestamps; neutral localized notification title/body; payload schema version; event type and timestamp; party size; and pseudonymous reservation or request identifier. The push payload excludes Guest names and contact details, reservation time and status, notes, free text, and application routes. | Register and maintain authorized devices; route minimized operational reservation and reservation-request notifications to permitted Client users; construct the authorized in-app route locally and retrieve any detailed Guest or reservation information directly from Reslify through the authenticated application; troubleshoot delivery and remove invalid registrations | | Guest Profiles / CRM (if enabled) | Venue guests/diners; Client staff/users | Guest profile identifiers; contact details; visit/booking history; preferences/tags; free-form notes (free-text; end-user provided; may include Sensitive Data); special occasion (optional); custom fields and additional information submitted by or on behalf of Client and/or end users through Client-configured forms (optional). | Maintain and display guest profiles at Client’s direction; support personalization and consistent guest service; record preferences and operational notes | | Transactional Communications (Email/SMS/WhatsApp or similar, as configured) | Venue guests/diners/purchasers; Client staff/users | Contact details; message content; templates/variables (as configured); delivery metadata/logs (timestamps, status) | Send confirmations, reminders, updates, and operational messages triggered by Client’s use/configuration; evidence delivery status and support guest communications | | Integrations (incl. “Reserve with Google” and other supported third parties) | Venue guests/diners; Client staff/users | Booking identifiers; guest contact/booking fields required for the integration (as configured); integration identifiers and configuration data (and, where applicable, access tokens or similar authentication data) submitted by or on behalf of Client; synchronization metadata/logs | Enable integrated discovery/booking flows; synchronize availability, bookings, and status updates across configured third-party surfaces/services; maintain integrity of booking data | | Venue / Seating & Operational Tools (if enabled) | Venue guests/diners; Client staff/users | Reservation/party details; seating/table assignments; operational notes; status timestamps; staff/user identifiers for actions | Support table/section assignment and real-time operational management; provide auditability of actions taken within the platform | | Admin, User Management & Access Control | Client staff/users; Client contacts (to the extent such contacts are authorized users within the Client tenant) | Authorized user identity within the Client tenant (name); business email; role/permissions; tenant-level user settings; and in-product action/audit trails relating to use of the Services (e.g., administrative actions and changes performed by authorized users). | Provision and manage user accounts within the Client tenant; manage roles/permissions; administer Client tenancy settings; maintain tenant-level action/auditability as visible to Client. | | Reporting & Dashboards (Client-facing) | Client staff/users | Aggregated and record-level booking/event data as visible to Client; operational metrics; timestamps; limited payment status indicators | Provide operational reporting and dashboards to Client; support reconciliation, forecasting, and performance monitoring (client-facing) | | Support & Customer Service | Client staff/users; Client contacts (to the extent such contacts are authorized users within the Client tenant) | Support request content; account identifiers; troubleshooting metadata; logs necessary to investigate issues | Respond to support inquiries; troubleshoot incidents; restore service; communicate resolutions and maintain service continuity | | Security, Audit Logs & Abuse/Fraud Prevention (Service Delivery) | Guests (as applicable); Client staff/users | Tenant-level access and activity logs and audit trails generated within the Client tenant and made available to Client through the Services (e.g., user actions, administrative changes, timestamps, and related identifiers as applicable); operational application/API logs containing identifiers, request metadata, error details, and limited record information where necessary for security, troubleshooting, reliability, and incident response | Protect the Services within the Client tenant; provide auditability to Client; investigate tenant-specific incidents; troubleshoot failures; maintain reliability; and support security/accountability requirements as applicable |

Notes: This Schedule 1 describes the Processing of Client Personal Data by Reslify as a Processor on behalf of Client under this DPA. It does not describe Processing by Reslify as an independent Controller as set out in the Scope section (including account-level registration/administration, billing/subscription, CRM/sales/marketing and related communications, and Limited Controller Telemetry). Support requests submitted by account-level/billing contacts outside the Client tenant fall under Reslify’s independent Controller processing described in the Scope and are not included in this Schedule 1.

Certain fields may be optional and depend on Client configuration and end-user input. Reslify does not determine which optional/custom fields Client enables or what information Client requests from end users; Client controls such configuration and the prompts or content it chooses to request through the Services. Full payment card numbers and card security codes are collected in payment-processor-controlled fields or pages and are not stored by Reslify. Reslify Processes only the processor identifiers, transaction/status information, and masked card descriptors described above as necessary to operate the Services.

Certain fields in the Services are free-text in nature (including the standard “notes” / “special requests” or similar comment field), and Client may also configure optional/custom fields, add-ons, or forms within the Services to request additional information from end users (including dietary/allergen information or preferences). Reslify does not determine which optional/custom fields Client enables or what information Client requests from end users, and Reslify does not control what an end user chooses to enter in free-text fields.

Client acknowledges and agrees that information submitted through free-text fields or Client-configured fields may constitute Sensitive Data under applicable Data Protection Laws (e.g., allergy information as health data). As set out in Section 2.6 of the DPA, Client is solely responsible for determining applicable legal bases and satisfying any special requirements for the collection and Processing of such data (including, where applicable, Article 9 GDPR conditions), and for providing all required notices and obtaining any necessary consents or authorizations. Reslify Processes such content only as necessary to provide the Services within the Client tenant and on Client’s documented instructions, applies the Security Measures in Schedule 3, and does not use such data for its own product analytics, service improvement, or generalized AI training, except as expressly agreed in writing.

For clarity, platform-wide security/authentication telemetry (e.g., device/IP signals and security monitoring logs processed for Reslify’s independent security and abuse prevention purposes) is addressed in the Privacy Policy and is not intended to expand the scope of Client Personal Data beyond what is processed on Client’s behalf under this DPA.

SCHEDULE 2

List of Subprocessors

Last revised: July 16, 2026

This Schedule 2 lists Reslify LLC (“Reslify”) third-party service providers authorized to Process Client Personal Data as Subprocessors in connection with the Services. This list may be updated from time to time in accordance with Section 6.2 of the DPA.

A. Subprocessors (engaged by Reslify)

| Entity Name | Relevant Services / Function | Entity Services (Examples) | Primary Location (HQ) | Processing Location(s) (if different / known) | | ----- | ----- | ----- | ----- | ----- | | Amazon Web Services, Inc. and AWS Turkey Pazarlama Teknoloji ve Danışmanlık Hizmetleri Limited Şirketi (together, “AWS” under the AWS Data Processing Addendum) | Core hosting and infrastructure for the Services, including compute, storage, networking, identity/authentication, queuing, logging/monitoring, menu-import source storage, and transactional email delivery | Lambda, API Gateway, DynamoDB, S3, Cognito, SQS, EventBridge, CloudWatch, and Amazon SES | United States and Türkiye | Germany (Frankfurt, EU/EEA) for primary database and menu-import source hosting (as applicable); other locations only as described in the AWS Data Processing Addendum and Section 8 | | Reslify Bilişim Pazarlama Limited Şirketi | Operation of the supported PAYTR marketplace payment flow on Reslify’s behalf, to the extent it Processes Client Personal Data as a Subprocessor | Payment and settlement instructions; Client/Venue beneficiary name and IBAN; transaction, platform-commission, refund, adjustment, reconciliation, and returned-transfer metadata; payment support | Türkiye | Türkiye; access to relevant Client Personal Data in the EEA-hosted Platform only as necessary for the enabled payment flow and support | | OpenAI OpCo, LLC | AI model provider for the AI Booking Assistant and AI-assisted menu import | Generation of AI Booking Assistant responses and extraction/structuring of information from Client-uploaded menu files or images | United States | United States | | 650 Industries, Inc. (Expo) | Mobile push-notification delivery for Client staff/users | Processing of device push tokens and operational notification payloads; routing through the applicable mobile-platform push service | United States | United States; onward routing through Apple Push Notification service or Google Firebase Cloud Messaging, depending on the device platform |

Notes (AWS contracting entity and EU hosting). The contracting and invoice-issuing entity for Reslify’s current production AWS account is AWS Turkey Pazarlama Teknoloji ve Danışmanlık Hizmetleri Limited Şirketi. The AWS Data Processing Addendum separately applies with Amazon Web Services, Inc. and the applicable AWS contracting party, together defined there as AWS. AWS may use downstream subprocessors identified on the AWS Sub-processors page, including the infrastructure entity associated with the selected AWS Region. Reslify uses the AWS Europe (Frankfurt) service region for primary Client tenant data storage by default. Cross-region replication of the primary Client tenant database outside the EEA is not enabled by default unless otherwise agreed in writing. Authorized remote access from outside the EEA may occur only as strictly necessary for support/operations and in accordance with Section 8.1 and applicable transfer safeguards.

Turkish payment operator / PAYTR marketplace flow. Reslify Bilişim Pazarlama Limited Şirketi is Reslify LLC’s authorized Turkish reseller and the operator of the supported PAYTR marketplace account. To the extent it Processes Client Personal Data on Reslify’s behalf to provide that flow, it acts as Reslify’s Subprocessor and is subject to the requirements of Section 6. PAYTR processes the Guest payment and, on the submitted transfer instructions, transfers Client’s seller net amount directly to Client’s designated IBAN and transfers only the separately calculated platform commission to Reslify Bilişim Pazarlama Limited Şirketi. Neither Reslify entity receives or holds Client’s seller net proceeds as principal in its own bank account. Reslify Bilişim Pazarlama Limited Şirketi separately acts as an independent Controller for its limited marketplace-account, commission, reconciliation, fraud-prevention, accounting, tax, legal-compliance, and legal-claims records; that independent Controller processing is governed by the Privacy Policy and is outside this DPA.

AI model provider / United States transfers and retention. OpenAI OpCo, LLC is authorized to Process Client Personal Data only as necessary to generate AI Booking Assistant responses and to extract and structure information from Client-uploaded menu files or images. For AI-assisted menu import, the information sent to OpenAI may include the uploaded menu material and extracted menu information described in Schedule 1. Processing occurs in the United States and may constitute a Restricted Transfer of European Data. Reslify will maintain the appropriate transfer safeguard required under Section 8 of this DPA, including the SCCs or another lawful mechanism, as applicable. Under OpenAI’s standard API data controls, API inputs and outputs may be retained in abuse-monitoring logs for up to thirty (30) days unless a shorter approved retention control applies, and may be retained longer where OpenAI is legally required to do so. OpenAI states that business/API data is not used to train or improve generalized OpenAI models by default unless the customer affirmatively opts in.

Mobile push provider / United States transfers. 650 Industries, Inc. (Expo) is authorized to Process Client Personal Data only as necessary to route operational push notifications to registered Client-user devices. Processing may occur in the United States and may constitute a Restricted Transfer of European Data. Reslify will maintain the appropriate transfer safeguard required under Section 8 of this DPA, including the SCCs or another lawful mechanism, as applicable. Delivery also depends on the applicable device-platform push service.

B. Client-enabled or independent third-party services (not Subprocessors)

The following third parties may receive data where enabled/configured by Client, where selected by Reslify as part of a product feature, or where needed to complete a payment transaction. They process data under their own terms/policies and are not engaged by Reslify as Subprocessors for the relevant activity:

| Entity Name | Relevant Services / Function | Notes | | ----- | ----- | ----- | | Google LLC | Reserve with Google / Google Maps Booking integration | Client-enabled third-party booking channel. Where Client enables the integration, Google may receive Venue/location information, booking links, reservation policies, service hours, inventory/availability, and booking/update metadata. Google processes such data under its own terms and policies and is not engaged by Reslify as a Subprocessor for this integration. | | Google LLC | Google Maps / Places / Geocoding / Time Zone services | Reslify-selected location service used in onboarding, venue configuration, and Google identity selection. Search text, address/place information, public phone number and website, coordinates, place identifiers, locale, time-zone information, and related device/network information may be sent to Google as necessary to provide the feature. Google processes such data under its own terms and policies and is not engaged by Reslify as a Subprocessor for this service. | | Google LLC | Google Analytics 4 (GA4), where enabled | Analytics provider for server-side and/or browser-based product, operational, conversion, and service-usage analytics where configured and, where required, subject to consent. Google may process pseudonymous identifiers, allow-listed event names/properties, timestamps, surface/application information, and product or transaction metadata under the applicable Google service terms. GA4 is not used to send raw names, email addresses, telephone numbers, payment-card details, free-text Guest notes, or full page URLs as described in the Privacy Policy. | | Stripe (relevant Stripe entity as applicable to Client/region) | Payment processing for deposits, prepayments, gift-card purchases, saved payment method setup/card guarantees, possible later cancellation/no-show charges, and, where separately enabled, authorization holds; tokenization and payment operations | Tokenized payment processing; SetupIntent/PaymentIntent and checkout/billing flows; refunds; payment status/metadata | | PayTR Ödeme ve Elektronik Para Kuruluşu A.Ş. | Payment processing where a Client uses the supported PAYTR marketplace checkout | Provider-hosted iFrame checkout operated through the Turkish Payment Operator’s marketplace account; PAYTR processes the Guest payment, transfers Client’s seller net amount directly to Client’s designated IBAN, and transfers only the platform commission to the Turkish Payment Operator; transaction/callback processing, refunds, settlement, and payment status/metadata under PAYTR’s own terms and policies |

Notes

  1. Client-configured integrations. Certain third parties receive data only if Client enables a feature or integration (e.g., “Reserve with Google”). Other third-party services listed above may be used by Reslify as part of onboarding, venue configuration, analytics, payment, or similar product functionality as described in the relevant row.

  2. Payment card data. Sensitive card input is collected in Stripe- or PayTR-controlled fields, pages, or iframes. The applicable payment processor processes and stores the full primary account number and card security code under its own terms and policies. In the current Stripe Connect card-guarantee flow, the payment method may be saved on the Client’s connected Stripe account through a SetupIntent for possible future off-session use; saving a payment method is not, by itself, an authorization hold or completed charge. Reslify may Process processor customer and payment-method identifiers, setup/payment intent identifiers, transaction identifiers, timestamps, amounts, currency, status, and masked card descriptors such as brand, last four digits, and expiry where available, strictly as necessary to operate the Services. Reslify does not store full primary account numbers or card security codes.

  3. EEA hosting. Client Personal Data processed within the Services (Client tenant) is hosted in Frankfurt, Germany (EU/EEA) by default. Authorized access to Client Personal Data may occur from other locations strictly as necessary to provide and support the Services, and in accordance with the DPA.

  4. Updates / objections. Reslify will provide notice of additions or replacements of Subprocessors and handle objections in accordance with Section 6.2 of the DPA.

  5. Observability note. Operational logging/observability is provided via Amazon CloudWatch and is covered under the AWS entry above (no separate third-party observability provider is currently configured).

  6. Categories not currently configured in this repository. No dedicated third-party SMS/WhatsApp messaging or customer support ticketing provider is currently configured in the production code paths in this repository.

SCHEDULE 3

Incorporation. This Schedule 3 forms part of and is incorporated into the Data Processing Addendum dated July 16, 2026 (the “DPA”) between Reslify and Client. In case of conflict, the DPA order of precedence applies.

Security Measures (Technical and Organizational Measures)

Reslify shall implement and maintain appropriate technical and organizational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, taking into account the state of the art, implementation costs, the nature, scope, context and purposes of the Processing, and the risk to the rights and freedoms of natural persons. Reslify records the implementation status, evidence, gaps, owner, and review date for each control area in an internal TOM control register. This Schedule does not represent that Reslify holds a security certification or has completed an independent penetration test.

1) Information Security Governance and Policies

Reslify maintains a documented operating standard, control register, privacy/incident procedure, and change history appropriate to its current owner-operated organization. Security and privacy responsibilities are assigned to the owners. The measures and material gaps are reviewed at least annually and after a material change to the Services, processing, infrastructure, personnel, or providers.

2) Access Control and Identity Management

Reslify limits production and Client Personal Data access to authorized persons on a need-to-know and least-privilege basis. Human production-capable access uses unique accounts. Multi-factor authentication is required where the applicable provider supports it; exceptions must be documented with compensating controls and an expiry. Secrets are kept in managed configuration or secret stores rather than source control. Production-capable access is reviewed at least every six months and after a role or access change. Sensitive production exports, destructive operations, legal holds, and critical/high risk acceptances require second-owner review where both owners are available, with retrospective review after an emergency.

3) Encryption, Minimization, and Key Controls

Reslify uses industry-standard encrypted transport such as TLS for service communications and provider-managed encryption at rest for production data stores and backups where supported. Access to provider-managed keys and encryption configuration is restricted through the applicable cloud access controls. Reslify applies minimization, masking, tokenization, or pseudonymous identifiers where appropriate to the purpose. This Schedule does not claim customer-managed keys or a separate Reslify key-rotation process where the service relies on provider-managed encryption.

4) Network Security, Logging, and Monitoring

Reslify uses managed cloud boundaries and access controls, including security groups or service-level permissions where applicable. Public API and application logging is configured to exclude request bodies, credentials, raw headers, IP addresses, user agents, and full paths where those fields are not necessary. Security-relevant events, monitoring, rate controls, and alarms are configured on a risk-based basis for production services.

5) Secure Development and Change Controls

Reslify separates development and production stages and credentials, maintains source history, and applies automated tests and risk-based human review to material changes. Security and privacy behavior is tested where practicable, including typed/minimized evidence logging and legal-policy contract checks. Independent penetration testing is performed when justified by risk, a material architectural change, contractual commitment, or customer requirement; this Schedule does not state that periodic independent penetration testing has already occurred.

6) Vulnerability and Patch Management

Reslify reviews dependency and provider security advisories at least monthly and before a production release, triages findings for applicability and production risk, and tracks remediation according to severity, exploitability, available fixes, and compensating controls. An untriaged production-reachable critical or high finding blocks release. Any temporary acceptance of a critical/high risk must be time-bounded, documented, and approved by both owners.

7) Data Handling, Minimization, and Segregation

Reslify applies logical tenant scoping and authorization controls within the Services, limits fields and retention to the service purpose, and avoids using production Client Personal Data in non-production unless strictly necessary, approved, minimized, and protected. Support and troubleshooting access and exports are limited to what is necessary for the documented purpose. Raw request bodies, credentials, and prohibited sensitive fields are excluded from the long-lived evidence archive.

8) Backups, Business Continuity, and Recovery

Reslify uses managed point-in-time recovery or other proportionate backup mechanisms for production data stores where supported and necessary. Reslify maintains a recovery procedure and performs a representative restore rehearsal at least annually and after a material recovery-design change. Recovery validation is risk-based and does not constitute a promise of a specific recovery-time or recovery-point objective unless separately agreed. Applicable deletion or restriction controls are re-applied before restored data is returned to service.

9) Physical and Endpoint Security

Production infrastructure is hosted in professionally managed data centers operated by the applicable cloud provider and subject to that provider's physical and environmental controls. Devices used by Reslify to access production systems or Client Personal Data must use supported operating systems, disk encryption, screen locking, timely security updates, and owner/operator access restrictions. Approved temporary local exports must be encrypted, access-limited, and deleted after their purpose is complete.

10) Incident Response and Security Event Management

Reslify maintains procedures for identifying, containing, investigating, remediating, and documenting security incidents; escalating them to the privacy/security owners; assessing Personal Data Breach notifications; and providing Client with information required under this DPA. A representative incident-response tabletop is performed at least annually and resulting corrective actions are tracked.

11) Confidentiality, Training, and Access Changes

Access is limited to Reslify's owners and any other specifically authorized persons. Each person with access must be bound by confidentiality obligations and complete role-appropriate security and privacy instruction before access and at least annually. Access is changed or removed promptly when responsibilities change or a person's authorization ends. Completion metadata is recorded internally; this owner-operated control replaces references to employee disciplinary procedures that do not reflect Reslify's current organization.

12) Subprocessor Security Management

Before permitting a Subprocessor to Process Client Personal Data, Reslify records the provider's role, data/purpose, processing locations, relevant security evidence, contractual data-protection terms, and applicable transfer mechanism. Reslify enters into the terms required by Section 6 and applicable Data Protection Laws and reviews the provider at least annually and after a material provider, service, location, subprocessor, security, or contractual change. Public provider trust pages are not treated as proof of Reslify's account-specific contract or configuration.

13) Payment Card Data Scope

Full primary account numbers and card security codes are collected in payment-processor-controlled fields, pages, or iframes and are not stored by Reslify. Reslify may Process processor customer and payment-method identifiers, setup/payment intent and transaction identifiers, amounts, currency, timestamps, status, and masked card descriptors such as brand, last four digits, and expiry month/year where available, strictly as necessary to operate the Services. Reslify reassesses this boundary before enabling a new payment path.

14) Measures Supporting Data Subject Requests

Reslify maintains administrative and/or product controls that allow Client to access, export, rectify, delete, or restrict Client Personal Data to the extent supported by the Services, together with a documented procedure for controller/processor triage, proportionate identity verification, system searches, second-person review of exports and destructive actions, secure delivery, and reasonable assistance where Client cannot fulfill a request through self-service controls.

15) Data Retention, Secure Deletion, and Log Retention

Reslify deletes or logically destroys Client Personal Data from active systems upon Client instruction or termination as required by this DPA and applicable law. Routine backups are protected and expire or are overwritten on rolling, service-specific schedules; deleted data may remain until scheduled expiry and applicable deletion/restriction controls are re-applied after a restore. Ordinary production application and API diagnostics are retained in access-controlled operational systems for up to 30 days. Only selected, explicitly classified, and minimized security, payment, and dispute evidence events may be retained in an access-controlled evidence archive for up to 400 days. Relevant normalized evidence may be preserved longer only under a documented, case-specific legal hold or where necessary to comply with applicable law or establish, exercise, or defend legal claims.

SCHEDULE 4

Completion of the SCCs and Related Transfer Documents

This Schedule 4 sets out how the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the “EU SCCs”) are incorporated into and completed under this DPA, and (where applicable) how they are adapted for UK Restricted Transfers and Switzerland Restricted Transfers.

PART 1: EEA RESTRICTED TRANSFERS (EU SCCs)

1. Deemed Execution of the SCCs

Where the EU SCCs apply pursuant to Section 8.4 of this DPA, each Party is deemed to have executed the EU SCCs (including by electronic acceptance), and to have signed the EU SCCs at the relevant signature blocks of the SCCs and/or the Appendix thereto, as applicable for the relevant Restricted Transfer.

2. Applicable SCC Modules

Having regard to the role(s) of Client described in Schedule 1 of this DPA, the Parties agree that the following SCC modules apply, as relevant to the applicable EEA Restricted Transfer:

(a) Module Two (Controller → Processor) applies to any EEA Restricted Transfer where Client acts as a Controller in its own right with respect to the relevant Client Personal Data; and

(b) Module Three (Processor → Processor / Subprocessor) applies to any EEA Restricted Transfer where Client acts as a Processor on behalf of another Controller (including, where applicable, its Affiliates) and appoints Reslify to Process such data for the Services.

3. Completion of the SCC Clauses

For each applicable module, the Parties agree that the SCCs shall be completed as follows, to the extent relevant to the applicable clauses:

(a) Clause 7 (Docking clause): not used.

(b) Clause 9 (Use of Subprocessors): Option 2 (General written authorisation) applies. (i) The time period in Clause 9(a) for Reslify’s prior notice of any intended addition or replacement of a Subprocessor is completed as: at least ten (10) business days in advance. (ii) The time period in Clause 9(a) for Client’s right to object following such notice is completed as: ten (10) business days from receipt of the notice. (iii) These completions are intended to align with the notice and objection process set out in Section 6.2 of this DPA.

(c) Clause 11 (Redress): the optional language is not used.

(d) Clause 13 (Supervision): the bracketed drafting options in Clause 13(a) are completed by selecting the applicable scenario and disapplying the non-applicable bracketed alternatives, consistent with Paragraph 4(b) below and Annex I, Part C.

(e) Clause 17 (Governing law): Option 1 applies. The Parties agree that the EU SCCs shall be governed by the law of Ireland for EEA Restricted Transfers, consistent with the requirement that the chosen law provides third-party beneficiary rights. For clarity, this choice of law and forum applies only to the EU SCCs for EEA Restricted Transfers and does not amend the governing law/forum provisions of the Agreement outside the SCCs.

(f) Clause 18(b) (Choice of forum and jurisdiction): the Parties agree that, for EEA Restricted Transfers, disputes arising under the SCCs shall be resolved by the courts of Ireland.

(g) Clauses 14 and 15 (Transfer assessments and public authority access): The Parties shall comply with their respective obligations under Clauses 14 and 15 of the EU SCCs, as applicable, including documenting and keeping under review the assessment of the relevant transfer(s) and implementing supplementary measures where required.

4. Completion of the Annexes to the SCCs

The Annexes to the SCCs shall be completed as follows:

(a) Annex I (A/B) – Parties and Description of Transfer: populated with the corresponding information set out in Schedule 1 to this DPA, with Client as the data exporter and Reslify as the data importer.

(b) Annex I, Part C – Competent Supervisory Authority: determined as follows:

(i) If Client is established in an EU/EEA Member State, the competent supervisory authority shall be the supervisory authority of the EU/EEA Member State in which Client is established.

(ii) If Client is not established in an EU/EEA Member State, Article 3(2) GDPR applies, and Client has appointed an EU representative under Article 27 GDPR, the competent supervisory authority shall be the supervisory authority of the EU/EEA Member State in which Client’s relevant EU representative is located (as updated from time to time).

(iii) If Client is not established in an EU/EEA Member State, Article 3(2) GDPR applies, and Client is not required to appoint an EU representative pursuant to Article 27(2) GDPR, Client shall notify privacy@reslify.com in writing of one competent supervisory authority in an EU/EEA Member State where the relevant Data Subjects are located in connection with the offering of goods or services to them, or the monitoring of their behaviour, in relation to the transfer(s) under the SCCs.

(iv) If Client is required to provide a designation under paragraph (iii) but does not do so, the competent supervisory authority shall be the supervisory authority of the EU/EEA Member State where the majority of relevant Data Subjects are located in connection with the relevant transfer(s), as reasonably determined based on information available to Reslify.

(c) Annex II – Technical and Organisational Measures: populated by reference to the security measures described in Section 7.1 of this DPA and Schedule 3 (Security Measures). For the avoidance of doubt, the technical and organisational measures described in Schedule 3 apply to Client Personal Data processed under this DPA, including for purposes of the applicable Restricted Transfers.

(d) Annex III – List of Subprocessors: populated by reference to Schedule 2 (List of Subprocessors), as updated from time to time in accordance with Section 6.2 of this DPA.

(e) Subprocessor commitments (where applicable): When Reslify engages a Subprocessor in connection with the SCCs, Reslify shall enter into a binding written agreement with the Subprocessor requiring protections that are no less protective than those imposed on Reslify under the EU SCCs and this DPA, including, as applicable, obligations relating to (i) appropriate information security measures, (ii) notification of Personal Data Breaches to Reslify, (iii) return or deletion of Client Personal Data as required, and (iv) restrictions and controls on the engagement of further Subprocessors.

PART 2: UK RESTRICTED TRANSFERS (UK TRANSFER ADDENDUM)

1. Incorporation of the UK Transfer Addendum. Where the UK Transfer Addendum applies pursuant to Section 8.5 of this DPA, the EU SCCs shall apply to UK Restricted Transfers as amended and supplemented by the UK Transfer Addendum (together with the EU SCCs, the “UK Transfer Mechanism”). The Parties agree that this Part 2 describes how the UK Transfer Addendum is incorporated and completed for such UK Restricted Transfers.

2. Completion of the UK Transfer Addendum (Part 1: Tables 1–4). To the extent the UK Transfer Addendum permits the Parties to complete the required information by cross-reference, the Parties agree that the information required by Part 1 (Tables 1–4) of the UK Transfer Addendum is satisfied as follows:

(a) Tables 1–3 (Parties, Approved EU SCCs, Appendix Information). Tables 1, 2 and 3 are deemed completed using the corresponding information set out in Schedule 1 of this DPA and Part 1 of this Schedule 4 (as applicable), subject to any mandatory application of the UK Mandatory Clauses.

(b) Table 4 (Ending this Addendum when the Approved Addendum changes). Table 4 is deemed completed by selecting: “Importer” as the party that may end the UK Transfer Addendum in accordance with Section 19 of the UK Transfer Addendum (Ending the Addendum when the Approved Addendum changes).

3. UK Mandatory Clauses. The Parties agree to be bound by the UK Mandatory Clauses contained in Part 2 of the UK Transfer Addendum.

4. Presentation of the Tables; No Reduction of Safeguards. As permitted by the UK Transfer Addendum (including its provision allowing the Parties to vary the format used to present the Part 1: Tables information), the Parties agree that presenting the Table information by cross-reference in this Schedule 4 is acceptable, provided that nothing in this presentation operates to reduce the “Appropriate Safeguards” required by the UK Transfer Addendum.

5. Construction of References. For any UK Restricted Transfer to which this Part 2 applies, references in this DPA to the “SCCs” shall be read, where the context requires, as references to the EU SCCs as amended and supplemented by the UK Transfer Addendum for the relevant UK Restricted Transfer. For the avoidance of doubt, for UK Restricted Transfers the governing law and jurisdiction (and any related procedural provisions) are determined in accordance with the UK Transfer Addendum (and the UK Mandatory Clauses), and any references in Part 1 of this Schedule 4 to Irish law and/or the courts of Ireland apply only to EEA Restricted Transfers.

PART 3 (SWITZERLAND) – Swiss Addendum to the EU SCCs (Decision (EU) 2021/914)

1. Scope. This Part 3 applies to any transfer of Client Personal Data that is subject to Swiss Data Protection Laws (including the Swiss Federal Act on Data Protection, as revised, and its implementing ordinances) from Switzerland to Reslify (or its Subprocessors) in a country not recognized as providing an adequate level of protection under Swiss Data Protection Laws, unless the Parties rely on another valid transfer mechanism recognized under Swiss law (including, where applicable, the Swiss-U.S. Data Privacy Framework for recipients certified thereunder).

2. Incorporation of the EU SCCs. For such transfers, the Parties agree that the EU SCCs (Decision (EU) 2021/914) are incorporated by reference and apply as the appropriate safeguard, as supplemented by this Swiss Addendum.

3. Interpretation for Swiss Transfers. Where the SCCs refer to the “GDPR”, such references shall be understood, for Swiss-law governed aspects of the transfer, as references to Swiss Data Protection Laws, to the extent necessary to ensure compliance with Swiss requirements and to avoid disadvantaging Swiss data subjects.

4. Supervisory Authority (Annex I.C). For Swiss transfers, the competent supervisory authority shall be the Federal Data Protection and Information Commissioner (FDPIC/EDÖB), which shall be designated in Annex I.C of the SCCs for transfers subject to Swiss Data Protection Laws. Where a transfer is also subject to the GDPR (e.g., due to the GDPR’s extraterritorial application), the Parties acknowledge that supervisory competence is parallel and, in addition to the FDPIC/EDÖB for Swiss-law aspects, an EU supervisory authority shall be designated in Annex I.C in accordance with Clause 13 of the SCCs for the GDPR-governed aspects of the transfer.

5. Module and Roles. Having regard to the role(s) of Client described in Schedule 1 and the Agreement, the Parties agree that, for Switzerland Restricted Transfers: (a) Module Two (Controller → Processor) applies where Client acts as a Controller in its own right with respect to the relevant Client Personal Data; and (b) Module Three (Processor → Processor) applies where Client acts as a Processor on behalf of another Controller and appoints Reslify to Process such data for the Services. In each case, Client is the data exporter and Reslify is the data importer for the purposes of the applicable module.

6. Swiss Data Subjects’ Rights; Clause 18(c). With respect to Clause 18(c) of the SCCs, the Parties clarify that the term “Member State” shall not be interpreted in a manner that would exclude Swiss data subjects from bringing claims at their habitual place of residence in Switzerland; Swiss data subjects may therefore bring legal proceedings in Switzerland to enforce the third-party beneficiary rights granted under the SCCs, without prejudice to any mandatory Swiss law provisions.

7. Governing Law (Clause 17) for Swiss Transfers. For transfers subject exclusively to Swiss Data Protection Laws, Clause 17 of the SCCs shall be completed so that the SCCs (as supplemented by this Swiss Addendum) are governed by the laws of Switzerland.

8. Choice of Forum and Jurisdiction (Clause 18(b)) for Swiss Transfers. For transfers subject exclusively to Swiss Data Protection Laws, Clause 18(b) of the SCCs shall be completed so that disputes arising from the SCCs (as supplemented by this Swiss Addendum) shall be resolved by the competent courts of Switzerland.

9. Order of Precedence. In case of conflict between the SCCs and this Swiss Addendum, this Swiss Addendum prevails solely for Swiss-law specific elements necessary to reflect Swiss requirements; otherwise, the SCCs prevail.

SCHEDULE 5

TURKEY (KVKK) ADDENDUM

This Schedule 5 applies only if and to the extent that (i) Client is established in Türkiye, and/or (ii) the Processing and/or transfer of Client Personal Data is subject to the Turkish Personal Data Protection Law No. 6698 (“KVKK”) and related secondary legislation on cross-border transfers.

1. Definitions & Interpretation. For the purposes of this Schedule 5, references to “Data Protection Laws” in the DPA include KVKK to the extent applicable. The terms “Controller” and “Processor” shall be interpreted, where relevant under KVKK, as “Veri Sorumlusu” and “Veri İşleyen”, respectively.

2. Cross-Border Transfers from Türkiye (KVKK Article 9).

2.1 Client acknowledges that, in providing the Services, Reslify may host and/or access Client Personal Data outside Türkiye (including in the EU/EEA and/or the United States), which may constitute a cross-border transfer under KVKK.

Where the supported PAYTR marketplace flow is enabled, Reslify Bilişim Pazarlama Limited Şirketi may Process the transaction, beneficiary, settlement, refund, adjustment, and reconciliation metadata necessary to provide that flow as Reslify’s Subprocessor. Any independent Controller processing by that entity for its own marketplace-account, commission, accounting, tax, fraud-prevention, legal-compliance, or legal-claims purposes is governed by the Privacy Policy and does not fall within this DPA. Reslify will maintain any intercompany processing and transfer terms required for its appointment and access.

2.2 Client’s Processing of Personal Data; Instructions. Client shall, in its use of the Services, Process Personal Data, including by engaging Reslify as Processor, in accordance with applicable Data Protection Laws. For the avoidance of doubt, Client’s instructions for the Processing of Client Personal Data shall comply with applicable Data Protection Laws. The Parties agree that, as of the date Client enters into the Agreement, the Agreement (including this DPA) constitutes Client’s complete documented instructions to Reslify for the Processing of Client Personal Data. For clarity, Client’s documented instructions also include Client’s configuration and use of the Services (including administrative settings and feature selections), Client’s use of the Services’ self-service controls, and any support requests or API calls submitted by or on behalf of Client, in each case to the extent consistent with the Agreement. Any additional or alternative instructions that materially expand the scope of Processing beyond the Agreement shall be agreed by the Parties and documented in a written amendment to this DPA. Client shall have sole responsibility for (a) the accuracy of Client Personal Data, (b) the manner in which Client collected and obtained such Client Personal Data, and (c) ensuring that all required notices have been provided and that all necessary consents and permissions have been obtained, as required under applicable Data Protection Laws, in connection with Reslify’s Processing of Client Personal Data.

2.3 Standard Contract Requirement (No Substitution). The Parties acknowledge that this Schedule 5 itself does not constitute an “appropriate safeguard” for KVKK cross-border transfers. Where a Turkish standard contract is required as the appropriate safeguard, the Parties shall execute the applicable Turkish Standard Contract (SS-1/SS-2/SS-3/SS-4) published (and as may be updated from time to time) by the Turkish Personal Data Protection Authority/Board (the “Turkish Standard Contract”). For clarity, Client’s documented instructions include instructions relating to international transfers and any remote access from third countries, as described in Section 8 and Schedule 4 (as applicable).

2.4 No Modification; Turkish Prevails. The Turkish Standard Contract shall be used without modification to its standard text. If the Turkish Standard Contract is also executed in another language, the Turkish text shall prevail.

2.5 Form of Execution. The Turkish Standard Contract will be executed as a separate agreement between the transfer parties and signed by duly authorized signatories.

3. Notification to the Turkish Authority (5 Business Days). The Parties acknowledge that the Turkish Standard Contract must be notified to the Turkish Personal Data Protection Authority within five (5) business days following completion of all signatures, in accordance with applicable rules. Unless the Turkish Standard Contract expressly allocates the notification obligation otherwise, the Parties designate Client (as the data exporter / veri aktaran) as responsible for making the notification. Reslify will provide reasonable cooperation and information necessary for such notification upon Client’s request. The Parties will ensure that each transfer party’s signature date is stated on the Turkish Standard Contract for purposes of determining the notification deadline. Any allocation of the notification responsibility in this Schedule 5 will be applied in a manner consistent with the selection/fields completed in the Turkish Standard Contract.

4. Compliance; Assistance; Data Subject Rights; Breach Notice. Reslify shall Process Client Personal Data in accordance with the DPA and, to the extent applicable, the general principles under KVKK (including KVKK Article 4). Reslify shall provide reasonable assistance to Client in responding to Data Subject requests under KVKK Article 11, consistent with the assistance provisions of the DPA. Reslify shall notify Client without undue delay after becoming aware of a Personal Data Breach affecting Client Personal Data, consistent with the breach notification provisions of the DPA.

5. Order of Precedence. In the event of any conflict between this Schedule 5 and the Turkish Standard Contract, the Turkish Standard Contract shall prevail solely to the extent necessary to comply with KVKK cross-border transfer requirements. Nothing in this Schedule 5 is intended to reduce protections provided under the DPA.