Data Processing Addendum (DPA)

Effective Date: 1 April 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between ENTROPY LLC ("Processor") and the customer using the Service ("Controller"), to the extent Processor processes Personal Data on behalf of Controller.

1. Purpose and Scope

This DPA applies when Processor processes Personal Data on behalf of Controller in connection with the Service.

This DPA supplements the Terms of Service and governs the processing of Personal Data carried out by Processor for Controller.

2. Definitions

"Personal Data," "Controller," "Processor," "Data Subject," and "Processing" have the meanings given under applicable data protection law, including the GDPR where applicable.

3. Roles of the Parties

The parties acknowledge that:

• Controller determines the purposes and means of processing Customer-controlled data submitted to the Service; and
• Processor processes Personal Data on behalf of Controller for the limited purposes described in the Terms of Service and this DPA.

4. Subject Matter and Duration

4.1 Subject Matter

Processor provides the Service, including subscription collection infrastructure, message management, campaign delivery support, reporting, billing-related administration, and related hosting and support functions.

4.2 Duration

Processing continues for as long as Processor provides the Service to Controller and for any additional period reasonably necessary for backup, security, legal compliance, dispute handling, or deletion/return procedures.

5. Nature and Purpose of Processing

Processor may process Personal Data in order to:

• host and maintain customer accounts and project data;
• receive and store browser push subscription data;
• associate subscriptions with customer tags and campaigns;
• queue and deliver push notifications based on Controller instructions;
• log delivery outcomes, inactive subscriptions, and operational events;
• provide reporting, troubleshooting, security, and support;
• manage billing, access control, and service administration.

6. Categories of Data Subjects

Depending on how Controller uses the Service, categories of Data Subjects may include:

• Controller personnel and account users;
• website visitors who subscribe to browser push notifications on Controller websites;
• recipients of Controller campaigns;
• support or billing contacts.

7. Categories of Personal Data

Depending on use of the Service, Personal Data may include:

• email address and contact details of Controller personnel;
• account and login metadata;
• browser push subscription endpoint;
• push subscription cryptographic keys;
• timezone and technical device/browser metadata;
• tag associations;
• campaign metadata and message content submitted by Controller;
• delivery, unsubscribe, and operational log records;
• payment or subscription identifiers received from payment providers.

8. Controller Instructions

Processor will process Personal Data only:

• on documented instructions from Controller;
• as necessary to provide the Service under the Terms of Service; or
• as required by applicable law.

Controller instructs Processor to process Personal Data as necessary to provide and secure the Service and to carry out related support, logging, billing, and system administration functions.

9. Controller Responsibilities

Controller is responsible for:

• ensuring it has a lawful basis for processing Personal Data;
• providing legally required notices to Data Subjects;
• obtaining any required consents or permissions;
• ensuring that its use of the Service complies with applicable law;
• not instructing Processor to engage in unlawful processing.

10. Processor Personnel and Confidentiality

Processor will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

11. Security Measures

Processor will implement and maintain reasonable technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

Such measures may include, as appropriate to the Service:

• access controls;
• authentication and session protections;
• rate limiting and abuse controls;
• logging and monitoring;
• environment separation;
• restricted configuration management;
• reasonable measures to protect data in transit and at rest where applicable.

12. Subprocessors

Controller authorizes Processor to use subprocessors as reasonably necessary to provide the Service, including hosting, infrastructure, security, anti-abuse, payment, and communications providers.

Processor remains responsible for the performance of its subprocessors to the extent required by applicable law.

13. Assistance

Taking into account the nature of the processing and the information available to Processor, Processor will provide reasonable assistance to Controller in responding to Data Subject requests and in addressing applicable data protection obligations, to the extent required by law and reasonably feasible.

14. Security Incidents

If Processor becomes aware of a confirmed security incident affecting Personal Data processed under this DPA, Processor will notify Controller without undue delay, taking into account the information reasonably available to Processor and the need to verify the incident before notification.

15. Deletion and Return of Data

Upon termination of the Service, Processor will delete or return Personal Data as required by applicable law, the Terms of Service, or documented Controller instructions, except to the extent Processor must retain certain data for legal, regulatory, security, backup, accounting, dispute, or compliance purposes.

16. International Transfers

Processor may process Personal Data in the United States and other jurisdictions where Processor or its subprocessors operate.

Where required by applicable law, the parties will cooperate in implementing an appropriate transfer mechanism.

17. Audits and Information Requests

Processor will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, proportionality, and the protection of other customers and Processor's systems.

Any audit rights must be exercised in a reasonable manner, during normal business hours, with reasonable prior notice, and without disrupting Processor operations.

18. Liability

Liability under this DPA is subject to the liability limitations and exclusions set out in the Terms of Service, to the extent permitted by applicable law.

19. Order of Precedence

If there is a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls to that extent.

20. Governing Law

This DPA is governed by the laws specified in the Terms of Service, unless applicable data protection law requires otherwise.

21. Contact

Processor:

ENTROPY LLC 680 S Cache Street 100-7403, Jackson, WY misha@entropy-ads.com