Data Processing Agreement

3.1 NeuroPage shall Process Personal Data only for the purposes of providing the Services under the Main Agreement, including personalized page generation, persona analysis, hosting, integrations, support, and analytics directly connected to the Services.

3.2 The subject matter, nature, and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects are described in Annex 1.

3.3 The duration of the Processing shall continue for as long as NeuroPage provides the relevant Services to Customer and for such limited period thereafter as required to complete deletion, return, backup rotation, legal compliance, or documented winding-down activities under this DPA.

3.4 Customer acknowledges that certain limited processing activities may continue for a short period after account termination or deletion requests where reasonably necessary to implement secure deletion, prevent fraud or abuse, or complete standard backup overwriting cycles.

4.1 As between the parties, Customer is the Controller or equivalent responsible party for Personal Data processed by NeuroPage on behalf of Customer through the Services, except where NeuroPage acts as an independent Controller for its own business purposes as described in the Privacy Policy or Main Agreement.

4.2 NeuroPage acts as Processor only with respect to Personal Data that Customer instructs NeuroPage to process for Customer's campaigns, personalized pages, persona analysis, and related workflows.

4.3 Nothing in this DPA prevents NeuroPage from acting as an independent Controller with respect to account administration, billing, security, fraud prevention, product abuse monitoring, legal compliance, and other purposes for which NeuroPage determines the purposes and means of processing.

4.4 Customer is solely responsible for determining whether its collection, disclosure, and use of Personal Data through the Services is lawful and appropriate under Applicable Data Protection Law, including any obligations relating to transparency, lawful basis, suppression lists, objections to direct marketing, and data subject rights.

5.1 NeuroPage shall process Personal Data only on Customer's documented instructions, including as set out in the Main Agreement, this DPA, Customer's use of the Services, Customer's configuration choices, and Customer's requests submitted through the Services or support channels.

5.2 Customer instructs NeuroPage to process Personal Data as necessary to provide, secure, host, support, maintain, and improve the Services for Customer, including generating personalized pages and persona analysis based on customer-provided or customer-authorized inputs.

5.3 Customer shall ensure that its instructions comply with Applicable Data Protection Law. NeuroPage shall promptly inform Customer if, in NeuroPage's opinion, a documented instruction infringes Applicable Data Protection Law, unless prohibited from doing so by law.

5.4 NeuroPage shall not be required to follow any instruction that would cause NeuroPage to violate Applicable Data Protection Law or that falls outside the scope of the Services.

6.1 Customer represents and warrants that it has all rights, permissions, notices, consents, or other lawful bases necessary to disclose Personal Data to NeuroPage and to instruct NeuroPage to process such Personal Data for the purposes contemplated by the Main Agreement and this DPA.

6.2 Customer shall not submit, upload, or otherwise make available Restricted Data to NeuroPage unless NeuroPage has expressly agreed in writing to process such data and the parties have implemented any additional safeguards required by Applicable Data Protection Law.

6.3 Without limiting Clause 6.2, Customer shall not intentionally use the Services to process special-category data, criminal-offence data, children's data, political campaigning data, or data used for solely automated decisions with legal or similarly significant effects concerning individuals.

6.4 Customer remains solely responsible for the legality of source data obtained from its own systems, customer-authorized integrations, CRM tools, outreach platforms, uploaded files, or customer-provided URLs. NeuroPage is not a lead database broker and is not responsible for the original collection practices of Customer or Customer-selected third parties.

6.5 Where Customer uses professional profile data or customer-provided profile URLs in connection with the Services, Customer remains responsible for ensuring that such use is lawful and consistent with applicable law and third-party terms.

7.1 NeuroPage shall ensure that persons authorized to process Personal Data are bound by appropriate obligations of confidentiality, whether by contract, policy, or statutory duty.

7.2 NeuroPage shall limit access to Personal Data to personnel, contractors, and subprocessors who require such access for the performance, support, security, or maintenance of the Services and who are subject to appropriate confidentiality obligations.

8.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks for the rights and freedoms of natural persons, NeuroPage shall implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

8.2 Such measures may include, where appropriate, encryption in transit and at rest, access control mechanisms, role-based permissions, secure hosting arrangements, backup management, environment segregation, monitoring, and internal policies governing access and handling of data.

8.3 Customer acknowledges that no security measure can guarantee absolute security. NeuroPage does not warrant that the Services will be immune from all security incidents, but shall maintain safeguards appropriate to the risks presented by the processing activities covered by this DPA.

9.1 Customer grants NeuroPage a general authorization to engage Subprocessors in connection with the Services, provided that NeuroPage remains responsible for the performance of its Subprocessors to the extent required by Applicable Data Protection Law.

9.2 NeuroPage shall impose data protection obligations on each Subprocessor that are substantially equivalent to the obligations set out in this DPA, to the extent applicable to the services performed by that Subprocessor.

9.3 Upon written request, NeuroPage shall provide Customer with reasonable information about categories of Subprocessors or, where maintained, a current Subprocessor list, subject to confidentiality and security limitations.

9.4 If Customer reasonably objects to a new Subprocessor on data protection grounds, the parties shall discuss the objection in good faith. If no reasonable resolution is available, Customer may cease using the affected part of the Services or terminate the affected portion of the Services in accordance with the Main Agreement.

10.1 NeuroPage shall not transfer Personal Data subject to the GDPR outside the European Economic Area except where such transfer is permitted under Applicable Data Protection Law and subject to appropriate safeguards.

10.2 Where required, such safeguards may include an adequacy decision, the European Commission's Standard Contractual Clauses, the UK Addendum, or another legally recognized transfer mechanism.

10.3 Customer authorizes NeuroPage to take such steps as are reasonably necessary to implement and maintain an appropriate transfer mechanism where required for the lawful provision of the Services.

11.1 Taking into account the nature of the processing, NeuroPage shall provide reasonable assistance to Customer, through appropriate technical and organizational measures where possible, to enable Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

11.2 If NeuroPage receives a request from a Data Subject relating to Personal Data processed under this DPA, NeuroPage may, where legally permitted and reasonably practicable, direct the request to Customer or notify Customer of the request.

11.3 Customer is responsible for responding to Data Subject requests where Customer is the Controller and for maintaining any suppression, deletion, or objection records required for Customer's marketing and campaign activities.

12.1 Taking into account the nature of processing and the information available to NeuroPage, NeuroPage shall provide reasonable assistance to Customer with Customer's obligations under Articles 32 to 36 GDPR or equivalent provisions of Applicable Data Protection Law, to the extent Customer cannot reasonably fulfil those obligations without NeuroPage's assistance.

12.2 Such assistance may include information concerning NeuroPage's security measures, data flows relevant to the Services, and support in connection with Data Protection Impact Assessments or prior consultation requirements, subject to reasonable confidentiality, technical feasibility, and cost considerations.

13.1 NeuroPage shall notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed by NeuroPage on behalf of Customer under this DPA.

13.2 Such notification shall, to the extent reasonably possible at the time of notice, include a description of the nature of the Personal Data Breach, the categories of affected data, the likely consequences, and the measures taken or proposed to address the Personal Data Breach.

13.3 NeuroPage's notification of a Personal Data Breach is not an acknowledgment of fault or liability.

14.1 Upon termination of the Services or upon Customer's valid request, NeuroPage shall delete or return Personal Data processed under this DPA, unless retention is required by applicable law or reasonably necessary for the completion of secure deletion procedures, backup rotation, fraud prevention, dispute resolution, or enforcement of the Main Agreement.

14.2 Unless otherwise agreed in writing, active production data subject to a valid deletion request shall be deleted within approximately seventy-two (72) hours, subject to ordinary system constraints and verification procedures.

14.3 Generated personalized pages that remain hosted by NeuroPage after account termination may remain accessible for a limited transition period of up to thirty (30) days and may thereafter be disabled, removed, or redirected in accordance with the Main Agreement and service configuration.

14.4 Backup copies containing Personal Data may continue to exist for a limited period not exceeding thirty (30) days after deletion from active systems, after which such backup copies shall be overwritten or otherwise rendered inaccessible in accordance with NeuroPage's backup retention practices.

14.5 NeuroPage may retain Aggregated Analytics or De-identified Analytics for longer periods, including for product improvement, benchmarking, service optimization, and abuse prevention, provided such analytics are not reasonably capable of being linked back by NeuroPage to a specific individual, personalized page, or customer campaign.

14.6 Where analytics remain linked to a customer account, campaign, personalized page, or identifiable individual, NeuroPage shall retain such analytics only for a limited period as described in the Main Agreement or Privacy Policy, or otherwise only as long as reasonably necessary for the purposes for which such analytics were collected.

15.1 NeuroPage shall make available to Customer such information as is reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law.

15.2 Where required by Applicable Data Protection Law, and upon reasonable written notice, Customer may request an audit of NeuroPage's compliance with this DPA, provided that any such audit shall be limited to once annually unless a Personal Data Breach or regulator request reasonably justifies a further audit.

15.3 Any audit shall be conducted during normal business hours, in a manner that minimizes disruption, and subject to reasonable confidentiality, security, and scope limitations. NeuroPage may satisfy audit obligations by providing recent third-party audit reports, security summaries, or other equivalent documentation where appropriate.

15.4 Customer shall bear its own costs of any audit, and shall reimburse NeuroPage for reasonable costs incurred in supporting any on-site audit or unusually burdensome audit request, except where a material breach of this DPA by NeuroPage is established.

16.1 Each party's liability arising out of or relating to this DPA shall be subject to the exclusions and limitations of liability set out in the Main Agreement, unless Applicable Data Protection Law requires otherwise.

16.2 Nothing in this DPA limits a party's liability to the extent such limitation is prohibited by Applicable Data Protection Law.

17.1 This DPA shall be governed by the laws of the Netherlands, excluding its conflict of laws rules, unless the Main Agreement expressly provides otherwise.

17.2 The courts of Amsterdam, the Netherlands, shall have exclusive jurisdiction over disputes arising under this DPA, except where mandatory law requires otherwise.

17.3 If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

17.4 This DPA may be updated by NeuroPage where reasonably necessary to reflect changes in the Services, Applicable Data Protection Law, or Subprocessor arrangements, provided that any material adverse change shall be notified in accordance with the Main Agreement.