Data Processing Agreement (DPA)

DATA PROCESSING AGREEMENT (DPA) Last Updated: May 2026

This Data Processing Agreement ("DPA") governs the processing of personal data in connection with the services provided by Rinnode to its customers.

1. ROLES AND SCOPE Customer acts as the Data Controller, and Rinnode acts as the Data Processor. This DPA applies to the processing of personal data ("Data") submitted by Controller's users through forms, waitlists, and lead capturing widgets hosted or processed by Rinnode.

2. PROCESSOR OBLIGATIONS Rinnode agrees to: - Process Personal Data only on documented instructions from the Controller. - Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality. - Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. - Assist the Controller in responding to Data Subjects' requests exercising their rights.

3. SUB-PROCESSORS Controller authorizes Rinnode to engage sub-processors (such as database hosts, server infrastructure providers, and queue systems) to perform specific processing activities. Rinnode shall ensure that engaged sub-processors are bound by data protection obligations equivalent to those set out in this DPA.

4. DATA TRANSFERS Rinnode shall ensure that any transfer of personal data outside the European Economic Area (EEA), United Kingdom (UK), or Switzerland is protected by appropriate safeguards, including Standard Contractual Clauses (SCCs).

5. DATA BREACH NOTIFICATION In the event of a confirmed security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, Rinnode shall notify the Controller without undue delay (within 72 hours of becoming aware of the breach).