Data Processing Agreement (DPA)
Effective Date: March 4, 2026
Last Updated: March 23, 2026
This Data Processing Agreement ("DPA") is entered into between Kosmatic Solutions Inc. ("Processor") and the Customer ("Controller") and forms part of the Terms of Service between the parties.
This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), the Brazilian Lei Geral de Proteção de Dados (LGPD), and other applicable data protection laws.
1. Definitions
| Term | Definition |
|------|------------|
| "Applicable Laws" | GDPR, UK GDPR, CCPA/CPRA, PIPEDA, Quebec Law 25, LGPD, and other data protection laws applicable to the processing. |
| "Controller" | The Customer, who determines the purposes and means of processing Personal Data. |
| "Data Subject" | An identified or identifiable natural person whose Personal Data is processed. |
| "Personal Data" | Any information relating to a Data Subject processed under the Agreement. |
| "Processing" | Any operation performed on Personal Data (collection, storage, use, disclosure, profiling, automated decision-making, etc.). |
| "Processor" | Kosmatic Solutions Inc., who processes Personal Data on behalf of the Controller. |
| "Profiling" | Any form of automated processing of Personal Data to evaluate, analyze, or predict aspects concerning a natural person's behavior, preferences, or economic situation. |
| "Automated Decision-Making" | A decision made solely by automated means, including profiling, that produces legal or similarly significant effects. |
| "AI Workflow" | A scheduled or triggered automated process using artificial intelligence to process Personal Data. |
| "MCP API" | The Model Context Protocol API that allows authorized AI assistants to interact with the Service. |
| "Security Incident" | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. |
| "Standard Contractual Clauses" | The EU Commission's Standard Contractual Clauses for data transfers (Commission Implementing Decision 2021/914). |
| "Sub-processor" | Any third party engaged by Processor to process Personal Data. |
2. Processing Details
2.1 Subject Matter
The processing concerns AI-powered customer analytics, behavioral signal collection, automated profiling, customer lifetime value prediction, and marketing automation for e-commerce merchants.
2.2 Duration
Processing continues for the term of the Agreement and until deletion of all Personal Data as specified in Section 8.
2.3 Nature and Purpose
| Aspect | Description |
|--------|-------------|
| Nature | Collection, storage, analysis, profiling, automated decision-making, and transmission of behavioral and transactional data |
| Purpose | Customer lifetime value prediction; behavioral archetype classification; segment creation and audience sync; A/B test optimization; playbook recommendation and execution; AI Workflow processing; MCP API access; marketing platform integration |
| Data Subjects | End Users (visitors to Controller's e-commerce store) |
2.4 Categories of Personal Data
Tier 1 — Anonymous (no consent required):
- Scroll velocity, scroll depth, reading pattern classification
- Rage clicks, dead clicks, form interaction patterns (no content)
Tier 2 — Pseudonymous (ephemeral fingerprint, 24h TTL):
- Decision latency, navigation backtracks, mouse hesitation patterns
- Pricing attention, CTA engagement, exit trajectory
- Session depth, return visitor status
- Product attention data (hover time, viewport time, scroll-backs, clicks per product)
Tier 3 — Identified (explicit consent required):
- Email address, name, phone number
- Cart value, checkout progress, order history, lifetime spend
- Quiz/form responses (purchase timeline, budget authority, price sensitivity)
- UTM parameters and campaign attribution data
- Marketing consent status
Derived Data (generated by processing):
- Behavioral archetype classification and confidence score
- Customer lifetime value (CLV) prediction
- Purchase probability scores and peak conversion windows
- Segment membership
- Suggested playbook and intervention history
- Net behavioral score
2.5 Special Categories
Processor does not intentionally process special category data (Article 9 GDPR: health, biometric or genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation) or data relating to criminal convictions and offences (Article 10 GDPR) unless explicitly authorized by Controller in writing.
3. Obligations of Processor
3.1 Processing Instructions
Processor shall:
- Process Personal Data only on documented instructions from Controller
- Not use Personal Data for purposes other than providing the Service
- Not transfer Personal Data to third parties without authorization
- Ensure persons authorized to process are bound by confidentiality
- Not use Personal Data for Processor's own product development except in aggregate, anonymized form as described in the Terms of Service
3.2 Confidentiality
All personnel with access to Personal Data are bound by confidentiality obligations. Integration API keys, webhook URLs, and AI Workflow configurations provided by Controller are treated as Controller's Confidential Information.
3.3 Security Measures
Processor implements the following technical and organizational measures:
| Category | Measure |
|----------|---------|
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Authentication | Argon2id password hashing (m=65536 KiB, t=3, p=4); JWT access tokens (15-min expiry, httpOnly cookies); account lockout after 5 failed attempts |
| Access Control | Role-based access; merchant-scoped data isolation; MCP API scoped to merchant context |
| Monitoring | 24/7 security monitoring; AI action log for all automated operations |
| Rate Limiting | Authentication endpoints (10 requests/15 min); API endpoints rate-limited |
| Backups | Encrypted, geographically distributed |
| Testing | Quarterly penetration testing |
| Training | Annual security awareness training |
| Data Minimization | Three-tier consent model; configurable retention periods; automated daily deletion |
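The lockout and rate-limit figures in the table above (repeated in Annex B) describe a specific behaviour: a sliding window of 10 authentication requests per 15 minutes per source, and a 15-minute lockout of the account after 5 consecutive failed attempts. The following is an added illustration of that behaviour, not Kosmatic's implementation. The in-memory counters, the injectable clock, the sample IP addresses and account names, and the `password_ok` flag standing in for Argon2id verification are assumptions made so the example runs offline and deterministically.

```python
"""Authentication throttling as described in Section 3.3 and Annex B:
10 requests per 15 minutes per source on the login endpoint, and a 15-minute
account lockout after 5 consecutive failed attempts.

Added illustration, not Kosmatic's code. The in-memory counters, the injectable
clock and the ``password_ok`` flag (standing in for Argon2id verification) are
assumptions made so the example runs offline and deterministically.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

WINDOW_SECONDS = 15 * 60          # rate-limit window on authentication endpoints
MAX_REQUESTS_PER_WINDOW = 10
MAX_FAILED_ATTEMPTS = 5           # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60


class LoginThrottle:
    def __init__(self, now: Callable[[], float]) -> None:
        self.now = now                                                # clock, in seconds
        self._requests: Dict[str, Deque[float]] = defaultdict(deque)  # per source
        self._failures: Dict[str, int] = defaultdict(int)             # per account
        self._locked_until: Dict[str, float] = {}                     # per account

    def _rate_limited(self, source: str) -> bool:
        """Sliding window: evict timestamps older than the window, then count.
        A rejected request does not consume a slot."""
        q = self._requests[source]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= MAX_REQUESTS_PER_WINDOW:
            return True
        q.append(self.now())
        return False

    def _locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.now() >= until:
            del self._locked_until[account]     # lockout expired: start clean
            self._failures[account] = 0
            return False
        return True

    def attempt(self, source: str, account: str, password_ok: bool) -> str:
        """Outcome: 'rate_limited', 'locked', 'failed' or 'ok'.
        The rate limit is checked first: it is the cheapest check and applies
        regardless of which account the request names."""
        if self._rate_limited(source):
            return "rate_limited"
        if self._locked(account):
            return "locked"
        if not password_ok:
            self._failures[account] += 1
            if self._failures[account] >= MAX_FAILED_ATTEMPTS:
                self._locked_until[account] = self.now() + LOCKOUT_SECONDS
                return "locked"
            return "failed"
        self._failures[account] = 0             # success resets the counter
        return "ok"


def demo() -> Dict[str, List[str]]:
    """Constructed scenario on a fake clock; returns the outcome sequences."""
    clock = {"t": 0.0}
    throttle = LoginThrottle(now=lambda: clock["t"])

    lockout: List[str] = []
    for _ in range(MAX_FAILED_ATTEMPTS):        # 4 x 'failed', then 'locked'
        lockout.append(throttle.attempt("198.51.100.7", "alice", password_ok=False))
        clock["t"] += 1
    lockout.append(throttle.attempt("198.51.100.7", "alice", password_ok=True))  # still locked
    clock["t"] += LOCKOUT_SECONDS + 1
    lockout.append(throttle.attempt("198.51.100.7", "alice", password_ok=True))  # 'ok'

    rate: List[str] = []
    for _ in range(MAX_REQUESTS_PER_WINDOW + 1):  # 10 x 'ok', then 'rate_limited'
        rate.append(throttle.attempt("203.0.113.9", "bob", password_ok=True))
    clock["t"] += WINDOW_SECONDS + 1               # window slides past
    rate.append(throttle.attempt("203.0.113.9", "bob", password_ok=True))       # 'ok'
    return {"lockout": lockout, "rate_limit": rate}


if __name__ == "__main__":
    print(demo())
```

If the service runs on more than one instance, both counters belong in a shared store (for example the Redis instance listed in Annex A) rather than in process memory; otherwise each instance enforces its own, weaker, limit. The distinct `locked` and `failed` outcomes are for internal logging; the response returned to the client should be identical in body and timing for both, so that the lockout cannot be used to confirm which accounts exist.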
3.4 Sub-processors
Current sub-processors are listed in Annex A. Processor may engage additional sub-processors with 30 days' written notice (email to the address on Controller's account).
Controller may object to new sub-processors within 14 days of notice. If the objection is not resolved within 30 days, Controller may terminate the affected services without penalty.
Processor shall:
- Impose equivalent data protection obligations on all sub-processors
- Remain liable for sub-processor compliance
- Maintain a current list of sub-processors at [kosmatic.com/subprocessors]
3.5 Data Subject Rights
Processor shall assist Controller in responding to Data Subject requests:
| Request Type | Processor Assistance | Timeline |
|--------------|----------------------|----------|
| Access | Export data in machine-readable format (JSON/CSV) | Within 5 business days |
| Rectification | Update data as directed by Controller | Within 5 business days |
| Erasure | Delete all Personal Data and derived data (archetypes, CLV scores, segment membership) | Within 30 days |
| Restriction | Suspend processing as directed; exclude from AI Workflows and audience syncs | Within 5 business days |
| Portability | Provide data in JSON or CSV format | Within 5 business days |
| Objection | Cease processing as directed; remove from automated profiling | Within 5 business days |
| Objection to Profiling | Exclude Data Subject from archetype classification, CLV prediction, playbook targeting, and A/B tests | Within 5 business days |
| Automated Decision Review | Provide explanation of automated decision logic and facilitate human review by Controller | Within 10 business days |
3.6 Security Incidents
In case of a Security Incident:
- Notify Controller within 24 hours of discovery (via email and dashboard notification)
- Provide details of: nature of incident, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed
- Cooperate with Controller's breach notification obligations under applicable law
- Document incident and remediation in writing
- Provide follow-up reports as new information becomes available
3.7 Data Protection Impact Assessment
Processor shall provide reasonable assistance for Data Protection Impact Assessments (DPIAs) related to the Service. Given that the Service involves:
- Systematic profiling of individuals (archetype classification)
- Automated decision-making (CLV prediction, playbook recommendation)
- Large-scale processing of behavioral data
Controller is advised that a DPIA is likely required under GDPR Article 35(3). Processor will provide:
- Documentation of all processing activities
- Technical descriptions of automated decision-making logic
- Data flow diagrams
- Details of security measures and safeguards
3.8 Audits
Controller may audit Processor's compliance once annually with 30 days' notice. Audits shall be conducted during business hours and not unreasonably disrupt operations.
Audit alternatives: Processor will make available its most recent SOC 2 Type II report (when available), penetration test summary, and written responses to Controller's security questionnaire. If these are sufficient, on-site audit is not required.
Audit costs: If Controller requires an on-site audit after reviewing available documentation, Controller shall bear all reasonable travel and facility costs. Processor bears its own personnel costs.
Processor shall provide access to relevant documentation, systems (in read-only mode), and personnel.
4. Obligations of Controller
Controller shall:
- Ensure lawful basis for processing exists for each tier of data collection
- Provide accurate privacy notices to Data Subjects that disclose the use of automated profiling, behavioral classification, and CLV prediction
- Obtain valid consent for Tier 3 (Identified) data collection
- Honor Data Subject requests promptly, including requests to opt out of profiling
- Not provide special category data without explicit written authorization
- Ensure instructions to Processor comply with Applicable Laws
- Conduct a DPIA where required by GDPR Article 35
- Ensure that AI Workflows, playbook configurations, and audience syncs comply with applicable laws
- Ensure that audience segments synced to advertising platforms do not result in discriminatory targeting
- Review AI action logs and workflow outputs regularly
5. Automated Processing and Profiling
5.1 Types of Automated Processing
Processor performs the following automated processing on behalf of Controller:
| Process | Input Data | Output | Retention of Output |
|---------|-----------|--------|---------------------|
| Archetype Classification | Behavioral signals (Tier 1+2) | Archetype label + confidence score | Until visitor deletion |
| CLV Prediction | Purchase history, visit frequency, archetype | CLV estimate + survival probability | Until visitor deletion |
| Purchase Probability | Visit patterns, archetype, CLV parameters | Daily probability score, peak window | Recalculated per request |
| Segment Assignment | Any data per Merchant-defined rules | Segment membership | Until segment deleted or visitor removed |
| A/B Test Assignment | Visitor ID (hashed) | Variant assignment | Duration of test |
| Playbook Recommendation | Archetype, segment, CLV, engagement history | Suggested intervention strategy | Until visitor deletion |
5.2 Processor's Obligations for Automated Processing
Processor shall:
- Provide Controller with meaningful information about the logic involved in automated processing upon request
- Facilitate Controller's obligation to inform Data Subjects about automated processing (GDPR Art. 13(2)(f), 14(2)(g))
- Support Controller in implementing the right to object to profiling (GDPR Art. 21)
- Enable Controller to exclude individual Data Subjects from automated profiling upon request
- Log all automated processing actions (AI Workflows, playbook executions) with timestamps and parameters
- Not use automated processing outputs for purposes beyond those instructed by Controller
5.3 Controller's Obligations for Automated Processing
Controller shall:
- Assess whether automated processing constitutes solely automated decision-making with legal or significant effects under GDPR Article 22
- Implement appropriate safeguards including the right to obtain human intervention, express a point of view, and contest the decision
- Provide meaningful information to Data Subjects about automated processing in its privacy notice
- Monitor automated outputs for bias or discriminatory impact
6. Data Transfers
6.1 Transfer Locations
Personal Data may be transferred to:
- Canada (Processor's location — Vancouver, British Columbia)
- United States (hosting infrastructure — Render; sub-processors — see Annex A)
6.2 Transfer Mechanisms
| Data Origin | Destination | Mechanism |
|-------------|-------------|-----------|
| EEA | Canada | EU adequacy decision for Canada (Decision 2002/2/EC, per GDPR Art. 45; limited to recipients subject to PIPEDA) |
| EEA | USA | Standard Contractual Clauses (SCCs), Module Two (Controller to Processor) |
| UK | Canada | UK adequacy regulations |
| UK | USA | UK International Data Transfer Addendum (IDTA) to the SCCs |
| Switzerland | USA | Swiss-specific SCC addendum |
| Brazil | USA/Canada | SCCs + supplementary measures per LGPD Art. 33 |
6.3 Standard Contractual Clauses
The EU Commission's Standard Contractual Clauses (Decision 2021/914) are incorporated by reference:
- Module Two (Controller to Processor) — for transfers from Controller in EEA to Processor's infrastructure in USA
- Annex I (parties, processing details): As described in this DPA Sections 2 and Annex A
- Annex II (security measures): As described in Section 3.3 and Annex B
- Annex III (sub-processors): As listed in Annex A
6.4 Transfer Impact Assessment
Processor has conducted a transfer impact assessment for US-bound data and determined that, considering:
- Encryption at rest and in transit
- Merchant-scoped access controls
- No government access requests received to date
- Limited scope of data (behavioral signals, not content of communications)
the supplementary measures in place provide an essentially equivalent level of protection to that guaranteed within the EEA.
6.5 UK and Swiss Data
For UK data: The UK International Data Transfer Addendum (IDTA) to the SCCs applies. For Swiss data: The relevant Swiss-specific SCC modifications apply, with the FDPIC as the competent supervisory authority.
7. AI-Specific Processing
7.1 AI Workflows
When Controller configures AI Workflows:
- Workflows execute on Processor's infrastructure using Processor's AI capabilities
- Workflow inputs and outputs are Controller's Personal Data, processed per Controller's instructions
- All workflow executions are logged in the AI action log (action type, timestamp, parameters, cost)
- Processor does not use workflow data for its own purposes
- Workflow web fetch requests (to external URLs approved by Controller) are made from Processor's infrastructure; Controller is responsible for the privacy implications of external data retrieval
7.2 MCP API
When Controller grants MCP API access to AI assistants:
- The AI assistant operates within Controller's data scope and permissions
- All MCP actions are logged in the AI action log
- Processor (Kosmatic) does not control or monitor the AI assistant's reasoning or decision-making
- Controller is responsible for the actions of AI assistants authorized via MCP
- Personal Data accessed via MCP is not transmitted to third-party AI model training pipelines
7.3 AI Model Training
- Processor may use aggregate, anonymized data (not linked to individual Data Subjects) to improve platform-wide AI models (archetype classifier, CLV predictor)
- Processor does not use individual-level Personal Data from one Controller to train models applied to another Controller's data
- Controller may opt out of aggregate model training by contacting support@kosmatic.com
8. Data Retention and Deletion
8.1 Retention Periods
| Data Type | Default Retention | Configurable? |
|-----------|-------------------|---------------|
| Anonymous behavioral signals (Tier 1) | 90 days | Yes (via merchant settings) |
| Pseudonymous signals (Tier 2) | 90 days | Yes (via merchant settings) |
| Identified visitor profiles (Tier 3) | 90 days | Yes (via merchant settings) |
| Derived data (archetypes, CLV, scores) | Same as source visitor | Yes (deleted with visitor) |
| Consent records | 90 days from withdrawal | No (legal requirement) |
| AI action logs | 1 year | No (audit trail) |
| Authentication logs | 1 year | No (security) |
| Aggregate analytics | Indefinite | No (anonymized, Art. 89 exemption) |
An automated daily process enforces configured retention periods. Data exceeding the retention period is permanently deleted.
8.2 Return and Deletion
Upon termination of the Agreement:
- Controller may export data within 30 days (via dashboard or MCP API, in JSON/CSV format)
- Processor shall delete all Personal Data within 90 days of termination
- Processor may retain anonymized aggregate data (not linked to individuals)
- Processor may retain data as required by law (with written notice to Controller of the legal basis)
- AI Workflows are disabled immediately; workflow configurations are deleted with account data
8.3 Certification of Deletion
Processor shall provide written certification of deletion upon Controller's request, within 30 days of completing deletion.
8.4 Individual Erasure
When Controller requests erasure of a specific Data Subject:
- All personally identifiable data is deleted from the visitors2 table and all related tables
- Derived data (archetype, CLV, scores, segment membership) is deleted
- The Data Subject is removed from all active audience syncs
- Consent records are retained for the legally required period
- Anonymized aggregate statistics are retained (not linked to the individual)
- Deletion is completed within 30 days
9. CCPA/CPRA Specific Provisions
For California residents:
- Processor acts as a "Service Provider" under CCPA/CPRA
- Personal Data is not "sold" (as defined by CCPA)
- Personal Data may be "shared" for cross-context behavioral advertising when Controller enables audience sync to Meta or Google — Controller is responsible for providing opt-out mechanisms
- Processor does not retain, use, or disclose Personal Data outside the direct business relationship with Controller
- Processor certifies understanding of CCPA/CPRA restrictions and will not combine Personal Data received from Controller with data from other sources except as permitted
- Processor will comply with Controller's instructions regarding consumer opt-out requests, including the Global Privacy Control (GPC) signal
10. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service, except:
- Processor's liability for GDPR violations (including failure to comply with automated decision-making obligations) shall not exceed the greater of:
  - Amounts paid under the Agreement in the 12 months preceding the claim, or
  - The applicable GDPR fine ceiling (Art. 83)
- This Section does not limit liability for willful breach, gross negligence, or fraud
11. Term and Termination
This DPA:
- Commences on the Effective Date
- Continues until termination of the Agreement
- Survives termination for data deletion and return obligations (Section 8)
- Confidentiality obligations survive for 5 years after termination
12. General Provisions
12.1 Governing Law
This DPA is governed by the laws of British Columbia, Canada. For Data Subjects in the EEA, the mandatory provisions of GDPR and applicable member state law prevail where they conflict.
12.2 Conflicts
In case of conflict between this DPA and the Terms of Service, this DPA prevails for data protection matters.
12.3 Amendments
Amendments must be in writing and signed by both parties. Processor may update Annex A (sub-processors) with 30 days' notice as described in Section 3.4.
12.4 Severability
If any provision is invalid, the remainder continues in effect.
Annex A: Sub-processors
| Sub-processor | Service | Location | Data Types Processed |
|---------------|---------|----------|---------------------|
| Render | Cloud hosting (compute + storage) | USA | All data |
| PostgreSQL (via Render) | Relational database | USA | All persistent data |
| Redis (via Render) | In-memory caching | USA | Ephemeral session data, fingerprints (24h TTL) |
| Shopify | E-commerce platform integration | USA/Canada | Store data, order history, customer data |
| Klaviyo | Email marketing automation | USA | Email, archetype, segment, CLV, playbook |
| HubSpot | CRM integration | USA | Email, archetype, segment, CLV, engagement data |
| Meta (Facebook) | Advertising (Conversions API) | USA | Hashed email, hashed phone, conversion events |
| Google | Analytics (GA4), Authentication (OAuth), Advertising (Google Ads) | USA | Anonymized usage data, OAuth profiles, hashed identifiers |
| Slack | Merchant notifications | USA | High-intent visitor alerts (archetype, score, sent to Merchant's Slack) |
| Anthropic | AI processing (Claude via MCP) | USA | Merchant-scoped analytics queries (no PII sent to model training) |
Last updated: March 23, 2026
Annex B: Technical and Organizational Security Measures
| Category | Measure | Detail |
|----------|---------|--------|
| Encryption at Rest | AES-256 | Database and backup encryption |
| Encryption in Transit | TLS 1.3 | All API and web traffic |
| Password Security | Argon2id | m=65536 KiB (64 MiB), t=3, p=4; the RFC 9106 second recommended parameter set, above the OWASP minimums |
| Session Security | JWT + httpOnly cookies | 15-min access token, 7-day refresh token |
| Account Protection | Lockout policy | 5 failed attempts → 15-minute lockout |
| Rate Limiting | Per-endpoint limits | 10 req/15 min on login; API rate limited |
| Access Control | RBAC + tenant isolation | Merchant-scoped data; role-based dashboard access |
| Data Minimization | Three-tier consent model | Anonymous/Pseudonymous/Identified tiers |
| Retention Enforcement | Automated daily cron | Deletes data exceeding configured retention |
| Audit Logging | AI action log | All MCP, workflow, and automated actions logged |
| Fingerprint Privacy | Memory-only, 24h TTL | No device storage; SHA-256 hashing; expires automatically |
| Incident Response | 24-hour notification | Written procedures for breach detection, containment, notification |
| Penetration Testing | Quarterly | External security assessment |
| Security Training | Annual | All personnel with data access |
Detailed security specifications available upon request at support@kosmatic.com.
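The Fingerprint Privacy and Retention Enforcement rows above, together with Section 2.4 (Tier 2, ephemeral fingerprint with 24h TTL) and Section 8.1 (daily retention sweep), describe one mechanism: a memory-only SHA-256 fingerprint that links a visitor's Tier 2 signals for at most 24 hours, and a daily job that removes expired fingerprints and any records older than the configured retention period. The following is an added illustration of that mechanism, not Kosmatic's implementation. Its assumptions are: the set of client attributes that is hashed; a random per-day server-side key, so the fingerprint is a keyed SHA-256 (HMAC) that cannot be recomputed from the attributes alone and becomes unlinkable once the key is discarded; in-memory stores; and a fake clock so the run is deterministic.

```python
"""Ephemeral pseudonymous fingerprints (Section 2.4 Tier 2, Annex B) and the
daily retention sweep (Section 8.1).

Added illustration, not Kosmatic's code. Assumptions made so it runs offline:
the set of client attributes hashed, a per-day random server-side key (so the
SHA-256 fingerprint cannot be recomputed from the attributes alone and becomes
unlinkable once the key is discarded), in-memory stores, and a fake clock.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

DAY = 86_400
FINGERPRINT_TTL = 24 * 3600       # Tier 2 fingerprint lifetime (Annex B)


class Tier2Store:
    def __init__(self, now: Callable[[], float], retention_days: int = 90) -> None:
        self.now = now
        self.retention_days = retention_days          # merchant-configurable, 90-day default
        self._day_keys: Dict[int, bytes] = {}         # day index -> random key (memory only)
        self._sessions: Dict[str, float] = {}         # fingerprint -> expiry time
        self._signals: List[dict] = []                # Tier 2 records keyed by fingerprint

    def _key(self, day: int) -> bytes:
        return self._day_keys.setdefault(day, secrets.token_bytes(32))

    def fingerprint(self, attrs: Dict[str, str]) -> str:
        """Keyed SHA-256 over canonicalised client attributes, using today's key."""
        day = int(self.now() // DAY)
        canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()
        return hmac.new(self._key(day), canonical, hashlib.sha256).hexdigest()

    def record(self, attrs: Dict[str, str], signal: dict) -> str:
        """Store one behavioural signal against the visitor's current fingerprint."""
        fp = self.fingerprint(attrs)
        if fp not in self._sessions:
            self._sessions[fp] = self.now() + FINGERPRINT_TTL   # hard TTL from first sight
        self._signals.append({"fp": fp, "t": self.now(), **signal})
        return fp

    def sweep(self) -> Dict[str, int]:
        """Daily job: expire fingerprints, discard day keys no live fingerprint
        can still need, and delete Tier 2 records past the retention period."""
        now = self.now()
        expired = [fp for fp, exp in self._sessions.items() if exp <= now]
        for fp in expired:
            del self._sessions[fp]
        today = int(now // DAY)
        # A key from day d only backs fingerprints created on day d, which live
        # at most 24h, so it is dead by the end of day d+1 and can be dropped.
        for day in [d for d in self._day_keys if d < today - 1]:
            del self._day_keys[day]
        cutoff = now - self.retention_days * DAY
        before = len(self._signals)
        self._signals = [s for s in self._signals if s["t"] > cutoff]
        return {"fingerprints_expired": len(expired),
                "signals_deleted": before - len(self._signals)}


def demo() -> dict:
    """Constructed visitor on a fake clock; returns the observable results."""
    clock = {"t": 10.0 * DAY}
    store = Tier2Store(now=lambda: clock["t"], retention_days=90)
    attrs = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "lang": "en-CA", "viewport": "1440x900"}

    fp1 = store.record(attrs, {"event": "scroll_depth", "value": 0.6})
    clock["t"] += 3600
    fp2 = store.record(attrs, {"event": "product_hover", "sku": "sku-123", "ms": 1800})
    clock["t"] += 23 * 3600 + 1                 # first fingerprint's TTL passes
    first_sweep = store.sweep()
    fp3 = store.record(attrs, {"event": "scroll_depth", "value": 0.2})   # next-day visit
    clock["t"] += 91 * DAY                      # beyond the 90-day retention period
    second_sweep = store.sweep()
    return {
        "fingerprint_is_hex_sha256": len(fp1) == 64 and all(c in "0123456789abcdef" for c in fp1),
        "same_day_fingerprint_reused": fp1 == fp2,
        "next_day_fingerprint_differs": fp3 != fp1,
        "first_sweep": first_sweep,
        "second_sweep": second_sweep,
        "keys_remaining": len(store._day_keys),
        "signals_remaining": len(store._signals),
    }


if __name__ == "__main__":
    print(demo())
```

Two consequences of this design are worth noting. Once a day key is discarded, the Tier 2 records still within their 90-day retention window carry a fingerprint that nobody can regenerate from device attributes, so they are no longer attributable to a device. A visitor active across the key rotation receives a second fingerprint; if continuity across midnight matters, the store can try yesterday's key as well as today's on lookup, at the cost of up to 48 hours of linkability.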
Signatures
Kosmatic Solutions Inc.
By: _________________________ Name: _________________________ Title: _________________________ Date: _________________________
Address: Vancouver, British Columbia, Canada
Customer
By: _________________________ Name: _________________________ Title: _________________________ Date: _________________________
END OF DATA PROCESSING AGREEMENT