Sub-Processor List
Effective Date: May 12, 2026
Last Updated: May 16, 2026
Kosmatic Solutions Inc. ("Kosmatic," "we") engages third-party service providers ("Sub-Processors") to assist in providing the Auraflow service. This page lists every Sub-Processor that may Process Personal Data on our behalf, the purpose of Processing, the data categories involved, the Sub-Processor's location, and the transfer mechanism in place for cross-border data flows.
We commit to:
- Keeping this list current at all times
- Providing at least 30 days' notice before adding or replacing a Sub-Processor, where required by our Data Processing Agreement
- Imposing data protection obligations on every Sub-Processor by written contract that are at least as protective as those in our DPA
- Remaining liable to Customers for the acts and omissions of our Sub-Processors
Customers may object to a new Sub-Processor by emailing support@kosmatic.com within 30 days of notification. If we cannot accommodate the objection, the Customer may terminate the affected Service.
1. Infrastructure Sub-Processors
These providers run the technical infrastructure of the Auraflow service. They have access to all Personal Data we Process, in encrypted form at rest and in transit.
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Render Services, Inc. | Application hosting, container orchestration, PostgreSQL database hosting, Redis caching | All Customer Data and End User Data (encrypted) | United States (us-west, us-east) | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
| Cloudinary Ltd. | Image and asset CDN (logos, email templates, dashboard assets) | Static assets only — no Personal Data | United States, Israel, European Union (multi-region) | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | DNS, edge caching, DDoS protection for kosmatic.com | IP addresses, request metadata, no payload-level Personal Data | Global edge network (300+ cities) | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
2. Communication Sub-Processors
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| ActiveCampaign LLC (Postmark) | Transactional email delivery (OTP, password reset, workflow reports, account notifications) | Recipient email address, subject line, email body content | United States | Standard Contractual Clauses (SCCs) |
3. Authentication Sub-Processors
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Google LLC | Google OAuth (Sign in with Google) for Customer accounts | Email, name, Google account ID (sub claim) — used solely for authentication | United States | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
| Shopify Inc. | Shopify OAuth for app installation, Admin GraphQL API access | Shop domain, access token, shop owner email, store metadata, order data (read-only) | Canada, United States | Adequacy Decision (Canada), Standard Contractual Clauses (SCCs) |
4. Payment Sub-Processors
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Shopify Inc. | App subscription billing for Shopify-installed merchants (via Shopify Billing API) | Subscription identifiers, billing status — no payment card data ever reaches Kosmatic | Canada, United States | Adequacy Decision (Canada), Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | Direct subscription billing for non-Shopify customers (where applicable) | Customer email, subscription identifier, billing status — Stripe receives card data directly via Stripe Elements; Kosmatic never sees raw card numbers | United States, Ireland | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
5. AI / Model Inference Sub-Processors
AI providers process workflow prompts, dashboard chat queries, and generated content. We support a Bring-Your-Own-Key (BYOK) model: Customers connect their own AI provider account, meaning AI calls are made directly between the Customer and the AI provider on the Customer's bill, with Kosmatic acting only as a request router. Where Kosmatic performs AI calls on the Customer's behalf (e.g., default storefront personalization), the provider below applies.
| Provider | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Anthropic, PBC (Claude) | LLM inference for AI workflows, dashboard chat, MCP tool calls | Workflow prompts, structured tool outputs, Customer-scoped analytics summaries. End User PII is scrubbed before transmission. No data sent to Anthropic is used for training. | United States | Standard Contractual Clauses (SCCs), Anthropic's Data Processing Addendum |
| OpenAI, L.L.C. | LLM inference (only when Customer selects OpenAI as their provider) | Same as Anthropic | United States | Standard Contractual Clauses (SCCs), OpenAI's Data Processing Addendum |
| Google LLC (Gemini API) | LLM inference (only when Customer selects Gemini as their provider) | Same as Anthropic | United States, European Union (region-pinned per request) | EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) |
| Moonshot AI Co., Ltd. (Kimi) | LLM inference (only when Customer selects Kimi as their provider) | Same as Anthropic | Singapore (primary), global edge | Standard Contractual Clauses (SCCs), Moonshot's Data Processing Addendum |
6. Customer-Controlled Integrations
The following are Customer-controlled integrations. When a Customer connects one of these platforms, data flows from Auraflow to that platform under the Customer's own contractual relationship with the provider. Kosmatic is not the "controller" for these transfers — the Customer is. We list them here for transparency.
| Provider | Purpose | Data Categories | Customer's Relationship |
|---|---|---|---|
| Klaviyo, Inc. | Email marketing automation, segment sync, profile property updates | Email, archetype, CLV tier, favourite product, discount code | Customer connects their own Klaviyo account via OAuth. Kosmatic forwards Customer-authorized data only. |
| HubSpot, Inc. | CRM contacts, lists, deals, timeline events, workflow enrollment | Email, archetype, CLV tier, favourite product, engagement properties | Customer connects their own HubSpot account via OAuth. |
| Meta Platforms, Inc. | Conversions API for advertising optimization | Hashed emails (SHA-256), conversion events — server-side only, no raw behavioral data | Customer connects their own Meta business account. |
| Google LLC (Google Analytics 4) | Custom dimension registration, audience definitions | Anonymized visitor metadata, classification dimensions | Customer connects their own GA4 property. |
| Slack Technologies, LLC | High-intent visitor alerts | Archetype, confidence score, anonymized visitor identifiers | Customer provides their own Slack webhook URL. |
7. Sub-Processors Not Used
For clarity, Kosmatic does not engage the following categories of Sub-Processors:
- Advertising networks for retargeting or audience-building based on Customer or End User data
- Data brokers for enrichment, append, or resale of Personal Data
- Tracking pixels for cross-site behavioral profiling outside the Customer's own storefront
- Training data providers — no End User or Customer data is sold, shared, or contributed to AI model training datasets
8. International Transfers and Safeguards
Personal Data Processed by Sub-Processors may be transferred outside the European Economic Area, United Kingdom, Canada, or other jurisdictions where End Users reside. Where such transfers occur, we rely on one or more of the following lawful transfer mechanisms:
- EU-US Data Privacy Framework (DPF) — for transfers to Sub-Processors certified under the Framework
- Standard Contractual Clauses (SCCs) — module-appropriate clauses adopted by the European Commission (2021/914)
- UK International Data Transfer Addendum (IDTA) — for transfers from the United Kingdom
- Adequacy Decisions — where the destination country has been deemed adequate by the European Commission (e.g., Canada — commercial sector)
We have completed Transfer Impact Assessments (TIAs) for each transfer route and apply supplementary measures (encryption in transit and at rest, access controls, audit logging) consistent with the European Data Protection Board's recommendations.
9. Audit Rights
Customers operating under our standard DPA have rights to:
- Request a summary of the most recent Sub-Processor audit reports (SOC 2, ISO 27001) where available
- Conduct or commission a Customer-paid audit of Kosmatic's compliance with the DPA, subject to reasonable notice and confidentiality
- Receive prompt notification of any Personal Data Breach involving a Sub-Processor that affects the Customer
Audit requests should be directed to support@kosmatic.com.
10. Updates to This List
This list is updated whenever a Sub-Processor is added, removed, or replaced. Material changes are notified to Customers by email and/or in-product banner at least 30 days in advance, except where:
- The Sub-Processor change is required by law
- The change is necessary to prevent a material risk to data security
- The Sub-Processor is being removed (in which case immediate notice is given)
To subscribe to Sub-Processor change notifications, email support@kosmatic.com with subject line "Sub-Processor Notifications."
Contact: Kosmatic Solutions Inc.
Email: support@kosmatic.com
Address: Vancouver, British Columbia, Canada