Data Processing Agreement

Piixoo – Data Processing Agreement

Effective date: September 14, 2025 • Replaces all prior versions

This Data Processing Agreement (the “DPA”) forms part of the Terms of Service between 11 Technology Group d/b/a Piixoo (“Processor”, “we”, “us”) and the customer entity that uses the Services (“Controller”, “you”). Capitalized terms not defined here have the meanings in the Terms of Service.

Scope. This DPA governs Piixoo’s processing of Personal Data on behalf of Controller in connection with Piixoo’s email automation services (sending, routing, analytics, suppressions, API/webhooks). Piixoo operates on third‑party cloud infrastructure and will maintain compliance with applicable acceptable‑use, deliverability, and security requirements. No provider names are disclosed in this DPA.

1) Definitions

“Applicable Data Protection Laws” means all laws and regulations relating to privacy and data protection applicable to the processing under this DPA, including GDPR/UK GDPR, CCPA/CPRA (to the extent applicable), and e‑privacy rules. “Personal Data” means information relating to an identified or identifiable natural person. “Processing” has the meaning set out in Applicable Data Protection Laws. “Subprocessor” means any third party engaged by Piixoo to process Personal Data.

2) Roles; Processing Instructions

  • Controller is the controller of Personal Data uploaded to the Services. Piixoo acts as a processor and shall process Personal Data only on documented instructions from Controller, including as necessary to provide and improve the Services and to comply with law.
  • Controller is responsible for the lawfulness of Personal Data and for obtaining all necessary consents and notices. Controller will not instruct Piixoo to process data in violation of law.
  • If Piixoo is required by law to process Personal Data beyond Controller’s instructions, Piixoo will inform Controller (unless legally prohibited).

3) Nature, Purpose, Types, and Duration of Processing

  • Nature & Operations: Collection, storage, organization, transmission, routing, analysis of delivery events (bounces, complaints, opens/clicks), suppression management, and deletion.
  • Purpose: Provide the Services; ensure deliverability and abuse prevention; security and incident response; support; billing and audit.
  • Categories of Data: Contact data (name, email, organization, role), message metadata and content, suppression flags, events (send/deliver/open/click/unsubscribe/bounce/complaint), technical identifiers (IP, user agent, timestamps, domain auth status).
  • Categories of Data Subjects: Controller’s users and recipients of messages sent via the Services; website visitors (for analytics).
  • Duration: For the Subscription Term and retention periods described in the Terms, Privacy Policy, and this DPA; limited telemetry/backups may persist for security and compliance.

4) Security Measures

  • Access control (least privilege, MFA for administrative access, role‑based permissions), network segmentation, and encryption in transit; encryption at rest where supported.
  • Secure development practices, vulnerability management, logging and monitoring, incident response runbooks, and employee confidentiality commitments.
  • Periodic reviews of deliverability and abuse signals; automated safeguards (rate limiting, warm‑up, suppression enforcement) to protect recipients and provider networks.

5) Confidentiality

Piixoo ensures that persons authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training regarding data protection and abuse prevention.

6) Subprocessors

  • Controller authorizes Piixoo to engage Subprocessors to support the Services. Piixoo will impose data protection obligations on Subprocessors substantially similar to those in this DPA and remains responsible for their performance.
  • Upon request, Piixoo will provide a current list of Subprocessors. Controller may subscribe to updates where available.
  • Piixoo may use third‑party cloud infrastructure providers. Processing must comply with applicable third‑party acceptable use policies and service terms.

7) International Transfers

  • Piixoo may transfer Personal Data internationally where Subprocessors operate. Where required, Piixoo will implement appropriate safeguards such as the EU Commission’s Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum, with supplementary measures as appropriate.
  • Where Customer is subject to data localization rules, the parties will cooperate in good faith on appropriate technical and organizational measures to comply.

8) Data Subject Requests

Taking into account the nature of the processing, Piixoo will provide reasonable assistance to Controller, by appropriate technical and organizational measures, for fulfilling Controller’s obligations to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability, objection) under Applicable Data Protection Laws. Piixoo will promptly forward requests it receives directly from data subjects to Controller, unless legally prohibited.

9) Incident Management & Breach Notification

  • Piixoo will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Personal Data. The notification will include information reasonably available to Piixoo at the time and will be supplemented as more information becomes available.
  • Piixoo will take appropriate remedial actions and cooperate with Controller to investigate and mitigate the breach, including providing relevant logs and summaries where appropriate.

10) Audit & Compliance Assistance

  • Upon reasonable written request, and no more than once annually unless required by a competent authority or following a material incident, Piixoo will make available information necessary to demonstrate compliance with this DPA (e.g., security summaries, policy excerpts, third‑party attestations where available).
  • Where on‑site or third‑party audits are required by law, the parties will agree on scope, timing, and confidentiality; audits shall minimize disruption and protect other customers’ data.

11) Return or Deletion of Data

  • Upon termination or expiry of the Services, Piixoo will delete or return Personal Data per Controller’s instructions and within a commercially reasonable period, unless retention is required by law or legitimate business purposes (e.g., security logs, billing records). Suppression lists may be retained as necessary to prevent re‑mailing.

12) Assistance with DPIAs & Consultations

Piixoo will provide reasonable assistance to Controller with data protection impact assessments and prior consultations with supervisory authorities to the extent required by law and limited to the processing of Personal Data by Piixoo.

13) Liability; Conflict; Order of Precedence

  • Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except to the extent such limitations are prohibited by Applicable Data Protection Laws.
  • In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the subject matter herein.

14) Governing Law; Jurisdiction

Unless otherwise required by Applicable Data Protection Laws, this DPA is governed by the laws of the State of California, United States, and the parties submit to the exclusive jurisdiction of the state and federal courts located in San Francisco, California.


Annex 1 – Technical & Organizational Security Measures

  • Access Management: role‑based access, MFA for privileged accounts, regular access reviews, secure key management.
  • Data Security: TLS in transit; encryption at rest where supported; message content scoping; suppression list protection; data minimization and retention controls.
  • Application Security: secure SDLC, code review, dependency scanning, periodic penetration testing by qualified third parties.
  • Operational Security: monitoring and alerting, rate limiting, warm‑up enforcement, anomaly detection for bounces/complaints/spam‑traps.
  • Business Continuity: backups, redundancy, disaster recovery testing for critical components.
  • Vendor Management: subprocessor due diligence, contractual safeguards, continuous evaluation.
  • Incident Response: defined runbooks; breach notification workflows; customer communications protocols.
  • Personnel: background checks where permitted; confidentiality agreements; security and privacy training.

Annex 2 – Subprocessors

Upon request, Piixoo will provide a current list of Subprocessors used to deliver the Services. Controller may subscribe to updates where available.


Piixoo by 11 Technology Group

548 Market Street, Suite 34567

San Francisco, CA 94104

United States

Email: compliance@piixoo.com
Website: https://www.piixoo.com