Legal

Data processing addendum

Data processing terms for customers subject to GDPR, CCPA, and other privacy regulations.

Document status

Last updated 2026.

These pages are here for review, procurement, and internal approvals. For questions, contact legal@incenify.com.

01

1. Definitions

This Data Processing Addendum ("DPA") supplements the Master Service Agreement ("MSA") between Incenify LLC ("Incenify") and Customer. Capitalized terms not defined in this DPA have the meanings in the MSA.

"Applicable Data Protection Law" means any privacy or data protection law applicable to the Processing of Personal Data under the Agreement, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the California Consumer Privacy Act of 2018, as amended ("CCPA"), in each case only to the extent applicable.

"Personal Data" means personal data, personal information, or similar information relating to an identified or identifiable individual that Incenify Processes on behalf of Customer. "Data Subject" means the individual to whom Personal Data relates. "Processing" and "Process" have the meanings assigned under Applicable Data Protection Law. "Controller," "Processor," "Business," "Service Provider," "Contractor," and "Supervisory Authority" have the meanings assigned under Applicable Data Protection Law.

02

2. Roles, scope, and precedence

Customer is the Controller or Business, and Incenify is the Processor, Service Provider, or Contractor, as applicable, with respect to Personal Data submitted to the Services. This DPA applies only to Personal Data Processed by Incenify on Customer's behalf in connection with the Services. The subject matter, duration, nature, and purpose of Processing, types of Personal Data, and categories of Data Subjects are described in Exhibit A.

If this DPA conflicts with the MSA regarding the Processing of Personal Data, this DPA controls solely with respect to that conflict.

03

3. Processing instructions and restrictions

Incenify will Process Personal Data only: (a) to provide the Services as described in the MSA and applicable SOW; (b) in accordance with additional documented instructions provided by Customer and accepted by Incenify; and (c) as necessary to comply with applicable law. If Incenify believes an instruction violates Applicable Data Protection Law, Incenify will inform Customer unless prohibited by law. Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Law.

Where the CCPA applies, Incenify will Process Personal Data only for the limited and specified business purposes described in the Agreement and Exhibit A. Incenify will not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data for a purpose other than those limited and specified business purposes or as otherwise permitted by the CCPA; (iii) retain, use, or disclose Personal Data outside the direct business relationship between Incenify and Customer, except as permitted by the CCPA; or (iv) combine Personal Data with personal information received from another source or collected from Incenify's own interaction with an individual, except as permitted by the CCPA.

Incenify will provide the level of privacy protection required of service providers and contractors under the CCPA and will notify Customer if Incenify determines that it can no longer meet its applicable obligations. Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.

04

4. Confidentiality of personnel

Incenify will ensure that persons authorized to Process Personal Data are subject to confidentiality obligations and have access only as necessary to perform their responsibilities.

05

5. Security measures

Incenify will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature, scope, context, and purposes of the Processing and the risks to individuals.

Such measures include encryption of Personal Data in transit and at rest, authentication and role-based access controls, and restricted access to production systems, as applicable to the Services. Incenify may update its measures from time to time, provided the overall level of protection is not materially reduced.

06

6. Subprocessors

Customer authorizes Incenify to engage subprocessors to Process Personal Data. Incenify will: (a) maintain a current list at incenify.com/security/subprocessors; (b) provide at least thirty (30) days' notice of a new or replacement subprocessor; (c) impose data protection obligations on each subprocessor appropriate to the services it performs; and (d) remain responsible for the subprocessor's performance of its data protection obligations to the extent required by Applicable Data Protection Law.

Customer may object to a new subprocessor on reasonable data protection grounds by notifying legal@incenify.com within fifteen (15) days after notice. The parties will work in good faith to resolve the objection. If they cannot resolve it, Customer may terminate only the affected Services and receive a pro-rata refund of prepaid fees for the terminated portion.

07

7. Data Subject rights

Taking into account the nature of the Processing and to the extent required by Applicable Data Protection Law, Incenify will provide reasonable assistance to Customer in responding to requests from Data Subjects. If Incenify receives a Data Subject request directly concerning Personal Data Processed on Customer's behalf, Incenify will promptly forward it to Customer unless legally prohibited. Customer is responsible for responding to the request.

Incenify may charge a reasonable fee for assistance that is materially beyond the functionality of the Services or the assistance required by Applicable Data Protection Law.

08

8. Personal Data breach notification

Incenify will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Personal Data Processed under this DPA. To the extent reasonably available, the notice will describe the nature of the breach, the categories of affected data, the approximate number of affected Data Subjects and records, likely consequences, and measures taken or proposed. Incenify will reasonably cooperate with Customer's investigation and provide information reasonably necessary for Customer to meet applicable legal notification obligations.

Notification will be sent to the security contact specified in the SOW or to another contact designated by Customer.

09

9. Compliance information and legally required reviews

Incenify will make available information reasonably necessary to demonstrate compliance with its obligations under this DPA. The parties will first use written information, available documentation, and remote review to address Customer's reasonable compliance inquiry.

Only to the extent an audit or inspection is expressly required by Applicable Data Protection Law and the information provided by Incenify is not reasonably sufficient, Incenify will allow and contribute to the legally required review. Any such review must: (a) be limited to Personal Data and Processing subject to this DPA; (b) be conducted on at least thirty (30) days' written notice unless a shorter period is required by law, a Supervisory Authority, or a confirmed Personal Data breach; (c) occur no more than once in any twelve-month period unless required by law, a Supervisory Authority, or following a confirmed Personal Data breach; (d) be conducted during normal business hours by Customer personnel with a need to know or an independent reviewer subject to written confidentiality obligations; (e) not access other customers' data, source code, or information that would create a material security risk if disclosed; and (f) not unreasonably interfere with Incenify's operations.

Customer is responsible for its review costs, and Incenify may charge reasonable fees for material assistance, except to the extent prohibited by Applicable Data Protection Law. Nothing in this Section grants Customer a general contractual audit right beyond what Applicable Data Protection Law requires or limits the authority of a competent regulator.

10

10. International transfers

Incenify may Process Personal Data in countries outside the European Economic Area ("EEA"). Where Applicable Data Protection Law requires a transfer mechanism, Incenify will use an appropriate safeguard, including the Standard Contractual Clauses described in Exhibit B, an applicable adequacy decision, or another legally recognized mechanism.

11

11. Data retention and deletion

Incenify will retain Personal Data only as long as necessary to provide the Services or meet legal obligations. Upon termination or expiration of the MSA, Incenify will, at Customer's written request made within thirty (30) days, return or securely delete Personal Data, except to the extent applicable law requires retention. After that thirty-day period, Incenify may delete Personal Data in accordance with its standard retention practices.

Upon reasonable request, Incenify will confirm completion of deletion, subject to data retained in routine backups until overwritten in the ordinary course and data retained as required by law.

12

12. Customer obligations

Customer represents and warrants that: (a) it has provided all necessary notices and obtained all required consents or other legal bases for Incenify to Process Personal Data as contemplated by the Services; (b) its instructions and use of the Services comply with Applicable Data Protection Law; and (c) it has implemented appropriate security measures for its own systems and accounts. Customer will indemnify Incenify against third-party claims arising from Customer's breach of these obligations, subject to the limitations and procedures in the MSA.

13

13. Cooperation and assistance

Upon Customer's reasonable request and at Customer's expense, Incenify will provide reasonable assistance required by Applicable Data Protection Law with: (a) data protection impact assessments; (b) consultations with Supervisory Authorities; (c) Customer's compliance obligations concerning the Processing; and (d) implementation of appropriate technical and organizational measures. Such assistance does not include legal advice.

14

Exhibit A. Processing details

Subject Matter. Provision of the Incenify channel incentive management platform and related services.

Duration. The term of the applicable SOW and any limited period during which Incenify retains Personal Data as permitted by the Agreement or law.

Nature and Purpose. Hosting, organizing, validating, reporting, communicating about, and administering channel incentive programs, including eligibility, activities, claims, rewards, and related support.

Types of Personal Data. As configured by Customer and applicable to the Services: names, postal addresses, email addresses, phone numbers, employer or employment information, program eligibility information, transaction or activity information, submitted materials, support communications, activity logs, IP addresses, and device identifiers. The Services are not intended for Social Security numbers, payment-card information, bank-account information, health information, biometric information, or government identification numbers unless expressly agreed in an SOW.

Categories of Data Subjects. Customer personnel, channel partner personnel, program participants, and other Authorized Users.

15

Exhibit B. Standard Contractual Clauses

For transfers of Personal Data from the EEA to a country that does not benefit from an applicable adequacy decision, the parties incorporate the Standard Contractual Clauses adopted under European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "SCCs").

Module Two (Controller to Processor) applies where Customer is a Controller and Incenify is a Processor. The docking clause applies. For Clause 17, Option 1 applies and the governing law will be the law of the EU Member State in which the data exporter is established. For Clause 18(b), disputes will be resolved by the courts of that EU Member State. Annex I and Annex II information is supplied by this DPA, the applicable SOW, and the parties' contact information. If the SCCs conflict with this DPA, the SCCs control.