
Data Processing Agreement

Last updated: May 7, 2026

Version: v2.0

Previous version: v1 (archived)

Using This DPA

This DPA has 2 parts: (1) the Key Terms on this Cover Page and (2) the Common Paper DPA Standard Terms Version 1 posted at commonpaper.com/standards/data-processing-agreement/1.1 (“DPA Standard Terms”), which is incorporated by reference. If there is any inconsistency between the parts of the DPA, the Cover Page will control over the DPA Standard Terms. Capitalized and highlighted words have the meanings given on the Cover Page. However, if the Cover Page omits or does not define a highlighted word, the default meaning will be “none” or “not applicable” and the correlating clause, sentence, or section does not apply to this Agreement. All other capitalized words have the meanings given in the DPA Standard Terms or the Agreement. A copy of the DPA Standard Terms is attached for convenience only.

Cover Page

Key Terms

The key legal terms of the DPA are as follows:

Term | Details

Agreement

Reference to sales contract will be set when sending agreement

Approved Subprocessors

https://trust.syftdata.com

Provider Security Contact

security@syftdata.com

Security Policy

Security Policy available at:

https://trust.syftdata.com

Provider will maintain annually updated reports or annual certifications of compliance with the following:

SOC 2 Type I

SOC 2 Type II

Penetration Testing

Changes to the Agreement

Service Provider Relationship

To the extent the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement and detailed below (see Nature and Purpose of Processing), which constitutes a limited and specified business purpose. Provider will not sell or share any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph and will comply with all Applicable Data Protection Laws. Provider will notify Customer if it can no longer meet its obligations under the CCPA.

Restricted Transfers

Governing Member State

EEA Transfers: Netherlands

UK Transfers: England and Wales

Annex I(A) List of Parties

Data Exporter

Name: Customer (the entity that accesses or uses the Service)

Activities relevant to transfer: See Annex 1(B)

Role: Controller

Data Importer

Name: the Provider signing this DPA

Contact person: Imran Patel, CEO

Address: 4101 Dublin Blvd Ste F #3123, Dublin, California 94568, USA

Activities relevant to transfer: See Annex 1(B)

Role: Processor

Annex I(B) Description of Transfer and Processing Activities

Service

The Service is:

Syft Data Platform

Categories of Data Subjects

  • Customer's authorized users, employees, and personnel who access or administer the Service.
  • Customer's end users, customers, prospects, leads, and website visitors.
  • Individuals who engage publicly with Customer's content on third-party platforms (for example, individuals who like, comment on, react to, or share Customer's posts on social-media platforms accessible via Customer's authorized integrations).
  • Individuals identified by Provider through Graph Data as exhibiting intent signals relevant to Customer's market across third-party sources, including those who engage with content or properties not owned by Customer.

Categories of Personal Data

Submitted Data

  • Identifiers and contact data: name, business email, personal email (where provided by Customer), LinkedIn profile URL, other social handles.
  • Professional and employment data: job title, seniority, function, employer / company name, company domain, employment history.
  • Online identifiers and device data collected via Provider's tracking technologies on Customer's properties: IP address, approximate geolocation derived from IP, user-agent, cookie and session identifiers, page and event activity.
  • CRM record data: any fields present on Customer's Contact, Lead, Account, or Opportunity records that Customer chooses to upload or sync through the Service.
  • Account and authentication data (for Customer's authorized users): name, email, SSO identifiers, session tokens, role and permission assignments, audit log entries.
  • Billing contact data: name, email, and company. Payment card data is handled directly by Provider's payment processor and is not stored by Provider.

Graph Data

  • Identifications of Customer's anonymous website visitors: name, business email, LinkedIn URL, title, company name, industry, employee count, estimated revenue band, geolocation.
  • Social-media engagement attributes: profile identifiers, engagement events (likes, comments, reactions, shares) on Customer's content, public profile data of engagers.
  • Third-party intent signals: topic engagement signals, content engagement signals, event attendance signals, and similar behavioral indicators derived from third-party data partners, public sources, and intent-signal networks.
  • Firmographic and behavioral aggregates attached to identified individuals or accounts.

Special Category Data

Is special category data (as defined in Article 9 of the GDPR) Processed?

No

Frequency of Transfer

Continuous

Nature and Purpose of Processing

Receiving data, including collection, accessing, retrieval, recording, and data entry

Holding data, including storage, organization, and structuring

Using data, including analysis, consultation, testing, automated decision making, and profiling

Updating data, including correcting, adaption, alteration, alignment, and combination

Protecting data, including restricting, encrypting, and security testing

Sharing data, including disclosure, dissemination, allowing access, or otherwise making available

Returning data to the data exporter or data subject

Erasing data, including destruction and deletion

Duration of Processing

Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.

Annex I(C)

Competent Supervisory Authority

The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.

Annex II

Technical and Organizational Security Measures

See Security Policy

Other Changes to the DPA Standard Terms

Additional modifications or customizations

Add-on Services

Certain optional features ("Add-ons") may be activated by Customer's authorized administrator within the Service. Activation of an Add-on incorporates by reference the corresponding Add-on Addendum, which becomes part of this DPA upon activation. Current Add-on Addendums are published at syftdata.com/dpa/addendums. Customer's authorized administrator's affirmative consent at the point of activation, as recorded in the Service, constitutes Customer's acceptance of the corresponding Add-on Addendum. Customer is solely responsible for ensuring that only authorized administrators activate Add-ons on Customer's behalf.

Graph Data Obligations

Where the Service delivers Graph Data to Customer (as defined in the Service Provider Relationship section of this Cover Page), Customer agrees to:
(a) make all disclosures required by Applicable Data Protection Laws regarding Customer's receipt and use of Graph Data, including, where applicable, posting a "Your Privacy Choices," "Do Not Share or Sell My Personal Information," or substantially equivalent link on Customer's website;
(b) honor opt-out, deletion, and Global Privacy Control signals received by Customer with respect to Graph Data, and, to the extent reasonably practicable, communicate such signals to Provider in a manner consistent with Provider's then-current procedures;
(c) restrict Customer's use of Graph Data to its own business purposes (including marketing to its current and prospective customers and evaluating the effectiveness of its marketing campaigns) and not resell, redistribute, or make Graph Data available to third parties;
(d) not use Graph Data for purposes subject to the Fair Credit Reporting Act, including modeling or determining a consumer's credit worthiness, eligibility for employment, or eligibility for insurance.

Provider and Customer have not changed the DPA Standard Terms except for the details on the Cover Page above. This DPA is accepted and becomes effective as set out below.

Acceptance

By creating an account, accessing, or using the Service, Customer accepts this DPA. The Effective Date is the date Customer first accepts these terms or first uses the Service, whichever is earlier.

Provider: Syft Data, Inc.
Imran Patel, CEO
4101 Dublin Blvd Ste F #3123, Dublin, California 94568, United States of America
privacy@syftdata.com

Customer: The entity that accesses or uses the Service. Customer's authorized administrator's affirmative consent (or first use of the Service) constitutes Customer's acceptance.
