Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Deskmantle, operated by Kurt Navale ("Processor", "we", "us") and the customer using the Service ("Controller", "you"). This DPA applies to the processing of personal data by Deskmantle on your behalf in the course of providing the Service. It is designed to meet the requirements of Article 28 of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws. By using the Service, you enter into this DPA with respect to any personal data you submit to or process through the Service.

"Personal Data" means any information relating to an identified or identifiable natural person that you process through the Service. "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction. "Sub-processor" means any third-party entity engaged by Deskmantle to process personal data on behalf of the Controller. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. "Service" means the Deskmantle platform and all related applications and services.

Deskmantle processes personal data solely on your documented instructions and only for the following purposes: • Providing and operating the Deskmantle platform (CRM, email, communications, AI features, automation, analytics) • Storing and managing your business data, contacts, and communications • Processing AI queries and generating AI-powered outputs on your behalf • Sending transactional communications (email, SMS) as configured by you • Processing payments and managing your subscription • Maintaining security, performing backups, and ensuring service continuity Categories of Data Subjects: Your employees, customers, contacts, leads, and other individuals whose data you input into the Service. Types of Personal Data Processed: Names, email addresses, phone numbers, company information, job titles, communication content, CRM records, deal and pipeline data, financial data, and any other personal data you choose to store in the Service.

Deskmantle shall: • Process personal data only on your documented instructions, unless required by law (in which case we will inform you before processing, unless legally prohibited) • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality • Implement and maintain appropriate technical and organizational security measures (see Section 6) • Not engage another processor (sub-processor) without your prior general authorization and without a written contract imposing equivalent data protection obligations (see Section 5) • Assist you in responding to requests from data subjects exercising their rights under applicable data protection law • Assist you in ensuring compliance with your obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities • At your choice, delete or return all personal data upon termination of the Service (see Section 9) • Make available to you all information necessary to demonstrate compliance with these obligations • Not process personal data for any purpose other than providing the Service, and specifically shall NOT use personal data to train, fine-tune, or improve AI models

You provide general authorization for Deskmantle to engage sub-processors. We maintain the following list of sub-processors, including their function and data location: Supabase, Inc. Function: Database hosting, authentication, and row-level security Data Location: United States Data Processed: All user and application data stored in the database Google Cloud Platform (Google LLC) Function: Cloud infrastructure, hosting, AI processing (Gemini API) Data Location: United States (us-central1) Data Processed: All application data, AI queries and responses Resend, Inc. Function: Transactional email delivery Data Location: United States Data Processed: Email addresses, email content, delivery metadata Twilio, Inc. Function: SMS and voice communication services Data Location: United States Data Processed: Phone numbers, SMS content, call metadata Whop, Inc. / Stripe, Inc. Function: Payment processing and subscription billing Data Location: United States Data Processed: Billing information, subscription data, payment history We will notify you at least 30 days in advance of any intended changes to sub-processors (additions or replacements) via email to the account owner. If you object to a new sub-processor on reasonable data protection grounds, you may notify us within 14 days. We will work in good faith to address your concerns. If we cannot resolve the objection, you may terminate the affected Service without penalty. Each sub-processor is bound by a written agreement imposing data protection obligations no less protective than those in this DPA.

Deskmantle implements and maintains the following technical and organizational security measures to protect personal data: Encryption: • Data in transit: TLS 1.3 for all connections • Data at rest: AES-256 encryption on all databases and storage Access Controls: • Row-level security (RLS) enforced on all database tables, ensuring users can only access their own data • Role-based access control for all administrative functions • Secrets and credentials stored in Google Cloud Secret Manager, never in source code • Multi-factor authentication available for user accounts • Employee access to production data limited to authorized personnel on a need-to-know basis Network Security: • Rate limiting on all API endpoints • Webhook signature verification for all third-party integrations • Firewall protection on all infrastructure • DDoS mitigation via Google Cloud infrastructure Application Security: • Session-based authentication with secure HTTP-only cookies • CSRF protection on all forms and API endpoints • Input validation and sanitization on all user inputs • Regular security audits and vulnerability assessments • Automated dependency vulnerability scanning Data Isolation: • Each customer's data is logically isolated via row-level security policies • No customer can access another customer's data through the application or API

In the event of a Data Breach affecting personal data processed on your behalf, Deskmantle shall: • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach, by email to the account owner and any designated security contact • Provide the following information (to the extent available at the time of notification, with additional details provided as they become known): — Description of the nature of the breach, including categories and approximate number of data subjects and records affected — Name and contact details of Deskmantle's Data Protection Officer — Description of the likely consequences of the breach — Description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects • Cooperate with you and provide reasonable assistance in investigating the breach, meeting regulatory notification obligations, and mitigating its effects • Document all Data Breaches, including the facts, effects, and remedial actions taken Deskmantle will not notify data subjects directly unless instructed to do so by you or required by law.

Deskmantle will assist you in responding to requests from data subjects exercising their rights under applicable law, including: • Right of access • Right to rectification • Right to erasure ("right to be forgotten") • Right to restriction of processing • Right to data portability • Right to object The Service provides self-service tools that allow you to access, export, correct, and delete personal data without requiring our intervention. For requests that cannot be fulfilled through self-service tools, contact privacy@deskmantle.com. We will respond to your assistance requests within 5 business days.

Upon termination or expiration of the Service: Data Export: You may export your data in machine-readable format (JSON/CSV) at any time during the term and for 30 days following termination, using the self-service export tools in your account settings. Data Deletion: After the 30-day post-termination period, we will permanently delete all personal data processed on your behalf, including backups, within an additional 30 days (60 days total from termination). We will provide written confirmation of deletion upon request. Exceptions: The following data may be retained beyond the deletion period: • Billing records required by applicable tax law (retained for 7 years) • Data required to be retained by law or court order • Anonymized, aggregated data that cannot be used to identify any individual Audit logs containing references to personal data are retained for 1 year and then automatically purged.

You have the right to audit Deskmantle's compliance with this DPA. This right may be exercised as follows: Information Requests: You may request information about our data processing practices and security measures at any time by emailing privacy@deskmantle.com. We will respond within 15 business days. Third-Party Audits: You may, at your own expense and upon 30 days' written notice, appoint a qualified independent third-party auditor to conduct an audit of our data processing practices. The auditor must execute a confidentiality agreement acceptable to Deskmantle. Audits shall be conducted during normal business hours and shall not unreasonably interfere with our operations. Certifications and Reports: Where available, we will provide copies of relevant security certifications, audit reports, or compliance attestations in lieu of a physical audit, where such documentation reasonably addresses your audit requirements. Audit frequency is limited to once per 12-month period, unless a Data Breach has occurred or a supervisory authority requires an audit.

Personal data processed under this DPA is stored and processed in the United States (Google Cloud Platform, us-central1 region). For transfers of personal data from the EU/EEA, UK, or Switzerland to the United States, we rely on: • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) • Data Processing Agreements with all sub-processors incorporating equivalent transfer safeguards We will implement any additional transfer mechanisms required by applicable law. If a transfer mechanism is invalidated by a court or regulatory authority, we will work with you to implement an alternative lawful transfer mechanism.

This DPA enters into effect when you begin using the Service and remains in effect for the duration of your use of the Service. This DPA automatically terminates when your Service agreement terminates or expires. However, our obligations regarding data deletion (Section 9) and confidentiality survive termination. Either party may terminate this DPA if the other party materially breaches its obligations under this DPA and fails to cure the breach within 30 days of written notice.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is prohibited by applicable law.

For questions about this Data Processing Agreement or to exercise any rights under this DPA: Data Protection Officer: Kurt Navale Email: privacy@deskmantle.com Website: https://deskmantle.com