Data Processing Agreement

1. Definitions

• “Customer Data” means business contact, account, and related data submitted to or processed through the Services by or on behalf of Customer.
• “Personal Data” means any information relating to an identified or identifiable natural person contained within Customer Data.
• “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• “Subprocessor” means a third party engaged by Hivekind to process Customer Data in connection with the Services.
• “Applicable Data Protection Law” means applicable United States federal and state privacy and data protection laws, unless otherwise agreed in writing.

2. Roles of the Parties

• Customer acts as the Data Controller (or equivalent).
• Hivekind acts as a Data Processor and will process Personal Data solely on documented instructions from Customer as set out in this DPA and the Agreement.

3. Scope and Purpose of Processing

Hivekind will process Customer Data solely to provide the Services and related support described in the Agreement, including:

• Account research and enrichment
• Outreach and communication orchestration
• Analytics and reporting
• Product functionality and support

The Services are intended for business-to-business (B2B) use involving professional contact information, not consumer personal data.

Types of Personal Data may include:

• Business contact information
• Professional details (role, company, work email, phone number etc.)
• Communication and engagement data

Hivekind does not intentionally process sensitive personal data unless explicitly agreed in writing.

Hivekind may use aggregated and de-identified data for service improvement and analytics, provided such data does not identify Customer or individuals.

4. Confidentiality

Hivekind will ensure that personnel authorized to process Customer Data are subject to appropriate confidentiality obligations and will access Customer Data only as necessary to provide the Services.

5. Security Measures

Hivekind maintains administrative, technical, and organizational safeguards appropriate to the nature of the Services and associated risks, including:

• Encryption of Customer Data in transit (TLS 1.2 or higher) and at rest
• Logical access controls and role-based restrictions
• Multi-factor authentication for privileged system access
• Segregation of customer environments at the logical layer
• Logging and monitoring of production systems
• Secure credential and API key management
• Regular vulnerability scanning and security patching

Hivekind is actively pursuing SOC 2 Type II certification, targeted for completion in Q2 2026. Upon availability, Hivekind will provide a summary SOC 2 report under NDA upon request.

Hivekind will not materially reduce the overall security posture of the Services during the term of the Agreement.

6. Subprocessors

Customer acknowledges that Hivekind may engage Subprocessors to provide portions of the Services.

Subprocessors may include providers of:

• Cloud hosting and infrastructure
• Communication infrastructure
• Analytics services
• AI / LLM services
• Telephony services
• Email and voice orchestration tools

Hivekind will take reasonable steps to ensure Subprocessors are subject to appropriate confidentiality and data protection obligations.

Hivekind will maintain a list of current primary Subprocessors and will provide at least thirty (30) days' prior notice of any new Subprocessor that will process Customer Data. Customer may object to a new Subprocessor on reasonable data protection grounds within that period. If the parties cannot resolve the objection, Customer may terminate the affected Services without penalty.

Hivekind remains responsible for the performance of its Subprocessors' data protection obligations to the same extent as if Hivekind performed the Processing directly.

Annex II contains details of some current Subprocessors, and a detailed list of primary Subprocessors will be provided upon reasonable request.

7. Use of AI and LLM Providers

Hivekind utilizes third-party AI and LLM providers solely to deliver contracted Service functionality.

Hivekind:

• Uses API-based access with commercially reasonable data protection controls.
• Does not permit Customer Data to be used to train public or shared models.
• Configures providers, where available, to disable data retention beyond what is necessary for processing.
• Enters into data protection agreements with such providers where available.

Hivekind remains responsible for ensuring that AI providers process Customer Data in accordance with this DPA. Hivekind will configure AI and hosting providers to process and store Customer Data in US-based regions during the pilot term.

Customer acknowledges that third-party providers operate under their own terms and privacy policies, and Hivekind cannot independently audit such providers.

8. Data Subject Requests

To the extent required by Applicable Data Protection Law, Hivekind will provide reasonable assistance to Customer in responding to valid data subject requests.

Customer remains responsible for responding to such requests.

9. Data Retention and Deletion

Upon termination or expiration of the Agreement, Hivekind will, within thirty (30) days of written request:

• Delete Customer Data from active production systems, or
• Provide a commercially reasonable export of Customer Data where technically feasible.

Customer Data contained in encrypted backups will be deleted in accordance with Hivekind's standard backup retention cycle, not to exceed ninety (90) days.

Hivekind may retain limited data as required by law or for legitimate security and fraud prevention purposes.

Hivekind will provide written confirmation of deletion upon request.

10. Audit and Compliance

Upon reasonable request and no more than once annually, Hivekind will provide documentation reasonably necessary to demonstrate compliance with this DPA, including security certifications or audit summaries where available. On reasonable notice and subject to confidentiality obligations, Customer may conduct a limited audit of Hivekind's relevant controls, provided such audit does not unreasonably interfere with Hivekind's operations.

11. Security Incidents

Hivekind will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a confirmed Security Incident affecting Customer Data.

Such notice will include:

• Description of the nature of the incident.
• Categories and approximate volume of affected data, where known.
• Likely consequences.
• Measures taken or proposed to address the incident.

Hivekind will provide reasonable cooperation to support Customer's regulatory or notification obligations under Applicable Data Protection Law.

12. Data Location

Hivekind will process, store, and access Customer Data exclusively within the United States and will not transfer Customer Data outside the United States.

13. Liability

Liability arising under this DPA will be subject to the limitations of liability set forth in the Agreement between the parties.

If no such limitation exists, each party's liability will be limited to the total fees paid by Customer to Hivekind under the Agreement in the preceding twelve (12) months.

14. Governing Law

This DPA will be governed by the governing law specified in the Agreement. If none is specified, the laws of the State of Delaware, USA shall apply.

15. Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA governs with respect to data protection matters.

Annex II – List of Primary Subprocessors

The subprocessors listed below represent Hivekind's primary subprocessors as of the effective date of this Agreement. This list is not exhaustive and may be updated from time to time. Hivekind may engage additional subprocessors as reasonably necessary to deliver the Service, subject to appropriate contractual safeguards and data protection obligations.

Hivekind may update this list from time to time and will maintain appropriate contractual safeguards with all subprocessors.