Data Processing Addendum

This Somplo Data Processing Addendum (hereinafter ‘DPA’) supplements the Somplo Terms of Service  (hereinafter ‘Terms’), the agreement between you (hereinafter ‘User’ ‘Client’, ‘you’, ‘your’) and Somplo Ltd. (hereinafter ‘Company’, ‘Somplo’, ‘we’, ‘us’ or ‘our’) which is governing the processing of personal data that you upload or otherwise provide Somplo with in connection with the Services or any personal data that Somplo obtains in connection with the performance of the Services, hereinafter referred to individually as a ‘Party’ or together as the ‘Parties’.

Unless otherwise defined in this DPA, all capitalised terms used in this DPA will have the meanings set forth in the Terms. This DPA shall remain in force until the termination of the Terms between you and us governing your use of the Services.

1. Definitions

“Data Protection Laws and Regulations” means all applicable laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, the United States and its states, Brazil, Switzerland, applicable to the processing of personal data under the Terms as amended from time to time, such as GDPR, UK Data Protection Laws, Brazil’s Data Protection Laws, Swiss Data Protection Laws or other applicable laws and regulations.

“General Data Protection Regulation (GDPR)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Brazil’s Data Protection Laws” means Law No. 13,709, of August 14, 2018, as amended by Law No. 13,853 of July 8, 2019 (Lei Geral de Proteção de Dados (LGPD)) and Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses.

“Swiss Data Protection Laws” means Federal Act on Data Protection (Data Protection Act, FADP) of 25 September 2020 and Ordinance on Data Protection (Data Protection Ordinance, DPO) of 31 August 2022.

“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (retained version of the EU GDPR).

“EU Standard Contractual Clauses (EU SCCs)” means Standard Contractual Clauses for the transfer of  personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“UK Addendum” means International Data Transfer Addendum to the EU Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“Standard Contractual Clauses published by the Brazilian Data Protection Authority” means standard contractual clauses, prepared and approved by the Brazilian Data Protection Authority (ANPD), that establish minimum guarantees and valid conditions for carrying out an international data transfer based on item II(b) of Article 33 of Law No. 13,709, of August 14, 2018, as currently set out at https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/documentos-de-publicacoes/regulation-on-international-transfer-of-personal-data.pdf/.

“Standard data protection clauses in accordance with Article 16 paragraph 2 letter d FADP” means standard contractual closes, prepared and approved by the Federal Data Protection and Information Commissioner (FDPIC), available at https://backend.edoeb.admin.ch/fileservice/sdweb-docs-prod-edoebch-files/files/2024/11/19/80fbffae-8ab6-4544-960a-131aac219b58.pdf.

“controller”, “processor”, “sub-processor”, “data subject”, “personal data”, and “processing” have the meanings given in the Data Protection Laws and Regulations.

“Client Data” means personal data that you upload or otherwise provide to Somplo in connection with the Services or any personal data that Somplo obtains in connection with the performance of the Services.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Supervisory Authority” means an independent public authority to be responsible for monitoring the application of the data protection legislation.

“Services” means any services provided by the Company to Clients on its platform, including Somplo CMP services and other added services, features and tools provided by the Company to Clients.

2. Roles and Responsibilities

Where Somplo processes Client Data on your behalf in connection with Services, you acknowledge and agree that with regard to the processing of Client Data, you are a controller or processor, and we are a processor or sub-processor (as defined by the Data Protection Laws and Regulations) acting on your behalf. A description of such processing is set out in Schedule 1 of this DPA. This DPA shall apply accordingly to established roles and not apply to situations where we act as a controller in accordance with Somplo’s Privacy Policy.

If Client is a processor, Client warrants to Somplo that Client’s instructions and actions in respect to personal data, including appointing Somplo as sub-processor and, where applicable, concluding the EU SCCs or any other Addenda under Section 9 of this DPA (including as they may be amended in Section 9 below), have been (and will, for the duration of this DPA, continue to be) authorised by the relevant third-party controller.

3. Instructions

The Parties agree that this DPA and the Terms constitute Client’s complete and final documented instructions regarding the processing of the Client Data on the Client’s behalf (the “Instructions”) when the Client acts as a controller or processor, and Somplo acts as a processor or sub-processor under the Data Protection Laws and Regulations. Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms.

4. Description of Processing

The processing of Client Data on your behalf in connection with Services is described in Schedule 1 of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality that is part of the Services.

5. Your obligations

Within the scope of the DPA and Terms and your use of the Services you will be solely responsible for complying with all requirements that apply to you under the Data Protection Laws and Regulations. You represent and warrant that you will be solely responsible for:

(i) the accuracy, quality, integrity, confidentiality, and security of collected Client Data;

(ii) complying with all necessary transparency, lawfulness, fairness, and other requirements under the Data Protection Laws and Regulations for the collection and use of personal data by: establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of the Client; providing us only with data that has been lawfully and validly obtained and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA and Terms by your personnel or by any third-party accessing or using Client Data on your behalf; and

(iii) ensuring that your Instructions to us regarding the processing of Client Data comply with the Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation.

6. Our obligations

6.1. General Obligations

With regard to Somplo’s processing Client Data as processor or subprocessor, we shall:

(i) process the Client Data only for established purposes, using appropriate technical and organisational security measures, and in compliance with the instructions received from the Client subject to Section 3 of this DPA;

(ii) inform the Client if Somplo cannot comply with its obligations under this DPA, in which case the Client may terminate the agreement between Parties or take any other reasonable actions, including suspending data processing operations;

(iii) inform the Client if, at Somplo’s discretion, the Client’s Instruction may be in violation of the provisions of the Data Protection Laws and Regulations;

(iv) follow the Client’s instructions regarding the collection of the Client Data (including with regard to the provision of notice and exercise of choice) in case Somplo is obtaining the Client Data from data subjects on behalf of the Client under Terms and this DPA;

(v) take reasonable steps to ensure that any sub-processor to whom Somplo authorises access to the Client Data on its behalf complies with respective provisions of the Terms and this DPA;

(vi) keep records of processing activities carried out on behalf of the Client under this DPA and present such records to the Client upon request;

(vii) make available to the Client all information necessary to demonstrate compliance with Somplo’s obligations under the Data Protection Laws and Regulations.

6.2. Notices to Client

Upon becoming aware, we shall inform you of any legally binding request for disclosure of Client Data by a Public Authority, unless we are otherwise forbidden by law to inform the Client, for instance, to preserve the confidentiality of investigation by a Public Authority. We will inform the Client if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of Client Data under this DPA conducted between you and us.

6.3. Security measures

We shall implement and maintain appropriate technical and organisational measures to protect Client Data from personal data breaches (hereinafter the ‘Security Incidents’) in accordance with our security standards set out in Schedule 2 of this DPA. You acknowledge that security measures are subject to technical progress so that we may modify or update Schedule 2 of this DPA at our sole discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA.

6.4. Security Incident

Upon becoming aware of a Security Incident, we shall:

(i) notify you without undue delay after we become aware of the Security Incident;

(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you; and

(iii) promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected Data Subjects of the Security Incident. Our notification of or response to a Security Incident shall not be construed as an acknowledgment by us of any fault or liability regarding the Security Incident.

6.5. Confidentiality

We will not access or use, or disclose to any third party any Client Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). We shall ensure that any employee/contractor whom we authorise to access Client Data on our behalf is subject to appropriate confidentiality contractual or statutory duty obligations with respect to Client Data.

6.6. Return or deletion of Client Data

Upon termination or expiration of the Terms concluded between you and us, we shall delete or return all Client Data in our possession or control; this requirement shall not apply to the extent we are required by applicable law or respective contractual obligations to retain some or all of the Client Data.

6.7. Reasonable Assistance

We agree to provide reasonable assistance to the Client regarding:

(i) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Client Data that we process on behalf of Client. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;

(ii) the investigation of the Security Incident and communication of necessary notifications regarding such Security Incidents subject to Section 6.4 of this DPA;

(iii) preparation of data protection impact assessments and, where necessary, consultation of Client with the Supervisory Authority under Articles 35 and 36 of the GDPR.

6.8 Audit and Certification

6.8.1 Supervisory Authority Audit

If a Supervisory Authority requires an audit of the data processing facilities we use to process the Client Data to ascertain or monitor Client’s compliance with the Data Protection Laws and Regulations, we will cooperate with the audit. The Client is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.

6.8.2 Audits

The Client may, prior to the commencement of processing and at regular intervals, thereafter, audit the technical and organisational measures taken by us. If the Client is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide the Client with all information necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client with respect to such processing.

We shall, upon the Client’s written request and within a reasonable period, provide the Client with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

7. Data Subject Request

In the event that a data subject contacts us with regard to the exercise of their rights under the Data Protection Laws and Regulations (in particular, requests for access to, rectification, or deletion of Client Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.

8. Sub-processors

Somplo has the general written authorisation from the Client, for the engagement of sub-processors from an agreed list. Somplo agrees to inform the Client of any intended changes to that list concerning the addition or replacement of sub-processors at least 10 days prior to the engagement of the sub-processor in question, thereby giving the Client the opportunity to object to such changes. Somplo shall provide the Client with the information necessary to enable the Client to exercise the right to object.

If Section 9 of this DPA applies, the procedure for engaging sub-processors shall be governed by the relevant provisions of Section 9 of this DPA. In such a case, the provisions of Section 9 shall prevail.

The agreed list of Sub-processors is set out in Schedule 3 of this DPA.

9. Transfers of Client Data

9.1. General

Parties agree that when the processing of Client Data on behalf of Client in connection with Services constitutes a transfer under the Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the EU SCCs and/or UK Addendum and/or Brazil’s SCCs and/or Swiss Addendum which are deemed to be incorporated into and form part of this DPA as further described in subsections 9.2, 9.3, 9.4 and 9.5 of this DPA. If and to the extent the EU SCCs and/or UK Addendum and/or Swiss Addendum and/or Brazil’s SCCs, as applicable, conflict with any provision of the DPA, the EU SCCs, UK Addendum, Brazil’s SCCs, and Swiss Addendum shall prevail to the extent of such conflict.

9.2. Transfers under the GDPR

When the processing of Client Data on behalf of a Client in connection with Services constitutes a “transfer” under the GDPR, Standard Contractual Clauses shall apply. When you are a controller, and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor, and we are a sub-processor, Module Three of the EU SCCs shall apply.

For the purpose of the EU SCCs, we are a “Data Importer”, and you are a “Data Exporter”. The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs are deemed to be completed as follows:

(i) in Clause 7, the optional docking clause shall not apply;

(ii) in Clause 9, Option 2 (General written authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing of the Data Exporter shall be 10 days;

(iii) in Clause 11, the optional provision shall not apply;

(iv) in Clause 13, a particular option shall apply depending on the specific case;

(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of the Federal Republic of Germany;

(vi) in Clause 18(b), disputes shall be resolved by the courts of the Federal Republic of Germany;

(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;

(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.

9.3. Transfers under UK Data Protection Laws

When the processing of Client Data on behalf of Client in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws, the UK Addendum shall apply. When you are a controller, and we are a processor, Module Two of the EU SCCs shall apply, and when you are a processor, and we are a sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2 of this DPA. 

For the purpose of the UK Addendum, we are an “Importer”, and you are an “Exporter”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum are deemed to be completed as follows:

(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA, and the official registration number of the Importer is 515761708, and the official registration number of the Exporter is contained in the Client’s account, if any;

(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 9.2 of this DPA;

(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2, and 3 of this DPA;

(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.

9.4. Transfers under Brazil’s Data Protection Laws

When the processing of Client Data on behalf of a Client in connection with Services constitutes an “International Data Transfer” under Brazil’s Data Protection Laws, the Standard Contractual Clauses published by the Brazilian Data Protection Authority shall apply.

For the purpose of the SCCs, published by the Brazilian Data Protection Authority, we are an “Importer”, and you are an “Exporter”. The relevant provisions contained in Brazil’s Data Protection Laws are incorporated by reference and are an integral part of this DPA. Sections and Clauses of the SCCs, published by the Brazilian Data Protection Authority, are deemed to be completed as follows:

(i) in Clause 1, the tables with the information about the Exporter and Importer are deemed to be completed with the information as defined in this DPA. The Company is the ‘Importer’ and ‘Processor’, and the Client is the ‘Exporter’ and ‘Controller’ or ‘Processor’ depending on the specific case;

(ii)  in Clause 2 is deemed completed with the information set out in Schedule 1 of this DPA;

(iii) in Clause 3, Option B shall apply, which is deemed to be completed with the information set out in Schedule 1 of this DPA.

The main purpose of the onward transfer is the performance of the services.

Categories of personal data transferred are:

●      personal data related to Client’s team members (e.g., name, email, access level);

●      personal data of data subjects whose personal data is displayed in advertising creatives (e.g., photo, name, age, gender, address, telephone number, email address, etc.);

●      other personal data which may be uploaded to the Somplo platform by the Client.

The period of data storage corresponds to the duration of this DPA concluded between the Data Importer and the Data Exporter, unless otherwise agreed in writing or the Data Importer is required by applicable law to retain some or all of the transferred personal data;

(iv) in Clause 4, Option A shall apply when the Company acts as the Processor and Importer, and the Client acts as the Controller and Exporter. In this case, the Controller is responsible for the actions as defined in subsection  4.1. (a, b, and c).

Option B shall apply when the Parties act as Processors. In this case, the table provided in subsection 4.1. is deemed to be completed with the relevant information contained in the Client’s account (if any);

(v) SECTION III is deemed to be completed with the information set out in Schedule 2 of this DPA;

(vi) SECTION IV is deemed to be completed with the information set out in this DPA that is not reflected in the Clauses in this subsection.

The date of signing SCCs is the date of registering on the Platform and execution of Terms. The place of execution of the Brazilian SCCs shall be the respective addresses of the Company and the Client as set out in Schedule 1.

9.5 Transfers under Swiss Data Protection Laws

When the processing of the Client Data constitutes a “cross-border disclosure” under Swiss Data Protection Laws, the Swiss Addendum shall apply. When the Client acts as a controller, and Somplo acts as a processor, Module Two of the EU SCCs shall apply; and when the Client acts as a data processor, and Somplo acts as a sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2 of this DPA.

For the purpose of the Swiss Addendum, when the Client acts as a controller or processor, and Somplo acts as a processor, the Client is a “data exporter”, and Somplo is a “data importer”. The relevant provisions contained in the Swiss Addendum are incorporated by reference and are an integral part of this DPA. In this case, the EU SCCs shall apply with the following modifications:

(i) references to the GDPR shall be understood and interpreted as references to the equivalent provisions of the Swiss Federal Act on Data Protection (“FADP”);

(ii) Clause 13 and Part C of Annex I shall include the Swiss Data Protection Authority (“FDPIC”) as competent supervisory authority when personal data is exclusively subject to the FADP;

(iii) Clause 17 shall include Swiss law as governing law in case the transfer is exclusively subject to the FADP;

(iv) Clause 18(b) shall include the courts of Switzerland as the competent jurisdiction for the resolution of disputes under FADP;

(v) the term “Member State” in Clause 18(c) shall be extended to include Switzerland for the purpose of allowing Swiss data subjects to pursue their rights in their place of habitual residence.

SCHEDULE 1 – DESCRIPTION OF PROCESSING

A.  LIST OF PARTIES

Name: You, “Client”, “User”

Address: the relevant information is contained in the Client’s account.

Contact person’s name, position, and contact details: the relevant information is contained in the Client’s account.

Activities relevant to the data transferred under these Clauses: provision of the Services.

Signature and date: the Parties agree that execution of Terms by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.

Role: controller or processor

Name: Somplo Ltd.

Address: 30 Shacham, 1st Floor, Petah Tikva, Israel 4951726, IL

Contact person’s name, position, and contact details: Nadav Matz, CEO, support@somplo.com

Activities relevant to the data transferred under these Clauses: provision of the Services.

Signature and date: the Parties agree that execution of Terms by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.

Role: processor

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:

●      Client’s team members;

●      data subjects whose personal data is displayed in advertising creatives;

●      other data subjects whose personal data is uploaded to the Somplo platform by the Сlient.

2. Categories of personal data transferred:

●      personal data related to Client’s team members (e.g., name, email, access level);

●      personal data of data subjects whose personal data is displayed in advertising creatives (e.g., photo, name, age, gender, address, telephone number, email address, etc.);

●      other personal data which may be uploaded to the Somplo platform by the Client.

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

The Data Importer does not obtain access to the special categories of data (sensitive data).

4. The frequency of the transfer:

The personal data is transferred on a continuous basis.

5. Nature of the processing:

Personal data processing consists of the following: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

6. Purpose(s) of the data transfer and further processing:

The purpose of the data processing under these Clauses is the performance of the services for the Data Exporter by the Data Importer under the Terms concluded between the Data Importer and the Data Exporter.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The personal data shall be stored for the duration of this DPA concluded between the Data Importer and the Data Exporter unless otherwise agreed in writing or the Data Importer is required by applicable law to retain some or all of the transferred personal data.

8. For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing:

subject matter: the performance of services

nature: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

duration: the performance of the services for the Data Importer by the (sub-) processor under the service agreement concluded between the Data Importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the Data Exporter.

SCHEDULE 2 – TECHNICAL AND ORGANISATIONAL MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the Data Importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons:

●      Data Importer is committed to preserving the confidentiality, integrity, availability, and resilience of all personal data in question throughout its processing activities and ensuring that personal data are protected against loss and destruction by implementing appropriate internal information security policies, procedures, and other appropriate measures.

●      Data Importer maintains information security policy that includes Disaster Recovery Policy,  Business Continuity Policy, Access Control Policy, Password Policy, Firewalls Policy, Malware Protection Policy, Intrusion Detection and Prevention Policy, Security Events Policy, Anonymisation Policy, and Backup Policy.

●      Data Importer grants access to personal data strictly on a need-to-know basis, and such data is accessible only to authorised personnel.

●      The Data Importer’s computers are protected by the Avast antivirus for business, and its management is conducted by the IT team.

●      Data Importer uses AWS backup services for its databases.

●      The Data Importer’s servers have restricted access through the implementation of IP address filtering and two-factor authentication security measures.

●      The Data Importer’s application data is systematically backed up on GitHub.

●      Data Importer has conducted information security training for its development team employees.

●      The Data Importer’s information security procedures are subject to regular reviews.

●      Data Importer uses reliable service providers and monitors what technical and organisational measures they have in place to ensure that personal data is protected at all times.

●      Data Importer has implemented measures designed to protect the confidentiality and integrity of personal data during data transfers.

●      Data Importer has implemented technical and organisational measures designed to contain security incidents and prevent further data loss and damage.

SCHEDULE 3 – SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Name: Amazon.com, Inc.

Address: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal

Contact person’s name, position, and contact details: https://console.aws.amazon.com/support/home

Description of processing: storage of personal data on the servers of Amazon.com, Inc.

Name: HubSpot, Inc.

Address: 2 Canal Park, Cambridge, MA 02141, United States

Contact person’s name, position, and contact details: HubSpot, Inc., Two Canal Park, Cambridge, MA 02141 USA, Attn: Privacy and Data Protection Officer., https://preferences.hubspot.com/

Description of processing: conducting communication with data subjects.

Name: Intercom R&D Unlimited Company

Address: 124 St Stephen’s Green, Dublin 2, DC02 C628, Republic of Ireland

Contact person’s name, position, and contact details: https://www.intercom.com/privacy-form

Description of processing: conducting communication with data subjects.

Name: Foo Monk, LLC

Address: 30 N. Gould St., Ste. R, Sheridan, Wyoming, 82801, United States

Contact person’s name, position, and contact details: privacy@instantly.ai

Description of processing: conducting communication with data subjects.