Data Processing Addendum (DPA)

Effective date: May 1, 2026

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or Terms of Service ("Agreement") between Eido Studios, Inc. and Customer and governs the processing of Personal Data by Company on behalf of Customer.

Capitalized terms not defined in this DPA have the meaning given in the Agreement.

1. Roles of the Parties

1.1 Customer as Controller. Customer determines the purposes and means of processing Personal Data.

1.2 Company as Processor. Company processes Personal Data solely on behalf of Customer and in accordance with Customer's documented instructions under the Agreement and this DPA.

1.3 No Ownership of Data. Nothing in this DPA grants Company ownership of Personal Data.

2. Processing of Personal Data

2.1 Subject Matter. Processing of Personal Data in connection with Customer's use of the Services.

2.2 Duration. For the term of the Agreement and as required to comply with Applicable Law.

2.3 Nature and Purpose. Company processes Personal Data solely to provide, operate, support, and improve the Services in accordance with Customer's instructions, including:

  • providing and maintaining the Services;
  • enabling Customer's configured SDK-based data collection and analytics;
  • generating dashboards, insights, and reports;
  • providing support and troubleshooting; and
  • improving performance, reliability, and functionality of the Services, provided that such processing is performed using aggregated or de-identified data that does not identify Customer or any individual.

2.4 Categories of Data Subjects.

  • Customer's End Users
  • Customer's employees, contractors, or agents using the Services

2.5 Categories of Personal Data.

  • Identifiers (e.g., user IDs, device IDs, IP address)
  • Usage and interaction data (events, clicks, in-app responses)
  • Account and login data
  • Customer-defined event attributes transmitted via SDK

2.6 Special Categories. Customer shall not intentionally submit Sensitive Data. Company does not intentionally process Sensitive Data on Customer's behalf.

3. Customer Instructions

3.1 Company will process Personal Data only:

  • on documented instructions from Customer, including as set forth in the Agreement, this DPA, and any written instructions provided by Customer consistent with the Services.

3.2 Customer is responsible for ensuring its instructions comply with Applicable Law.

4. Customer Responsibilities (SDK + Product Alignment)

Customer is solely responsible for:

  • providing all required notices to end users;
  • obtaining all necessary consents and authorizations;
  • ensuring lawful basis for collection and processing of Personal Data;
  • configuring and deploying the SDK or integrations;
  • determining what events, identifiers, metadata, and user interactions are collected and transmitted to the Services;
  • ensuring that data minimization principles are followed in configuration of the Services.

Company has no responsibility for the legality of Customer's SDK implementation or data collection choices.

5. Subprocessors

5.1 Customer authorizes Company to engage subprocessors to assist in providing the Services.

5.2 Company will ensure subprocessors are subject to written obligations no less protective than this DPA.

5.3 Company will remain responsible for its subprocessors' performance.

5.4 Company will make a current list of subprocessors available upon request and will provide reasonable notice of material changes, where practicable.

6. Security Measures

Company will implement and maintain reasonable administrative, technical, and organizational safeguards designed to protect Personal Data, including:

  • access controls
  • encryption in transit
  • encryption at rest
  • network security monitoring
  • logging and audit controls
  • employee confidentiality obligations

Company will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

7. Data Subject Requests

To the extent legally required, Company will:

  • provide commercially reasonable assistance to Customer in responding to data subject requests (access, deletion, correction); and
  • not respond directly unless legally required or instructed by Customer.

Customer is responsible for primary handling of such requests.

8. Data Retention and Deletion

8.1 Company will, at Customer's direction, delete or return Personal Data within 30 days following termination, including any applicable data access or retrieval period provided under the Agreement.

8.2 Company may retain limited data:

  • for legal compliance
  • for dispute resolution
  • in anonymized or aggregated form

9. International Transfers

Company may transfer Personal Data to jurisdictions outside the Customer's location. Where required by applicable law, Company will implement appropriate safeguards to ensure such transfers are made in accordance with applicable legal requirements.

10. Data Use Restrictions

Company will not:

  • sell Personal Data;
  • share Personal Data for cross-context behavioral advertising; or
  • use Personal Data from one Customer to target or build profiles about another Customer's end users.

Company will use Personal Data solely as a processor/service provider to Customer and not for its own independent commercial purposes, except as expressly permitted under this DPA.

11. Incident Notifications

Company will notify Customer within seventy-two (72) hours after becoming aware of a confirmed or reasonably suspected unauthorized access to or disclosure of Personal Data ("Security Incident"), and will provide reasonable information to assist Customer in meeting its legal obligations.

12. Audit Rights

Company will provide reasonable information necessary to demonstrate compliance with this DPA upon written request.

Customer agrees not to exercise audit rights more than once per year unless required by law or a material security incident occurs. Any audit will be conducted in a manner that minimizes disruption to Company's business operations and protects the confidentiality of other customers.

13. Liability

Liability under this DPA is subject to the limitation of liability provisions in the Agreement.

14. Conflict

If there is a conflict between this DPA and the Agreement, this DPA will control with respect to data processing obligations.

15. Changes

Company may update this DPA from time to time to reflect changes in law or business practices, provided such updates do not materially reduce protections.