Data Protection Agreement

Whereas:

A. Business Description

TAMradar is in the business of developing and providing software-as-a-service solutions for B2B sales and marketing teams with an aim to enable efficient total addressable market (TAM) monitoring and intelligence. TAMradar's services are based primarily on aggregating, structuring, and monitoring publicly available business information, including by but not limited to (i) tracking companies and contacts within a customer's target market, (ii) monitoring organizational changes such as job changes, new hires, and job openings from public sources, (iii) enriching company and contact data from publicly available sources, (iv) providing automated alerts ("radars") for market changes and signals, and (v) aggregating and structuring publicly available business intelligence data (the Business).

B. Service Agreement

Customer uses TAMradar's services, which are subject to TAMradar's Terms of Service.

C. Data Processing Relationship

In doing so, TAMradar will be Processing Personal Data on behalf of Customer, whereby TAMradar will be acting as Data Processor and Customer will be acting as Data Controller.

D. GDPR Compliance

The Parties seek to implement this DPA to comply with the requirements of the GDPR.

E. Supplemental Nature

This DPA will be supplemental to the Terms of Service, and this DPA will follow the terms thereof and definitions therein.

THEREFORE IT IS HEREBY AGREED as follows:

1. Definitions

Unless the context requires otherwise, capitalized terms and expressions are defined terms and expressions which will have the meaning as set out in this Section:

1.1 Unless the context requires otherwise, capitalized terms and expressions are defined terms and expressions which will have the meaning as set out in this Section:

(a) Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to transmitted, stored, or otherwise Processed Personal Data.

(b) Data Controller: a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.

(c) Data Processing Agreement or DPA: this agreement including its appendices.

(d) Data Processor: a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Data Controller.

(e) Data Subject: an identified or identifiable natural person to whom the Processed Personal Data relates.

(f) GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(g) Personal Data: any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

(h) Process, Processes, Processed or Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.

(i) Processing Purposes: the purposes for which Personal Data are Processed, as described in Annex A.

(j) Sub-Processors: those who Process (part of) the Personal Data on behalf of the Data Processor.

(k) Supervisory Authority: an independent public authority responsible for monitoring compliance with the law in relation to the Processing of Personal Data.

(l) Terms of Service: means the terms of service available on the TAMradar website or as otherwise provided to Customer.

2. Scope

In providing its services, TAMradar will Process Personal Data on behalf of Customer and in accordance with applicable laws and regulations. The relevant Personal Data Processed under this DPA are described in Annex A. TAMradar Processes the Personal Data solely for the specified purpose or purposes of Processing (the Processing Purposes), as described in Annex A, unless further written instructions are provided by Customer.

3. Nature of Processing

3.1 TAMradar Processes the Personal Data solely on behalf of Customer and based on Customer's instructions. TAMradar Processes the Personal Data only to the extent necessary for providing the services and in accordance with the documented instructions of Customer. Customer may reasonably provide additional or different instructions in writing. TAMradar will follow all instructions from Customer regarding the Processing of Personal Data. TAMradar will immediately notify Customer if, in its opinion, an instruction is in violation of applicable laws and regulations concerning the Processing of Personal Data.

3.2 If TAMradar determines the purpose and means for the Processing of Personal Data, TAMradar will be considered a Data Controller for those Processing activities.

3.3 Without prejudice to any other contractual confidentiality obligation binding on TAMradar, TAMradar guarantees that all Personal Data will be treated as strictly confidential. In this regard, TAMradar will inform all its employees, representatives, and subcontractors (Sub-Processors, see Section 7) involved in this Processing of this confidentiality requirement and ensure that they will act accordingly.

4. Security of Personal Data

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk and severity for the rights and freedoms of natural persons, TAMradar shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. An overview of the security measures is included in Annex B.

4.2 In assessing the appropriate level of security, TAMradar shall take account of the risks that are presented by Processing, in particular from a Data Breach.

4.3 TAMradar will monitor security breaches and maintain a record of any security incidents.

4.4 In the event of a Data Breach, whether actual, potential, or suspected, TAMradar will notify Customer as soon as possible, but no later than 36 hours after TAMradar becomes aware of the breach. The notification will include all relevant information regarding the nature of the incident, the affected Personal Data, and any measures taken or to be taken to mitigate the consequences.

4.5 TAMradar will always investigate any Data Breach, determine an appropriate response, and take necessary measures, including potentially informing the Supervisory Authority and the Data Subjects.

5. Audit

TAMradar makes available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

6. Data Transfers

TAMradar will not transfer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of Customer. If Personal Data Processed under this DPA is transferred from a country within the European Economic Area to a country outside the EEA, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

7. Sub-processors

TAMradar shall only grant Sub-Processors access to Personal Data with prior written consent from Customer, which consent shall not be unreasonably withheld. TAMradar confirms that a Sub-Processor shall be held to the same conditions as outlined in this DPA. A current list of Sub-Processors is available upon request as described in Annex C.

8. Data Subject Rights

When Customer receives a request from a Data Subject regarding the exercise of their rights under Chapter III of the GDPR, TAMradar will promptly cooperate and provide reasonable assistance to Customer in responding to such requests.

9. Liability

9.1 TAMradar shall not be liable for any indirect, consequential, special, incidental, or punitive damages, including but not limited to loss of profits, business interruption, loss of data, or loss of goodwill, arising out of or in connection with this DPA.

9.2 Customer shall indemnify TAMradar against all claims, fines, and/or measures from third parties, including Data Subjects and the Supervisory Authority, brought against or imposed upon TAMradar due to a breach of the GDPR and/or other applicable laws and regulations concerning the Processing of Personal Data by TAMradar and/or Sub-Processors engaged by TAMradar, except for when TAMradar (or any Sub-Processor engaged by TAMradar) has materially breached the provisions of this DPA or provisions of the GDPR directly applicable to TAMradar as Data Processor.

10. Term

10.1 This DPA is effective while Customer uses the Service and terminates automatically upon termination of the Service in accordance with the Terms of Service.

10.2 Within two (2) months after termination, TAMradar shall destroy or return all Personal Data and/or transfer it to Customer and/or another party designated by Customer, as chosen by Customer. All existing (other) copies of Personal Data, whether with Sub-Processors engaged by TAMradar or not, will be demonstrably permanently deleted or made inaccessible, unless storage of the Personal Data is legally required. Customer shall bear the costs for the destruction, return, and/or transfer of the Personal Data.

10.3 Obligations from the DPA that, by their nature, are intended to continue after the termination of the DPA, shall continue to apply after the termination of the DPA.

11. Applicable Law and Dispute Resolution

11.1 The DPA and its execution are governed by [applicable law]. Any disputes arising between the Parties in connection with the DPA shall be submitted to the competent court of [jurisdiction].

11.2 This DPA is an integral part of the Order Form and the Terms of Service. Therefore, all rights and obligations from the Order Form and the Terms of Service also apply to the DPA.

11.3 Deviations from this DPA are only valid if agreed upon in writing by the Parties.

ANNEX A: Processing Details

1. Subject Matter and Duration of Processing

The subject matter and duration of the Processing are determined by Customer's use of the Service and the Terms of Service.

2. Nature and Purpose of Processing

TAMradar processes Personal Data for the following purposes:

- Monitoring and tracking companies and contacts within Customer's defined target market

- Detecting and alerting Customer to organizational changes (job changes, new hires, departures) from publicly available sources

- Enriching company and contact information from publicly available sources

- Aggregating publicly available business intelligence and market signals

- Providing automated notifications ("radars") based on Customer-defined criteria

- Storing and organizing market intelligence data on behalf of Customer

Important Note: The vast majority of Personal Data processed by TAMradar originates from publicly available sources such as professional networking platforms, company websites, and other public business directories. TAMradar does not actively solicit or collect non-public Personal Data.

3. Types of Personal Data

The Personal Data processed consists primarily of publicly available professional information and may include:

- Professional contact information (names, job titles, work email addresses, LinkedIn profile URLs)

- Employment information (current and previous employers, job history, role changes)

- Company affiliation data

- Publicly available professional information from business platforms and directories

- Any other Personal Data Customer chooses to import or track within the Service

4. Categories of Data Subjects

The Data Subjects are:

- Business professionals and contacts tracked by Customer

- Employees of companies monitored by Customer

- Job applicants at tracked companies (via public job postings)

5. Customer's Obligations

Customer is responsible for:

- Ensuring lawful basis for processing the Personal Data

- Providing clear privacy notices to Data Subjects where required

- Obtaining necessary consents where required by applicable law

- Ensuring compliance with applicable data protection laws in their use of the Service

ANNEX B: Technical and Organizational Measures

TAMradar implements appropriate technical and organizational measures to protect Personal Data, including but not limited to:

Technical Measures

- Encryption of data in transit and at rest

- Access control and authentication mechanisms

- Secure cloud infrastructure deployment

- API security and authorization controls

- Security monitoring and logging

Organizational Measures

- Confidentiality obligations for all personnel with data access

- Data minimization and access limitation policies

- Incident response procedures

- Regular security assessments and updates

Data Retention

Personal Data is retained only as long as necessary to provide the Service and is securely deleted upon Customer request or service termination.

ANNEX C: Sub-Processors

TAMradar uses select third-party service providers (Sub-Processors) to support the delivery of the Service, including but not limited to cloud infrastructure, database hosting, and related services.

A current list of Sub-Processors is available upon request by contacting TAMradar at compliance@tamradar.com

Effective Date: This DPA becomes effective upon Customer's execution of an Order Form that references this DPA.