1. Preamble

This Data Processing Agreement ("DPA" or "Agreement"), together with all Annexes hereto, forms part of the agreement between UXIFY (CY) LIMITED ("Uxify" or "Processor") and the Customer identified in the applicable Order Form, Terms of Service, or other agreement executed between the parties ("Controller") for the provision of Uxify's real user monitoring, UX analytics, and website optimisation platform (the "Service").

This DPA reflects the parties' agreement with respect to the processing of Personal Data by Uxify on behalf of the Controller in connection with the Service. It is effective as of the date the parties execute the applicable agreement or the Controller first uses the Service, whichever is earlier.

The terms of this DPA are incorporated into and supplement the Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to data protection obligations, this DPA shall prevail.

2. Definitions

In this Agreement, the following terms have the meanings set out below. Capitalised terms not defined herein have the meanings given in Applicable Data Protection Law.

"Applicable Data Protection Law"
means all laws and regulations applicable to the processing of Personal Data under this Agreement, including without limitation: (i) the EU General Data Protection Regulation 2016/679 ("GDPR"); (ii) the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 ("UK GDPR"); (iii) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act 2020 (together, "CCPA/CPRA"); and (iv) any other applicable national or regional data protection laws, in each case as amended, replaced, or supplemented from time to time.

"Controller"
means the entity that determines the purposes and means of the processing of Personal Data — being the Customer in the context of this Agreement.

"Data Breach"
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this Agreement.

"Data Subject"
means an identified or identifiable natural person whose Personal Data is processed.

"EEA"
means the European Economic Area.

"Personal Data"
means any information relating to an identified or identifiable natural person collected or processed through the Service on behalf of the Controller, including but not limited to account information, browsing behaviour, session data, device identifiers, IP addresses, and interaction data as further described in Annex I.

"Processing"
means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction (and "Process", "Processes" and "Processed" shall be construed accordingly).

"Processor"
means the entity that processes Personal Data on behalf of the Controller — being UXIFY (CY) LIMITED in the context of this Agreement.

"Restricted Transfer"
means a transfer of Personal Data to a third country or international organisation not recognised as providing adequate protection under Applicable Data Protection Law.

"Service"
means the real user monitoring, UX analytics, competitive intelligence, Navigation AI, and conversion optimisation platform provided by Uxify under the Terms of Service.

"Services Agreement"
means the Terms of Service, Order Form, or other agreement between the parties governing the Controller's use of the Service.

"Standard Contractual Clauses" or "SCCs"
means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, as set out in Annex IV.

"Sub-processor"
means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.

"UK Addendum"
means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.

3. Details of Processing

3.1  Subject matter

The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the Service as described in the Services Agreement and in Annex I to this Agreement.

3.2  Duration

The Processor shall process Personal Data for the duration of the Services Agreement, unless otherwise agreed in writing or required by Applicable Data Protection Law. Upon termination or expiry of the Services Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data in accordance with Clause 4.8 of this Agreement.

3.3  Nature and purpose

The Processor processes Personal Data solely for the following purposes:

• Providing, maintaining, and improving the Service;

• Enabling real user monitoring (RUM), session analytics, user journey analysis, funnel analysis, and behavioural analytics for the Controller;

• Enabling Navigation AI features and conversion optimisation functions;

• Generating performance, engagement, and business metric reports for the Controller;

• Enabling competitive intelligence and benchmarking features using anonymised, aggregated data that cannot be linked to any individual user or specific website;

• Ensuring the security, stability, and integrity of the Service;

• Complying with legal obligations applicable to the Processor.

The Processor shall not process Personal Data for any purpose beyond those set out above without the prior written consent of the Controller, except where required by Applicable Data Protection Law.

3.4  Types of personal data and categories of data subjects

The types of Personal Data processed and categories of Data Subjects are set out in Annex I to this Agreement.

4. Obligations of the Processor

4.1  General

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Applicable Data Protection Law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on grounds of public interest;

• Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law;

• Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

• Take all appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Clause 4.3 and Annex II;

• Respect the conditions referred to in Clauses 4.4 and 4.5 for engaging another processor;

• Assist the Controller to ensure compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, data breach notification, data protection impact assessment, and prior consultation), taking into account the nature of processing and information available to the Processor;

• At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of processing services, and delete existing copies unless Applicable Data Protection Law requires storage of the Personal Data;

• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.

4.2  Confidentiality

The Processor shall ensure that access to Personal Data is limited to those employees, agents, and contractors who need access in order to provide the Service, and that all such persons are subject to written obligations of confidentiality no less protective than those set out in this Agreement. The obligations of confidentiality survive termination of this Agreement.

4.3  Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against Data Breaches. Such measures are described in Annex II and shall include, at a minimum:

• Pseudonymisation and encryption of Personal Data where appropriate;

• Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

• Restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

4.4  Sub-processing

4.4.1 General authorisation
The Controller provides general authorisation to the Processor to engage Sub-processors, subject to the conditions set out in this Clause 4.4. The Processor's current list of approved Sub-processors is set out in Annex III.

4.4.2 Changes to Sub-processors
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance (where reasonably practicable) by updating Annex III or by providing written notice. The Controller may object in writing to the engagement of a new or replacement Sub-processor within fourteen (14) days of receipt of notice, provided that such objection is based on reasonable grounds relating to data protection. If the parties cannot resolve such objection, the Controller may terminate the applicable Services Agreement on reasonable written notice without penalty as its sole and exclusive remedy.

4.4.3 Sub-processor obligations
Where the Processor engages a Sub-processor, the Processor shall impose data protection obligations on that Sub-processor by way of a written contract that provides at least the same level of protection for Personal Data as this Agreement and that meets the requirements of Article 28 of the GDPR. The Processor shall remain fully liable to the Controller for the performance of Sub-processor obligations.

4.5  Data subject rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subjects' rights under Applicable Data Protection Law, including:

• Right of access (Article 15 GDPR);

• Right to rectification (Article 16 GDPR);

• Right to erasure (Article 17 GDPR);

• Right to restriction of processing (Article 18 GDPR);

• Right to data portability (Article 20 GDPR);

• Right to object (Article 21 GDPR).

The Processor shall promptly notify the Controller, and in any event within five (5) business days, if it receives a request from a Data Subject exercising their rights under Applicable Data Protection Law, and shall not respond to any such request except on the documented instructions of the Controller or as required by Applicable Data Protection Law.

4.6  Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Data Breach affecting Personal Data processed under this Agreement. Such notification shall include, to the extent then known:

• A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and records concerned;

• The name and contact details of the data protection officer or other contact point from whom more information can be obtained;

• A description of the likely consequences of the Data Breach;

• A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

Where the Processor cannot provide all information in the initial notification, it shall provide the information in phases without undue further delay. The Processor shall provide all reasonable assistance to the Controller in complying with any applicable obligation to notify Data Breaches to Supervisory Authorities or affected Data Subjects.

4.7  Data protection impact assessment and prior consultation

The Processor shall provide the Controller with reasonable assistance in carrying out data protection impact assessments ("DPIAs") and prior consultations with Supervisory Authorities where required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to the Processor.

4.8  Deletion and return of personal data

Upon termination or expiry of the Services Agreement, or upon the written request of the Controller, the Processor shall, at the Controller's election:

• Securely delete or destroy all Personal Data (including copies and backups) within sixty (60) days; or

• Return all Personal Data to the Controller in a commonly used machine-readable format within thirty (30) days.

The Processor shall provide the Controller with written certification of deletion upon request. Nothing in this Clause shall require the Processor to delete Personal Data to the extent that Applicable Data Protection Law requires its retention, in which case the Processor shall inform the Controller and shall isolate and protect such Personal Data from any further processing except as required by law.

4.9  Audit rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement. The Processor shall permit the Controller (or a mandated third-party auditor bound by confidentiality obligations) to conduct audits, including inspections, on reasonable notice of no less than thirty (30) calendar days, during normal business hours, and no more than once per calendar year, except where a Supervisory Authority requires more frequent audits or where the Controller reasonably suspects a material breach of this Agreement.

As an alternative to an on-site audit, the Processor may provide relevant third-party audit reports, certifications (e.g., ISO 27001, SOC 2), or other documentation demonstrating compliance, which the Controller may accept in its reasonable discretion. The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this Agreement.

5.  Obligations of the controller

The Controller represents, warrants, and agrees that:

• It has a valid legal basis under Applicable Data Protection Law for processing Personal Data through the Service, including obtaining valid consents from Data Subjects where required;

• It has provided and will continue to provide all necessary notices and disclosures to Data Subjects as required by Applicable Data Protection Law, including information about the use of Uxify as a data processor;

• All Personal Data provided to or collected through the Service has been collected lawfully and in compliance with Applicable Data Protection Law;

• Its instructions to the Processor shall at all times comply with Applicable Data Protection Law;

• It is solely responsible for configuring the Service, including any cookie consent mechanisms, data minimisation settings, and IP anonymisation features made available by the Processor;

• It shall not instruct the Processor to process Special Category Data or data relating to children without prior written agreement and implementation of appropriate additional safeguards;

• It shall promptly inform the Processor of any changes to its legal basis for processing or any regulatory restrictions applicable to Personal Data processed through the Service;

• It shall cooperate with the Processor in good faith to give effect to both parties' obligations under Applicable Data Protection Law.

6.  International data transfers

6.1  Transfers within the EEA

Where Personal Data is processed within the EEA, no additional transfer mechanism is required beyond compliance with the GDPR.

6.2  Restricted transfers

Where the Processor or any Sub-processor processes Personal Data outside the EEA (or outside the UK for UK GDPR purposes) and such transfer constitutes a Restricted Transfer, the parties agree that:

• The SCCs set out in Annex IV shall apply and are incorporated into this Agreement by reference, with Module Two (Controller to Processor) applying as between the Controller and the Processor;

• For transfers subject to UK GDPR, the UK Addendum shall also apply and is incorporated by reference;

• Where a Sub-processor is located in a third country, the Processor shall ensure that an appropriate transfer mechanism is in place before transferring Personal Data to such Sub-processor, including back-to-back SCCs where applicable.

6.3  Adequacy decisions

To the extent that a Restricted Transfer is covered by an adequacy decision issued by the European Commission or the UK Government, the parties may rely on such adequacy decision in lieu of the SCCs or UK Addendum for that specific transfer.

6.4  Supplementary measures

Where required by Applicable Data Protection Law or following a transfer impact assessment, the parties shall implement appropriate supplementary technical and organisational measures to ensure an essentially equivalent level of protection to that guaranteed within the EEA or UK, as applicable. The Processor shall cooperate with the Controller in conducting any necessary transfer impact assessment.

7.  CCPA/CPRA provisions

7.1  Service provider designation

To the extent Applicable Data Protection Law includes the CCPA/CPRA, the Processor is a "Service Provider" as defined under the CCPA/CPRA and shall process Personal Information (as defined under the CCPA/CPRA) only:

• For the business purpose of providing the Service as set out in this Agreement and the Services Agreement;

• As otherwise permitted by the CCPA/CPRA for Service Providers.

7.2  Prohibited uses

The Processor shall not:

• Sell or Share (as those terms are defined under the CCPA/CPRA) Personal Information processed under this Agreement;

• Retain, use, or disclose Personal Information for any commercial purpose other than providing the Service;

• Retain, use, or disclose Personal Information outside the direct business relationship with the Controller;

• Combine Personal Information received under this Agreement with Personal Information received from or collected in connection with another business, except as permitted by the CCPA/CPRA.

7.3  Consumer rights assistance

The Processor shall assist the Controller in responding to verifiable consumer requests to exercise rights under the CCPA/CPRA, including rights of access, deletion, correction, and opt-out of Sale or Sharing, in accordance with Clause 4.5 of this Agreement.

7.4  Certification

The Processor certifies that it understands the restrictions in this Clause 7 and will comply with them. Uxify does not sell users' personal information.

8.  Liability

8.1 Each party shall be liable to Data Subjects and, where applicable, to Supervisory Authorities for damage caused by processing that infringes Applicable Data Protection Law, in accordance with the allocation of responsibility set out therein.

8.2 As between the parties, each party's liability under this Agreement shall be subject to the limitations and exclusions set out in the Services Agreement. The parties agree that any limitation of liability in the Services Agreement shall apply to this DPA and the SCCs to the maximum extent permitted by Applicable Data Protection Law.

8.3 To the extent any limitation of liability is inconsistent with the obligations imposed on processors under the GDPR (including Articles 82 and 83), the applicable GDPR provisions shall prevail to the extent required by law.

9.  Term and termination

9.1 This Agreement shall commence on the effective date of the Services Agreement and shall continue for so long as the Processor processes Personal Data on behalf of the Controller.

9.2 This Agreement shall automatically terminate upon termination or expiry of the Services Agreement, subject to any obligations that by their nature survive termination (including Clauses 4.2, 4.8, 6, and 8).

9.3 Either party may terminate this Agreement with immediate effect by written notice if the other party commits a material breach of this Agreement that is incapable of remedy, or that is not remedied within thirty (30) days of receipt of written notice specifying the breach and requiring remedy.

10.  Governing law and jurisdiction

10.1 This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Cyprus, without regard to its conflict of law provisions.

10.2 The parties irrevocably submit to the exclusive jurisdiction of the courts of the Republic of Cyprus to settle any dispute arising out of or in connection with this Agreement.

10.3 The foregoing is without prejudice to the mandatory provisions of Applicable Data Protection Law and the jurisdiction of competent Supervisory Authorities.

10.4 For the purposes of the SCCs, the governing law and choice of forum clauses within the SCCs shall apply in addition to, and shall not be affected by, this Clause 10.

11.  General provisions

11.1 Entire Agreement. This Agreement (together with the Services Agreement and the Annexes) constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior agreements and representations with respect thereto.

11.2 Amendments. This Agreement may only be modified by a written instrument signed by authorised representatives of both parties, except that Annex III (Sub-processor list) may be updated unilaterally by the Processor subject to the notification requirements in Clause 4.4.

11.3 Severability. If any provision of this Agreement is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

11.4 Waiver. No failure or delay by a party to exercise any right or remedy under this Agreement shall constitute a waiver of that right or remedy.

11.5 Notices. Notices under this Agreement shall be in writing and sent by email or registered post to the addresses specified in the Services Agreement or as otherwise notified in writing by either party.

11.6 Counterparts. This Agreement may be executed in counterparts and by electronic signature, each of which shall be deemed an original and together shall constitute one agreement.

11.7 Precedence. In the event of any conflict or inconsistency between the documents forming the agreement between the parties, the order of precedence shall be: (i) this DPA; (ii) the SCCs (if applicable); (iii) the Services Agreement; (iv) any order forms or statements of work.

ANNEX I

Details of Processing Activities

A. List of parties

B. Categories of data subjects

C. Categories of personal data

D. Purposes and legal bases

e. Retention periods

F. Frequency and nature of transfers

Frequency: Continuous, as Personal Data is generated by visitors to the Controller's digital properties in real time.

Nature: Collection, recording, organisation, structuring, storage, retrieval, analysis, aggregation, visualisation, and transmission to the Controller.

ANNEX II

Technical and Organisational Security Measures

Uxify implements and maintains the following technical and organisational measures to protect Personal Data:

A.  Access controls

• Role-based access control (RBAC) limiting access to Personal Data to authorised personnel on a need-to-know basis.

• Multi-factor authentication (MFA) required for access to production systems containing Personal Data.

• Privileged access management with just-in-time access provisioning for administrative tasks.

• Regular review and revocation of access rights upon role changes or employment termination.

• Audit logging of all access to Personal Data and systems.

B.  Data encryption

• All Personal Data transmitted over public networks is encrypted using TLS 1.2 or higher.

• Personal Data stored at rest is encrypted using AES-256 or equivalent standards.

• Database encryption at the storage layer.

• Encryption keys managed using dedicated key management systems with strict access controls.

C.  Pseudonymisation and anonymisation

• IP addresses are truncated or anonymised during ingest where configured by the Controller.

• Session identifiers are pseudonymous and do not directly identify natural persons.

• Data used for industry benchmarking is fully anonymised and cannot be linked to any individual user or specific website.

D.  Network and infrastructure security

• Firewalls and intrusion detection/prevention systems protecting production environments.

• Network segmentation separating production, staging, and development environments.

• Regular vulnerability scanning and penetration testing conducted at least annually by qualified third parties.

• Patch management programme ensuring timely application of security updates.

• DDoS mitigation measures via Cloudflare.

E.  Physical security

• Personal Data is processed in data centres operated by cloud providers (see Annex III) that maintain industry-standard physical security controls including biometric access, CCTV surveillance, and 24/7 on-site security.

• Cloud infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications for their data centres.

F.  Incident response and business continuity

• Documented incident response plan with defined roles, responsibilities, and escalation procedures.

• Regular backups with tested restore procedures.

• Business continuity and disaster recovery plans tested at least annually.

• Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

G.  Personnel security

• Background checks conducted on employees with access to Personal Data (subject to applicable employment law).

• Mandatory data protection and security training for all employees upon onboarding and annually thereafter.

• Confidentiality agreements with all employees and contractors.

• Disciplinary procedures for security policy violations.

H.  Data minimisation and retentions

• Data minimisation principles applied in the design of the Service.

• Automated deletion processes aligned with retention periods specified in Annex I.

• Configurable data collection settings enabling Controllers to minimise collection at source.

• Payment card data is never stored by Uxify; all payment processing is handled by PCI-DSS compliant third parties.

I.  Security governance

• Designated data protection contact responsible for overseeing compliance with data protection obligations.

• Regular internal security audits and risk assessments.

• Vendor security assessment programme for Sub-processors.

• Security policies reviewed and updated at least annually.

ANNEX III

List of Approved Sub-processors

The following Sub-processors are approved to process Personal Data in connection with the Service. Uxify shall maintain and update this list in accordance with Clause 4.4 of the Agreement.

For each Sub-processor, Uxify has entered or will enter into a written data processing agreement imposing obligations at least equivalent to those imposed on Uxify under this DPA. The current version of this list is maintained at uxify.com/legal.

ANNEX IV

Standard Contractual Clauses

Module Two: Controller to Processor — EU Commission Decision (EU) 2021/914

The Standard Contractual Clauses set out in this Annex IV are the clauses adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

The parties agree that Module Two (Transfer controller to processor) of the SCCs applies to any Restricted Transfer from the Controller (as data exporter) to the Processor (as data importer) under this Agreement. The SCCs are incorporated by reference and supplemented as set out in the completion table below.

Completion of the SCCs (Module Two)

UK international data transfer addendum

For transfers subject to the UK GDPR, the parties agree to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018, as follows:

Key obligations under Module Two

The parties acknowledge and agree to the following key obligations incorporated by reference from Module Two of the SCCs:

Clause 8 - Data Protection Safeguards

• The data importer (Uxify) shall process personal data only on documented instructions from the data exporter (Customer).

• The data importer shall inform the data exporter immediately if it is unable to comply with the SCCs.

• The data importer shall process personal data in accordance with the technical and organisational measures in Annex II.

Clause 9 - Use of Sub-processors

• The data importer has the data exporter's general authorisation to engage sub-processors listed in Annex III.

• The data importer shall notify the data exporter of any intended changes to sub-processors at least 30 days in advance.

• The data importer shall impose equivalent data protection obligations on all sub-processors by written contract.

Clause 10 - Data subject rights

• The data importer shall promptly notify the data exporter of any request received directly from a data subject and shall not respond without the data exporter's authorisation.

Clause 15 - Obligations in case of access by public authorities

• The data importer shall notify the data exporter of any legally binding request for disclosure of personal data by a public authority, unless prohibited by law.

• The data importer shall review the legality of any such request and challenge it if permitted by law.

Clause 16 - Non-compliance and suspension

• The data importer shall inform the data exporter if it is unable to comply with the SCCs for whatever reason.

• The data exporter shall be entitled to suspend personal data transfers if non-compliance presents a substantial risk to data subjects.