Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) is an agreement between Influencers Club (referred to as “Processor”) and each business customer of Influencers Club (referred to as “Customer” or “Controller”) that uses the Influencers Club platform or services under a master agreement or terms of service (the “Main Agreement”). This DPA reflects the parties’ obligations regarding the Processing of Personal Data in compliance with applicable privacy laws. By using Influencers Club’s services, the Customer agrees to the terms of this DPA, which is incorporated into and forms part of the Main Agreement. In case of any conflict between this DPA and the Main Agreement on matters of data protection, this DPA will prevail. (If Standard Contractual Clauses apply, they will prevail over both this DPA and the Main Agreement.)

1. Definitions

For purposes of this DPA, the following capitalized terms have the meanings set out below. Terms not defined here or in the Main Agreement shall have the meaning given by applicable Data Protection Laws (as defined).

  • “Personal Data” means any information relating to an identified or identifiable individual that is protected as personal data, personal information, or similar under Data Protection Laws.
  • “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, use, disclosure, erasure, or destruction.
  • “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For this DPA, the Customer is the Controller.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller. For this DPA, Influencers Club is the Processor.
  • “Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and the Processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (GDPR) and any national implementing laws, the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any similar privacy laws in other jurisdictions[1][2].
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Customer Data” (or “Controller Data”) means any Personal Data that the Customer provides or makes available to the Processor for Processing under the Main Agreement.
  • “Subprocessor” means any third party (including any Influencers Club affiliate) engaged by the Processor to assist in Processing Customer Data on behalf of the Customer.
  • “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted or stored by the Processor or its Subprocessors[3]. This does not include unsuccessful or insignificant incidents that do not compromise the security of Personal Data (such as blocked malware or unsuccessful login attempts).
  • “Standard Contractual Clauses” or “SCCs” means the standard data protection contract clauses issued by the European Commission for transfers of personal data to third countries. Specifically, this refers to the EU Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 (the controller-to-processor SCCs), including the UK International Data Transfer Addendum and any relevant Swiss addendum or amendments for transfers from those jurisdictions[4]. The SCCs (including applicable modules and appendices) are hereby incorporated into this DPA by reference and will apply to the extent required by Data Protection Laws for cross-border transfers (see Section 10 below).
  • Other terms like “Controller,” “Processor,” “Personal Data,” “Processing,” “Data Subject,” and “Supervisory Authority” shall, to the extent not defined above, have the meanings given in the GDPR or applicable Data Protection Laws[5].

2. Scope and Details of Processing

Roles of the Parties: The parties acknowledge and agree that, in the context of the services provided under the Main Agreement, the Customer acts as a Data Controller and Influencers Club acts as a Data Processor on behalf of the Customer. The Customer determines the purposes and means of the Processing of Customer Data, and Influencers Club will Process Customer Data only on the Customer’s documented instructions and as described in this DPA.

Subject Matter and Duration: The subject matter of the Processing is the performance of the services and any related technical support or other activities as described in the Main Agreement. The Processing will continue for the duration of the Main Agreement (including any post-termination retention period permitted under this DPA or required by law).

Nature and Purpose of Processing: Influencers Club will Process Customer Data solely for the following purposes: (a) to provide, maintain, and support the Influencers Club platform and services in accordance with the Main Agreement (including data analytics or enrichment features expressly offered as part of the service); (b) to carry out Customer’s written instructions (including through Customer’s configurations of the service); and (c) to comply with applicable law or other lawful requirements (in which case Processor shall inform Customer of that legal requirement before Processing, unless such notice is legally prohibited). No Processing will be done outside of these purposes.

Types of Personal Data: The types of Personal Data processed under this DPA include any Personal Data that Customer submits or uses within the Influencers Club services. Typical categories may include: identification and contact information (names, social media handles, email addresses, phone numbers); professional or public profile information (social media metrics, public content, location or demographic info inferred from profiles); communications data (content and metadata of messages sent through the platform); technical usage data (IP addresses, device and log information for platform use); and any other Personal Data that Customer uploads or inputs into the service. Special Category (sensitive) personal data is not sought or required for the services, and this DPA prohibits its intentional upload. Customer should refrain from uploading any sensitive or special-category Personal Data unless explicitly agreed to by Processor in advance. Influencers Club does not intentionally collect or use any sensitive personal data in providing its core services.

Categories of Data Subjects: The Personal Data to be Processed will concern the following categories of Data Subjects, as applicable:

  • Influencer or Creator Individuals: Social media content creators, influencers, or similar individuals in the creator economy whose information is being researched or managed by the Customer (even if these individuals are public figures, the data may include personal data about them).
  • Outreach Recipients: Individuals who are recipients of outreach communications initiated by the Customer through the platform (e.g., those influencers or representatives of brands that the Customer contacts).
  • Customer’s Personnel: Employees or contractors of Customer who are authorized users of the Influencers Club platform (limited personal data such as their name, contact info, and usage logs for authentication and support purposes).
  • Other Third Parties (Incidental): Any other individuals whose Personal Data is included incidentally in Customer Data (for example, persons mentioned in email threads or documents uploaded by Customer). The Customer is responsible for minimizing any incidental inclusion of third-party data.

(For further specification of the processing details required by Article 28 GDPR and SCC Appendix, see Annex 1 to this DPA.)

3. Obligations of the Processor (Influencers Club)

Influencers Club, as the Processor of Customer Data, agrees to the following obligations:

  • 3.1 Compliance with Instructions: Processor will Process Customer Personal Data only on documented instructions from the Customer, unless otherwise required by applicable law[6]. Processor shall not retain, use, disclose, or otherwise Process Customer Data for any purpose other than as necessary to perform the services and carry out Customer’s instructions, or as required by law. Processor will promptly inform Customer if it believes an instruction violates Data Protection Laws or if Processor is unable to comply with any Customer instruction.
  • 3.2 No Secondary Use or “Selling” of Data: Processor shall not “sell” or “share” Personal Data (as those terms are defined under the CCPA) and shall not Process Personal Data for any purposes other than those specified in Section 2 of this DPA or as explicitly directed by Customer[7]. This means, without limitation, that the Processor will not disclose Customer Data to third parties for targeted advertising or other commercial purposes, nor will it combine Customer Data with information from other sources (except as needed to perform the services for Customer). Processor certifies that it understands these restrictions and will comply with them[8]. If applicable law (such as CCPA/CPRA) defines Processor as a “Service Provider” or “Contractor,” the parties intend that Influencers Club operates in that capacity, and this DPA shall be interpreted to reflect that intent (including compliance with the requirements of 11 CCR §7051, such as prohibitions on selling, retaining, or using personal information except as permitted[9][10]).
  • 3.3 Security Measures: Processor will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, or disclosure[11]. These measures are designed to ensure a level of security appropriate to the risk, including (as applicable) the measures referenced in Article 32(1) GDPR (pseudonymization and encryption of data, ongoing confidentiality, integrity, availability and resilience of processing systems, ability to restore data, and regular testing of effectiveness). A description of the specific security measures maintained by Influencers Club is provided in Annex 2 (Technical and Organizational Measures) to this DPA (or in a similar Security Policy document made available to Customer), and is incorporated herein. At a high level, Influencers Club’s security program includes, but is not limited to:
  • Access Controls: Enforcing role-based access and the principle of least privilege so that only authorized personnel with a need to access Personal Data can do so. Administrative access to systems processing Personal Data requires strong authentication (e.g., multi-factor authentication) and is logged and audited. User access rights are reviewed periodically and promptly revoked upon staff changes.
  • Encryption: Personal Data is protected by encryption in transit and at rest. Influencers Club uses industry-standard protocols (such as TLS 1.2 or higher) to encrypt data transmitted over public networks, and strong encryption algorithms (e.g., AES-256) to encrypt data stored in databases or file systems. Encryption keys are managed securely, and where applicable additional measures like pseudonymization or hashing are applied to sensitive identifiers.
  • Network & System Security: Production systems are hosted in secure, modern infrastructure (e.g., reputable cloud providers or data centers) with robust physical security and environmental controls. Networks are segmented and protected by firewalls and intrusion detection systems. Regular vulnerability scanning, intrusion detection, and other monitoring tools are employed to detect and prevent unauthorized access or anomalies. Systems are kept updated with security patches, and anti-malware protections are in place.
  • Monitoring & Logging: Influencers Club continuously monitors its systems for security events. Key activities (such as access to Personal Data, system errors, and security events) are logged in a tamper-evident manner. Logs are analyzed through automated alerts and regular reviews. Any suspicious activity or potential incident generates alerts to the security team (on call 24/7) who follow defined incident response procedures to quickly investigate and address issues.
  • Organizational & Personnel Security: All employees and contractors with access to Personal Data undergo background checks (as allowed by law) and are bound by confidentiality agreements. Influencers Club provides privacy and security training at onboarding and on a regular basis to ensure staff understand their data protection responsibilities. Internal policies govern the handling of Personal Data and security practices (e.g., clean desk, device security), and compliance with these policies is enforced.
  • Reliability & Backup: Systems are built with redundancy and fault-tolerance to ensure high availability. Regular backups of critical Customer Data are performed (with encryption) and stored securely. Backup and recovery procedures are tested periodically to ensure data can be restored in case of accidental loss or corruption, and disaster recovery plans are in place and maintained.
  • Testing & Assessment: Influencers Club periodically tests, assesses, and evaluates the effectiveness of its security measures. This includes at least annual penetration testing and security assessments by independent experts, as well as regular internal risk assessments. Any findings are promptly remediated in accordance with a documented vulnerability management process.
  • Vendor Management: When Influencers Club uses Subprocessors or third-party services that may have access to Personal Data, it conducts due diligence on their security practices and requires them to meet standards equivalent to those in this DPA. Influencers Club maintains a vendor management program to assess third-party risks and ensure Subprocessors’ ongoing compliance with data protection requirements (for example, by reviewing their third-party security audit reports annually).

These measures, together with the additional measures detailed in Annex 2, are in place to protect Personal Data against anticipated threats or hazards and to ensure compliance with applicable security requirements. Influencers Club will regularly update and refine its security measures in light of technological developments, emerging threats, and industry best practices, provided that no such update will materially reduce the level of protection for Personal Data. Processor will not materially decrease the overall security of the services during the term of the Main Agreement. (See Annex 2 for the full details of current measures.)

  • 3.4 Confidentiality: Processor will ensure that any persons it authorizes to Process Customer Data (including its employees and contractors) are under appropriate obligations of confidentiality. Processor will strictly limit access to Personal Data to personnel who need such access to perform the services and meet Processor’s obligations under the Main Agreement. All such personnel are bound by contract or statutory obligations to protect the confidentiality and security of Personal Data, even after their engagement ends[12]. If Processor uses subcontracted personnel (staff provided by temp agencies, consultants, etc.), it will ensure they are held to the same confidentiality standards.
  • 3.5 Subprocessors: Processor is authorized to engage Subprocessors to assist in the Processing of Personal Data only in accordance with the terms of Section 6 (Subprocessors) of this DPA. Processor will impose data protection obligations on any Subprocessor it appoints that are at least as protective as those in this DPA, and will remain fully liable to the Customer for any acts or omissions of its Subprocessors in violation of this DPA (subject to the overall liability cap agreed in the Main Agreement)[13].
  • 3.6 Assistance with Data Subject Rights: Processor will assist the Customer in responding to and fulfilling any requests by Data Subjects to exercise their rights under Data Protection Laws, as detailed in Section 5 (Data Subject Rights and Requests). This includes promptly notifying Customer of any such requests received directly by the Processor and providing reasonable measures or tools for Customer to comply with its obligations to respond (e.g., providing the Customer with the ability to search, retrieve, or delete data within the service)[14][15].
  • 3.7 Assistance with Compliance and DPIAs: Taking into account the nature of the Processing and the information available to it, Processor shall provide reasonable cooperation to assist the Customer in fulfilling the Customer’s own obligations under Data Protection Laws. This includes, where applicable, assisting the Customer in conducting data protection impact assessments (DPIAs) and consulting with supervisory authorities, solely in relation to Processor’s Processing of Customer Data and to the extent Customer does not otherwise have access to the relevant information[16]. Processor will also make available to Customer, upon request, information necessary to demonstrate Influencers Club’s compliance with its obligations under this DPA and Data Protection Laws[17]. (See also Section 9 of this DPA regarding audit rights.)
  • 3.8 Personal Data Breach Notification: In the event Processor becomes aware of a Personal Data Breach affecting Customer Data, Processor will notify Customer without undue delay (and within any timeframe required by Data Protection Laws or specifically agreed in Annex 2, if applicable)[18]. Such notification will include all information reasonably available to Processor regarding the nature of the breach, affected data, and any measures taken or proposed to address it, as further described in Section 8 (Personal Data Breach Management). Processor will not delay notification beyond the time required by law, even if full details are not yet known, and will provide supplemental information as it becomes available.
  • 3.9 Return or Deletion Upon Termination: Upon termination or expiration of the Main Agreement, Processor will, at Customer’s choice, return or delete all Customer Personal Data, except to the extent retention of certain data is required by applicable law or permitted for legitimate business needs (in which case Processor will continue to protect that data as required by this DPA). This obligation is further detailed in Section 11 (Deletion or Return of Data) of this DPA.

4. Obligations of the Controller (Customer)

The Customer, as Data Controller, agrees to the following obligations and responsibilities:

  • 4.1 Compliance with Laws: Customer shall ensure that Customer’s use of the Influencers Club services, and all Customer instructions to the Processor regarding Personal Data, are in compliance with all applicable Data Protection Laws[28]. The Customer is responsible for determining that the Processing activities and security measures described in this DPA meet its needs and legal obligations.
  • 4.2 Lawful Basis and Notices: Customer represents and warrants that it has obtained and will maintain all necessary rights, consents, and legal bases for the Processing of Personal Data by Processor as described in this DPA. This includes providing any required privacy notices to Data Subjects and obtaining any necessary consents or authorizations for the collection, use, and transfer of Personal Data to Influencers Club. If Customer relies on an alternative legal basis (other than consent) under Data Protection Laws for certain Processing (e.g., legitimate interests, performance of a contract, etc.), Customer guarantees that such basis is valid and applicable to Processor’s Processing of the Personal Data.
  • 4.3 Data Quality and Minimization: Customer is responsible for the accuracy, quality, and legality of the Personal Data provided to Processor. Customer should only disclose or upload Personal Data that is adequate, relevant, and limited to what is necessary for the specified purposes. Customer will not instruct Processor to Process any Personal Data that is not necessary to achieve the relevant purposes, and will refrain from uploading any sensitive or special-category data unless this has been explicitly agreed to by Processor in advance.
  • 4.4 Instructions to Processor: Customer will only give documented instructions that are consistent with the terms of the Main Agreement and this DPA. If the Customer’s use of the services or instructions to Processor would violate applicable laws, the Customer will promptly address and correct such instruction. Customer shall not use the service to collect or Process Personal Data in a manner that would violate Data Protection Laws (for example, by uploading Personal Data that has been unlawfully obtained, or by using the service to send unsolicited or unlawful communications).
  • 4.5 Customer as Processor for Third-Party Controller: If the Customer itself is a data processor acting on behalf of another organization or end client (i.e. a third-party data controller), the Customer warrants that it is authorized by the relevant data controller(s) to appoint Influencers Club as a Subprocessor and to enter into this DPA on the controller’s behalf. The Customer will ensure it has obtained any necessary permissions from the ultimate controller for use of Influencers Club’s services as a sub-processor. In such cases, the Customer agrees that it will assume the responsibilities of a controller under this DPA as needed to enable Influencers Club’s compliance (for example, by forwarding any relevant instructions from the ultimate controller to Influencers Club).
  • 4.6 Handling Data Subject Requests and Notices: Customer is responsible for handling any Data Subject requests or complaints (e.g., requests for access, correction, deletion) and for making any required disclosures or communications to Data Subjects or regulators concerning the Personal Data. While the Processor will assist as described in this DPA, it remains Customer’s obligation as Controller to determine how to respond to Data Subject requests and to fulfill any requirements to notify regulators or individuals (for example, in the event of a breach), except as otherwise explicitly agreed or required by law. Processor will provide necessary information and support to enable Customer to meet these obligations, as outlined in Sections 3.6, 3.7, and 3.8 above.
  • 4.7 Security Responsibilities of Customer: Customer shall use the services in a manner that enables Processor to maintain appropriate security. For example, Customer will maintain the confidentiality of its account credentials and API keys, utilize the security features provided by the service (such as access controls or two-factor authentication) appropriately, and not introduce any malicious data or code into the platform. Customer is also responsible for reviewing the information made available by Influencers Club about its data security measures and determining for itself whether the services (and those measures) meet Customer’s requirements and obligations under law. Customer acknowledges that, except as provided in this DPA, it is best positioned to assess the risks of its processing of Personal Data and must notify Processor if any of Customer’s use of the service or instructions might require additional security measures.

5. Data Subject Rights and Requests

Data Protection Laws (such as the GDPR and CCPA) grant certain rights to individuals (Data Subjects) over their personal data, including rights to access, correct, or delete their data, or to object to or restrict certain processing. The parties agree to handle Data Subject requests (“DSRs”) as follows:

  • 5.1 Notification of Requests: If Processor receives any request from a Data Subject (for example, a request to access, rectify, or erase Personal Data, or to exercise any right under Data Protection Laws) with respect to Customer Data, Processor will promptly inform the Customer of the request. Processor will not respond directly to the Data Subject unless legally required to do so, or as set out below. Instead, Processor will await and follow Customer’s instructions on how to respond, to the extent permitted by law[15].
  • 5.2 Reasonable Assistance: Taking into account the nature of the Processing and the functionality of the services, Processor will assist the Customer in fulfilling verified Data Subject Requests to exercise their rights under Data Protection Laws[14]. This assistance will be provided to the extent the Customer does not have the ability to address the request independently through use of the service. For example, Influencers Club may provide administrative tools or APIs that allow Customer to retrieve, correct, or delete Personal Data on its own. If such tools are insufficient for a particular request, Customer may request additional assistance from Processor. Processor will make commercially reasonable efforts to help Customer by providing available information about the data, executing necessary actions on Customer’s behalf (e.g. deleting or exporting specific data upon request), and/or otherwise cooperating as reasonably required for Customer to comply with applicable law.
  • 5.3 Timing and Costs: Processor recognizes that Controllers generally must respond to Data Subject requests within deadlines mandated by law (such as one month under the GDPR). Upon Customer’s request, Processor will provide further reasonable cooperation to enable Customer’s timely compliance with such deadlines. If responding to a Data Subject’s request requires Processor to undertake significant additional steps not readily available through the service’s standard functionality, the parties will discuss in good faith an appropriate cost reimbursement (if any) for such assistance. To the extent permitted by law, Processor may charge a reasonable fee for requests that are manifestly unfounded, excessive, or repetitive, or for any additional assistance that is not included in the standard services – but any such fee will be agreed in advance with Customer.
  • 5.4 Restrictions: Processor shall not independently make any decision to honor or deny a Data Subject’s request regarding Customer Data, except as instructed by Customer or as required by applicable law. If Processor is obligated by law to respond directly to a Data Subject (for example, if a law requires Processor to delete data upon a Data Subject’s direct request), Processor will inform Customer of that requirement (unless legally prohibited from doing so) and will limit its response strictly to what is required by law.
  • 5.5 Documentation: Processor will maintain records of Data Subject Requests it receives and how each request is resolved, to the extent necessary to demonstrate compliance. Upon Customer’s request, Processor will provide information about such requests and Processor’s responses, as needed for Customer to fulfill its own record-keeping or regulatory reporting obligations.

6. Subprocessors

The Customer provides the Processor a general authorization to engage Subprocessors (subcontractors) to assist in the Processing of Personal Data under this DPA, subject to the following conditions and procedures:

  • 6.1 Approved Subprocessors: A list of Influencers Club’s current Subprocessors (for example, cloud infrastructure providers, email delivery services, analytics providers, etc.) shall be made available to Customer. This list is provided in Annex 3 of this DPA or otherwise made available to Customer (e.g. via Influencers Club’s website or by written notice). As of the effective date of this DPA, Customer generally authorizes the use of the Subprocessors listed. Typical categories of Subprocessors include infrastructure providers (data center or cloud services), communication and email providers, and other services necessary for delivering the platform’s functionality.
  • 6.2 Subprocessor Obligations: Processor will enter into a written agreement with each Subprocessor imposing data protection obligations that are no less protective than those set forth in this DPA[29], including appropriate data protection and security requirements. Where required by the SCCs or other Data Protection Laws, Processor will also execute the applicable Standard Contractual Clauses (or equivalent transfer safeguards) with Subprocessors to ensure adequate protection for cross-border data transfers. In particular, Influencers Club will impose on Subprocessors the same duty of confidentiality (see Section 3.4) and requirements to implement technical and organizational measures (see Section 3.3 and Annex 2) as apply to Influencers Club under this DPA.
  • 6.3 Notification of New Subprocessors: Processor will inform Customer in advance of any intended changes to the Subprocessor list, by providing notice (via email or via the service/website) at least 10 days prior to authorizing any new Subprocessor to Process Customer Data. This notice will give Customer the opportunity to review the proposed Subprocessor and raise any reasonable objections. The notice will include the name of the Subprocessor and the nature of the Processing it will perform. In urgent cases where a new Subprocessor is needed to maintain service continuity (e.g. an emergency replacement), Processor will notify Customer as soon as practicable.
  • 6.4 Customer Objection Rights: If Customer has a legitimate, material reason to object to the use of a new Subprocessor (for example, if adding the Subprocessor would cause Customer to violate applicable Data Protection Laws), Customer must notify Processor in writing within the 10-day notice period. The parties will then discuss the objection in good faith with the aim of finding a mutually acceptable resolution. Processor may choose to: (a) refrain from using the proposed Subprocessor for Customer’s Personal Data, or (b) take reasonable steps to address Customer’s concerns (for example, by imposing additional safeguards or limitations on the Subprocessor’s handling of Customer Data). If neither of those options is feasible and Processor intends to proceed with using the Subprocessor, Customer may as a final resort terminate the Main Agreement (or the affected services) by providing written notice within a reasonable period. In such case, Processor will refund any prepaid fees covering the remainder of the term for the terminated services (unless otherwise provided in the Main Agreement). If Customer does not object within the notice period, the new Subprocessor will be deemed accepted.
  • 6.5 Liability for Subprocessors: Influencers Club remains fully liable to the Customer for the performance of any Subprocessor with respect to that Subprocessor’s Processing of Customer Data. Any breach of this DPA caused by a Subprocessor will be deemed a breach by Influencers Club, and Influencers Club will be responsible for taking appropriate remedial actions to cure the breach. However, nothing in this section relieves a Subprocessor of its own direct responsibilities or liabilities under Data Protection Laws. (For example, major cloud providers that act as Subprocessors might be considered independent “data processors” under certain laws in some respects; nonetheless, Influencers Club will ensure they meet the obligations required of Subprocessors under this DPA.)
  • 6.6 Subprocessors as Service Providers (CCPA): If the California Consumer Privacy Act (as amended) applies, Influencers Club will ensure that any Subprocessor it engages qualifies as a “service provider” or “contractor” under that law. Influencers Club will include terms in its contracts with Subprocessors prohibiting the Subprocessor from selling or sharing Personal Data, or from retaining, using, or disclosing it for any purpose other than the specific business purposes of providing the services to Customer[9][10]. In other words, each Subprocessor will be held to the same restrictions regarding Personal Data that apply to Influencers Club itself under Section 3.2 of this DPA.
  • 6.7 International Subprocessors: If Influencers Club intends to engage a Subprocessor in a country that does not provide an “adequate” level of data protection (as determined under applicable Data Protection Laws), Influencers Club will ensure that lawful transfer mechanisms are in place for any Personal Data that the Subprocessor will Process (as described in Section 10 on Data Transfers). Typically, this means Influencers Club will sign the appropriate module of the Standard Contractual Clauses with the Subprocessor (with Influencers Club acting as data exporter on Customer’s behalf and the Subprocessor as data importer). By signing this DPA, Customer authorizes and instructs Influencers Club to enter into such SCCs with Subprocessors as agent on Customer’s behalf where required.

In summary, Influencers Club may use carefully selected third parties to help provide its services. Influencers Club will give Customer transparency into its Subprocessors and advance notice of changes, and will ensure all Subprocessors are contractually bound to protect Customer’s Personal Data to the same standard required of Influencers Club. The Customer retains the right to reasonably object to changes in Subprocessors and, if necessary, to discontinue using the service (with a refund for any unused prepaid fees) if an acceptable resolution cannot be reached.

7. Security Measures

Influencers Club maintains a comprehensive information security program with technical and organizational measures (TOMs) to safeguard Personal Data. These measures are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of Influencers Club’s processing systems and services. Annex 2 – Technical and Organizational Security Measures provides a detailed list of the specific security controls in place. The following is a summary of key security measures and practices (as also outlined in Section 3.3 above):

  • Access Control: Access to Customer Data is strictly controlled. Influencers Club employs role-based access controls and the principle of least privilege, ensuring that only authorized personnel who need access to Personal Data to perform their job duties have such access. Administrative access to systems processing Personal Data requires strong authentication (e.g., multi-factor authentication) and all such access is logged.
  • Encryption: All Personal Data in transit between Customer (or its users) and Influencers Club’s platform is encrypted using HTTPS/TLS with up-to-date protocols and strong cipher suites. Data at rest in databases and storage is encrypted (e.g., using AES-256). Encryption keys are managed securely. Email notifications from the platform that contain Personal Data are encrypted in transit where supported (e.g., via STARTTLS), or otherwise limited to minimal content.
  • Network Security: Influencers Club’s hosting infrastructure is protected by network security measures including firewalls, intrusion detection systems, and network segmentation. The infrastructure is monitored for vulnerabilities and attacks. Internal service-to-service communications occur over secure, encrypted channels or within private networks not exposed to the internet. Regular vulnerability scans and security audits are conducted to identify and address potential weaknesses.
  • Physical Security: Personal Data is processed in secure data centers with robust physical security controls (security personnel, CCTV, badge or biometric access, etc.). Only authorized data center staff can access the facilities. Influencers Club’s office environments (where applicable) are also secured by access control systems and visitor logs.
  • Monitoring & Logging: Systems that process Personal Data generate logs of key events (such as data access, modifications, or system configuration changes). These logs are stored in a tamper-resistant manner and are regularly reviewed. Automated alerts notify the security team of suspicious events. Influencers Club’s security team has defined incident response plans to handle any security incidents swiftly (see Section 8).
  • Business Continuity & Backup: Influencers Club’s systems employ redundant architecture and regular backups to ensure data availability and rapid recovery in case of an outage or data loss incident. Backup data is encrypted and stored securely. Restoration procedures are tested periodically. Influencers Club maintains disaster recovery and business continuity plans.
  • Employee Training & Policies: Influencers Club personnel are trained on data protection and security practices upon hiring and through regular refreshers. Employees must follow internal security policies (such as appropriate use of devices and data, clean desk policy, etc.). Compliance with these policies is enforced, and violations can result in disciplinary action.

(The above is a high-level summary; see Annex 2 for full details of technical and organizational measures. Influencers Club will maintain at least the measures described and will update them as needed to adapt to evolving security risks. Processor will not materially decrease the security measures during the term of the Main Agreement.)

8. Personal Data Breach Management

(Note: Personal Data Breaches are addressed generally as part of the Processor’s obligations in Section 3.8. This Section 8 provides additional procedures and details for clarity.)

  • 8.1 Breach Detection: Influencers Club maintains measures to detect and respond to security incidents, including potential Personal Data Breaches. This includes the monitoring and logging systems described in Section 7 (Security Measures), which are designed to provide prompt awareness of anomalous activities or unauthorized access to Personal Data. Influencers Club’s security team is on-call to investigate alerts of any such incidents.
  • 8.2 Breach Notification to Customer: If Influencers Club becomes aware of a confirmed Personal Data Breach that affects Customer’s Personal Data, it will notify the Customer without undue delay (and no later than 72 hours after confirming that a breach has occurred, to the extent feasible)[30][19]. “Becoming aware” of a breach means that Influencers Club has a reasonable degree of certainty that a security incident has occurred which has led to Personal Data being compromised. Notification will be made to Customer’s designated security or privacy contact (e.g., via email or phone, or through the agreed security incident portal) and will include, to the extent known at the time: a description of the nature of the breach, the categories and approximate volume of data and Data Subjects affected, the likely consequences of the breach, and the measures taken or proposed by Influencers Club to address the breach (including, as appropriate, measures to mitigate its possible adverse effects). Where it is not possible to provide full details in the initial notice, Influencers Club will provide supplemental information to Customer as it becomes available.
  • 8.3 Updates and Collaboration: Influencers Club will investigate the Personal Data Breach and will provide timely updates to Customer with more details as they become available. Processor will work diligently to identify the root cause of the breach and take steps to remediate it. Customer agrees to reasonably cooperate with Influencers Club’s efforts by providing any available information that may assist in the investigation and mitigation of the breach.
  • 8.4 Regulatory and Data Subject Communication: The Customer (as Controller) has the primary responsibility for determining whether to notify any supervisory authorities and/or affected Data Subjects of a Personal Data Breach, and for making any required notifications or communications. Influencers Club will not communicate with any regulator or Data Subject regarding a breach involving Customer Data without Customer’s prior consent, unless required by law. If Influencers Club is legally required to notify a regulator (such as a data protection authority) of a breach, it will inform Customer and coordinate such notification, unless prohibited by law. The parties will consult with each other about any press releases or public statements related to a breach, to ensure accurate and coordinated communication.
  • 8.5 No Acknowledgment of Fault: The parties agree that any breach notification provided by Influencers Club to Customer shall not be construed as an acknowledgment by Influencers Club of any fault or liability for the incident. The cause of a security incident may be outside of Influencers Club’s control or otherwise not due to negligence by Influencers Club. Any such determination will be subject to legal and forensic investigation.
  • 8.6 Customer Cooperation: Customer agrees that, in the event of a Personal Data Breach, it will also notify Influencers Club without undue delay if Customer becomes aware of any breach or suspected breach that might involve the Influencers Club services (for example, if Customer discovers that an unauthorized person accessed Customer’s Influencers Club account or API key). Timely notice by Customer can help both parties respond effectively. Customer will cooperate in good faith with Influencers Club to investigate and remediate any such incident, and to fulfill any legal obligations that may arise (such as notifying affected individuals or authorities).

(Both Influencers Club and Customer will cooperate in good faith in the event of a Personal Data Breach to contain and minimize its impact and to fulfill all legal requirements for breach handling.)

9. Audits and Compliance Verification

  • 9.1 Information and Documentation: Influencers Club will make available to Customer all information reasonably necessary to demonstrate Influencers Club’s compliance with this DPA and its obligations under applicable Data Protection Laws. This obligation includes providing responses to security and privacy questionnaires, audit reports or certifications to the extent they exist (subject to Section 9.3 below), and other documentation regarding Influencers Club’s data protection practices, upon Customer’s reasonable request.
  • 9.2 Audit Rights: To the extent required by Data Protection Laws (including Article 28 of the GDPR), and in any event upon reasonable request by Customer, Influencers Club shall allow for and contribute to audits or inspections of its processing facilities and procedures that are relevant to Customer Data. Customer (or its mandated third-party auditor that is not a competitor of Influencers Club and is bound by appropriate confidentiality) may perform such an audit no more than once per year, except if required more frequently by a competent supervisory authority or in case of a significant data security incident. Customer must provide at least 30 days’ prior written notice of its intent to audit, and will conduct the audit in a manner that minimizes disruption to Influencers Club’s business. Any on-site audit shall be conducted during regular business hours and in accordance with Influencers Club’s applicable workplace security policies. Customer shall be responsible for its costs and expenses of any audit. Influencers Club will reasonably cooperate with the audit by providing access to relevant knowledgeable personnel and documentation. Before the commencement of any on-site audit, the parties shall mutually agree upon the scope and timing of the audit.
  • 9.3 Confidentiality of Audit Findings: Customer shall use the information obtained during an audit (including any reports or records) only for the purpose of assessing Influencers Club’s compliance with this DPA and fulfilling Customer’s own legal obligations. Customer shall treat such information as confidential and shall not disclose it to any third party, except to the extent required by law or to a regulator. Influencers Club may require Customer’s auditor or representative to sign a customary nondisclosure agreement prior to the audit.

For clarity, nothing in this Section 9 limits any audit or inspection rights that Customer or a data protection authority may have under the Standard Contractual Clauses or other applicable Data Protection Laws. The parties agree that, where the SCCs apply, Customer will exercise any audit rights thereunder as described above (to avoid duplication).

10. International Data Transfers

Influencers Club is a global service provider, and Customer Personal Data may be transferred to or accessed in countries outside of the country in which it was originally collected. All such cross-border transfers of Personal Data will be conducted in compliance with Data Protection Laws governing international data transfers, as follows:

  • 10.1 Locations of Processing: Influencers Club may Process Customer Data in any country in which Influencers Club or its Subprocessors maintain facilities, subject to the restrictions of this Section 10. This typically includes the United States (where Influencers Club may have operations or infrastructure) and other countries as needed to provide global availability and redundancy of the services (for example, data centers in the European Union for EU customers, and other jurisdictions as disclosed to Customer). Influencers Club will inform Customer of the specific countries or regions where Customer’s Personal Data is stored or processed, either in the Main Agreement, in a provided document, or upon request.
  • 10.2 Adequacy and Authorized Transfers: For transfers of Personal Data from the European Economic Area (EEA), Switzerland, or the United Kingdom to Influencers Club in a country that is not deemed by the respective authorities to provide an “adequate” level of data protection, the parties agree to rely on approved transfer mechanisms to legitimize the transfer[33]. By entering into this DPA, the parties are deemed to be simultaneously entering into the relevant Standard Contractual Clauses (SCCs) (Controller-to-Processor) to cover such transfers, as follows:
  • EU Standard Contractual Clauses: The SCCs promulgated by EU Commission Decision 2021/914 (Module 2, Controller-to-Processor) are incorporated by reference. For the purposes of the SCCs: Customer is the “data exporter” and Influencers Club is the “data importer.” Annex I of the SCCs (List of Parties and Description of Transfer) is set forth in Annex 1 of this DPA; Annex II of the SCCs (Security Measures) is set forth in Annex 2 of this DPA; the optional Docking Clause 7 is enabled to allow additional parties to join; for Clause 9(a) (Use of Subprocessors) the option “General Written Authorization” applies and the initial list of Subprocessors and notification mechanism are set forth in Section 6 and Annex 3 of this DPA; for Clause 17 (Governing law), the parties select the law of the EU Member State in which the data exporter is established (and if such law does not allow third-party beneficiary rights, then the law of Germany); for Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the data exporter’s Member State.
  • UK Transfers: Insofar as any Customer Personal Data is subject to UK Data Protection Law (UK GDPR) and is transferred from the UK to a country not deemed “adequate” by the UK authorities, the EU SCCs (Module 2) as incorporated above shall also apply to such transfers, as modified and interpreted by the UK “International Data Transfer Addendum” (template Addendum B.1.0 issued under Section 119A of the UK Data Protection Act 2018). The parties agree that the information required for the Addendum’s Part 1 Tables is provided by the details of this DPA and the incorporated SCCs (e.g., Table 1: Parties as per Annex 1; Table 2: Selected SCCs are Module 2 as set out above; Table 3: List of parties, description of transfer, and security measures as per Annexes 1 and 2; Table 4: Exporter is the Customer and Importer is Influencers Club). The parties further agree that the UK Addendum shall be interpreted to give full effect to the SCCs incorporated between Customer and Influencers Club. If the UK Addendum is updated or replaced by the UK authorities, the parties will work together in good faith to adapt this DPA accordingly.
  • Switzerland Transfers: Insofar as any Customer Personal Data is subject to the Swiss Federal Act on Data Protection (FADP) and is transferred from Switzerland to a country not deemed to provide an adequate level of protection by Swiss authorities, the above EU SCCs (Module 2) are also adopted with the following modifications: the terms “Member State” and “Supervisory Authority” in the SCCs shall be interpreted to include Switzerland and the Swiss Federal Data Protection and Information Commissioner (FDPIC); references to the “GDPR” in the SCCs shall be understood as references to the FADP or Swiss law, as applicable; for Clause 17 (Governing law), the parties select the law of Switzerland insofar as it relates to data protection (unless the parties agree to select the law of an EU Member State that permits third-party beneficiary rights); for Clause 18 (Jurisdiction), the parties agree that disputes shall be resolved by the courts of Switzerland. If the data exporter (Customer) is not established in an EU/EEA Member State, the parties agree, for the SCCs’ purposes, to select the law and courts of the Netherlands to govern Clauses 17 and 18 (solely to ensure the SCCs have effect, as a fallback).

Both parties agree to abide by the obligations and rights set forth in the SCCs. If at any time the European Commission, UK authorities, or Swiss authorities approve an alternative data transfer mechanism (or issue updated SCCs/Addenda) that would govern the transfers under this DPA, the parties will work together in good faith to implement such mechanism or updates as needed to ensure continued compliance.

  • 10.3 Additional Transfer Safeguards: The Processor represents that it has taken and will continue to take additional steps to ensure that Personal Data transferred under the SCCs (or other transfer mechanisms) is protected in line with European standards. This includes carefully evaluating any applicable laws of the destination country that might allow government or law enforcement access to personal data without equivalent safeguards, and implementing supplementary technical and organizational measures as needed (such as strong encryption in transit and at rest, strict access controls, and transparency reporting). Influencers Club will also, to the extent possible, challenge or oppose any legally binding request for disclosure of Customer Personal Data from a law enforcement or government authority that conflicts with the SCCs or applicable data protection law, and will promptly notify Customer of any such request (unless legally prohibited from doing so).
  • 10.4 Other Transfer Mechanisms: In addition to or in lieu of SCCs (where permitted by law), Processor may rely on other recognized compliance measures for international transfers. For example, if binding corporate rules (BCRs) approved under Article 47 GDPR or an appropriate statutory exemption under GDPR Article 49 applies to a specific transfer, those mechanisms may be utilized to facilitate lawful transfers. Processor shall inform Customer of the transfer mechanism it relies on for a given cross-border transfer if not the SCCs. If a court or regulator determines that the agreed transfer mechanism (e.g., SCCs) is insufficient to lawfully transfer Personal Data, the parties will work together in good faith to promptly suspend the affected transfers or implement appropriate alternative measures to ensure compliance.
  • 10.5 Data Localization (if applicable): If Customer is subject to any law or regulation that requires Personal Data to remain within a certain territory or jurisdiction, Customer must inform Influencers Club in writing. Influencers Club will make reasonable efforts to accommodate such requirements (for example, by offering EU-based data hosting for an EU Customer). However, unless a specific written agreement for data localization is in place, Customer acknowledges that use of a cloud-based, globally accessible service inherently involves some cross-border data flows (e.g., global content delivery networks, support personnel accessing data remotely for troubleshooting), and consents to such Processing as long as it is performed in accordance with this DPA and the applicable Data Protection Laws.

11. Deletion or Return of Data

As detailed below and as referenced in Section 3.9, upon termination or expiration of the Main Agreement, Influencers Club will, at Customer’s election, return or delete Customer Personal Data. Specifically:

  • 11.1 Deletion Process: If Customer opts for deletion of data (which shall be the default if Customer does not request return of data within a reasonable time after termination), Influencers Club will systematically delete or irreversibly anonymize all Customer Personal Data in its systems. Deletion will cover all production systems and backups, within a reasonable timeframe in accordance with Influencers Club’s standard backup retention schedule. Personal Data will be securely erased using industry-standard methods. Influencers Club shall provide confirmation of deletion upon Customer’s request.
  • 11.2 Return Process: If Customer opts to have Personal Data returned instead of deleted, Influencers Club will provide Customer with a complete copy of the Customer Personal Data in a common machine-readable format (for example, a CSV or JSON export, database backup, or another format as agreed) within a reasonable time after termination. After providing the data export to Customer, Influencers Club will then delete the data from its systems (per 11.1). Any costs associated with a specialized data export (beyond a standard format) will be agreed upon by the parties.
  • 11.3 Limited Retention for Legal Purposes: Notwithstanding the above, Influencers Club is permitted to retain copies of Personal Data after termination to the limited extent required by applicable law, regulation, or legitimate business needs. Examples include: retention of accounting records containing Personal Data (for tax or audit purposes), retention of system logs and security records for breach analysis, or data retained in archival backups that are impractical to isolate. Any retained data will remain subject to the confidentiality and security obligations of this DPA, and will not be actively processed except for such required purposes.
  • 11.4 Suspension for Litigation Hold: If Customer notifies Influencers Club that Customer needs the Personal Data to be preserved (for example, due to a litigation hold or an ongoing legal matter), Influencers Club will suspend deletion of the data upon such notice and maintain the data for an agreed period. Customer must reasonably cooperate in specifying the scope and duration of the required preservation. During this preservation period, the data will continue to be protected under the terms of this DPA.
  • 11.5 Confirmation of Completion: If Customer does not provide any instruction post-termination regarding data return or deletion, Influencers Club will attempt to contact Customer’s administrative contact to confirm the desired action. If no response is received within a reasonable time, Influencers Club will proceed with deletion of the data as per Section 11.1. Upon Customer’s request, Influencers Club will confirm in writing that deletion or return (as applicable) has been completed. Any minimal data that may be retained as per Section 11.3 will be disclosed upon request.

(During the term of the Main Agreement, Customer may also delete certain data at any time through the platform’s functionality, in which case that data will be removed from active systems promptly. Some limited metadata or records may persist in backups or logs for a longer period as described in this Section 11.)

12. Miscellaneous Provisions

  • 12.1 Data Protection Officer: Where required by Data Protection Laws, Influencers Club has appointed a Data Protection Officer (DPO) or an equivalent privacy official. The DPO (or privacy contact) can be reached at legal@influencers.club.
  • 12.2 Liability: Each party’s liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement. In no event shall either party’s aggregate liability under this DPA exceed the limitations specified in the Main Agreement. No terms of this DPA shall be construed to limit liability of either party in a manner that is not permitted by applicable law.
  • 12.3 Order of Precedence: In the event of any conflict or inconsistency between this DPA and the Main Agreement, the terms of this DPA shall prevail with regard to the parties’ data protection obligations. In case of conflict between this DPA and any Standard Contractual Clauses or other data transfer addendum incorporated pursuant to Section 10, the terms of the Standard Contractual Clauses or such transfer addendum will prevail (insofar as they apply to the protected transfers).
  • 12.4 Amendments: If changes in Data Protection Laws or regulations, or the issuance of new or updated Standard Contractual Clauses or other transfer mechanisms, necessitate changes to this DPA, the parties agree to negotiate in good faith to amend this DPA as needed to ensure continued compliance. Any amendments shall be in writing and signed by both parties (unless a change in law automatically amends the DPA).
  • 12.5 Governing Law: This DPA shall be governed by and interpreted in accordance with the governing law specified in the Main Agreement, except to the extent that applicable Standard Contractual Clauses or other international transfer addenda require otherwise. For clarity, if and to the extent the SCCs apply, the governing law specified in the SCCs (as set forth in Section 10.2) will govern the SCCs.
  • 12.6 Jurisdiction: Any disputes arising from or in connection with this DPA will be subject to the jurisdictional terms of the Main Agreement, unless otherwise required by applicable Standard Contractual Clauses or other mandatory provisions of Data Protection Law. In such case, jurisdiction shall be determined in accordance with those mandatory terms.
  • 12.7 Severability: If any provision of this DPA is found to be invalid or unenforceable by a competent court or regulatory authority, the remainder of this DPA shall remain in full force and effect. The parties shall discuss in good faith any necessary amendments to replace the invalid or unenforceable provision with a valid provision that reflects the original intent as closely as possible.
  • 12.8 Entire Agreement; No Waiver: This DPA (including its Annexes and any attached schedules, which form an integral part of it) constitutes the parties’ entire agreement with respect to its subject matter (the Processing of Personal Data in connection with the services). It supersedes any prior or contemporaneous agreements or representations on that subject. No waiver of any breach of this DPA will be effective unless made in writing. The failure of either party to enforce any provision of this DPA shall not constitute a waiver of that provision or of any other provision.
  • 12.9 Execution of DPA: The execution of this DPA may be carried out by electronic signature or other agreed means. This DPA may be incorporated into the Main Agreement by reference. If the Main Agreement has been executed in writing (or electronically), the parties may execute this DPA in a similar manner or evidence their acceptance by other legally sufficient means. This DPA is effective as of the Effective Date of the Main Agreement, or as of the date of the parties’ latest signature below (if this DPA is executed separately).
  • 12.10 Third-Party Beneficiaries: Except as expressly provided in Section 10 (with respect to certain rights granted to Data Subjects as third-party beneficiaries of the SCCs or similar transfer clauses), there are no third-party beneficiaries to this DPA. This DPA is intended to govern the rights and obligations between the Processor and Customer only, and does not grant any rights to any other person.
  • 12.11 Relationship with Privacy Policy: This DPA is distinct from Influencers Club’s public Privacy Policy. The Privacy Policy governs how Influencers Club processes personal data as a data controller in the context of its own business (for example, data about visitors to Influencers Club’s website or marketing contacts), whereas this DPA governs how Influencers Club processes Personal Data on behalf of Customer as part of providing the services. In the event of any overlap, this DPA (as between the parties) will control with regard to Customer Data.

End of Data Processing Addendum

This DPA is hereby agreed to and incorporated into the Main Agreement by reference. Each party’s authorized representative has duly agreed to the terms of this DPA as of the effective date of the Main Agreement, or as of the date of the parties’ latest signature below (if this DPA is executed separately).

Customer: _______   (Name, Title, Date)
Influencers Club: _______   (Name, Title, Date)

Annex 1 – Details of Processing (Specification for SCCs)

This Annex forms part of the DPA and summarizes the details of Processing of Customer Personal Data as required by Article 28 GDPR and relevant clauses of the Standard Contractual Clauses.

Data Exporter (Controller): The Customer, as identified in the Main Agreement (and any authorized affiliates who use the services under that agreement). The data exporter’s contact information and the nature of its relevant business are as set out in the Main Agreement or the Customer’s account details. The Customer’s use of the services involves uploading or making Personal Data available to Influencers Club’s platform in order to manage and analyze information about social media influencers and to conduct outreach communications, which necessitates the transfer of certain Personal Data to Influencers Club for processing.

Data Importer (Processor): Influencers Club (OneMore InfluencersClub OÜ, a company registered in Estonia, or the relevant affiliate entity providing the services). Contact: legal@influencers.club. Influencers Club processes the data only as needed to provide, secure, and improve the contracted services as described in the DPA and Main Agreement.

Subject Matter of Processing: The subject matter of the Processing is the provision of Influencers Club’s influencer discovery, data enrichment, and outreach services to Customer. This involves Processing Personal Data under Customer’s control for the specific purpose of enabling Customer to find information on social media creators, enrich data (e.g., find emails or profile details for known usernames), and manage outreach campaigns on the platform.

Duration of Processing: For the duration of the Main Agreement and any applicable post-termination retention period as specified by the agreement or law. In general, Customer Personal Data will be Processed until the Main Agreement is terminated and all Personal Data is deleted or returned, in accordance with Section 11 of the DPA. (Certain data may have shorter retention periods if deleted by Customer during the term, as those deletions propagate to Influencers Club’s systems within a short period.)

Nature of Processing: Collection, storage, organization, retrieval, analysis, and other use of Personal Data within the Influencers Club platform on behalf of Customer. The Processing may include automated indexing of public social media profiles, matching or enrichment of data (adding contact details or profile info to records provided by Customer), sending communications (emails or messages) as initiated by Customer through the platform, and generating analytics or reports for Customer’s use. Data may be transmitted between data centers for redundancy and may be shared with authorized Subprocessors who provide infrastructure and support services, under the terms of the DPA.

Purpose of Processing: To fulfill the services and activities as set out in the Main Agreement, which include: helping the Customer discover and research social media influencers or creators worldwide; enriching the Customer’s existing lists of influencer identities with additional information (such as contact details or follower metrics); facilitating Customer’s communications with those influencers (e.g., via an email outreach tool within the platform); and providing analytics and insights related to influencer marketing campaigns. All Processing by Influencers Club is directed toward these business purposes initiated by Customer.

Categories of Personal Data: As provided by Customer and described in Section 2 of the DPA. The typical categories of Personal Data processed may include:
  – Identification Data: Names, social media usernames/handles, profile images or avatars.
  – Contact Data: Email addresses, phone numbers or other contact information (if provided by Customer or obtained at Customer’s direction for outreach purposes).
  – Public Profile Data: Information from influencers’ public social media profiles (such as follower counts, engagement metrics, content categories, location (city/country), demographics inferred from profiles).
  – Communication Data: Content and metadata of communications sent through the platform (e.g., emails to influencers), which may include Personal Data about the recipients (such as name, email address, and any personal details included in message text).
  – Technical Data: IP addresses, device/browser information, and usage logs relating to how Customer’s authorized users interact with the platform (collected for security, monitoring, and audit logging purposes).
  – User-Provided Data: Any other Personal Data that Customer chooses to input into the platform, such as free-form notes about influencers, tags or labels, campaign data, or file attachments.
(The service is not intended to Process special categories of personal data or highly sensitive information such as government IDs, financial information, health or biometric data, etc., and Customer should avoid uploading any such data. Influencers Club does not intentionally collect or use any sensitive personal data in providing the services.)

Categories of Data Subjects:
  – Social media content creators, influencers, or similar individuals whose information is researched or managed by Customer via the service (these individuals are often public figures on social platforms, but the data processed may still be personal data about them).
  – Individuals who are recipients of outreach communications sent by Customer through the platform (which could include the above influencers or other business contacts relevant to Customer’s marketing campaigns).
  – Customer’s own personnel who are users of the platform (limited to their work contact details and usage/activity logs on the platform).
  – Any other individuals whose personal data is incidentally included in Customer Data (e.g., persons mentioned in correspondence or included in a contact list uploaded by Customer). Customer should minimize any such incidental data.

Special Categories of Data: The services are not designed to Process special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation). The DPA prohibits Customer from intentionally uploading such sensitive data. Influencers Club does not need or seek any special-category data for providing the service. In the unlikely event any special-category data is processed, it would be only as an incidental inclusion by Customer, and not by design.

Frequency of Transfer: Continuous or on-demand, as determined by Customer’s use of the services. Personal Data is transferred to Influencers Club when Customer initially inputs or uploads it to the platform, and thereafter as needed (for example, when Customer triggers an enrichment function or sends an outreach message, relevant data is processed through Influencers Club’s systems and Subprocessors).

Retention Period: Influencers Club will retain Personal Data for the duration of the Main Agreement. After termination, Personal Data will be returned or deleted as described in Section 11 of the DPA. Certain data may be retained in minimal form for a longer period if required for legal, compliance, or backup purposes (per Section 11.3 of the DPA).

Competent Supervisory Authority: For the purposes of the SCCs, the competent supervisory authority will be determined as follows: (i) if Customer is established in an EU Member State, the supervisory authority of that Member State shall act as competent authority; (ii) if Customer is not established in the EEA but has appointed an EU representative, the supervisory authority of the Member State where the representative is located; (iii) if the above do not apply, then the Data Protection Commission of Ireland (or such authority as agreed by the parties).

Contact Points:
Customer: As specified in the Main Agreement or Customer’s account (Customer should ensure a current contact email for privacy/security notices is on file).
Influencers Club: legal@influencers.club (or see DPO contact in Section 12.1).

(The above details are intended to satisfy Annex I requirements of the EU SCCs and similar provisions of other transfer frameworks.)

Annex 2 – Technical and Organizational Security Measures

(This Annex corresponds to Annex II of the EU SCCs, detailing the specific measures in place to ensure the security of data. Influencers Club will maintain at least the measures listed here and will update them as needed to enhance security.)

  1. Access Control – Systems and Physical Access:
    – Personal Data is hosted in secure cloud data centers with robust physical security controls (on-site security personnel, CCTV surveillance, badge or biometric access systems, etc.). Only authorized data center staff can enter the facilities.
    – Influencers Club’s office premises (to the extent any Personal Data might be accessible there) are secured by controlled access (e.g., key card entry), and visitor access is logged and supervised.
    – Within systems, unique user IDs are assigned to each employee or service account that needs access to Customer Data. Access rights are granted based on role and follow the principle of least privilege. Privilege escalation is tightly controlled and logged.
    – Administrative access to production environments requires multi-factor authentication and is limited to a small number of engineers with an operational need. All such access is logged (recording user, time, and activity) and logs are monitored. Unused or unnecessary access rights are promptly revoked. Regular reviews (at least quarterly) of user and administrator access permissions are conducted.
  2. Data Access Control (Authorization):
    – Application-level controls ensure that each Customer’s data is logically segregated so that one customer cannot access another customer’s data. This is achieved through separate databases or robust tenant isolation in multi-tenant systems.
    – Influencers Club employees’ access to Customer Data is restricted strictly to those with a need to know (e.g., support or engineers investigating a specific issue, and even then only with Customer’s permission whenever feasible). Any temporary access for support purposes is time-limited and revoked once the issue is resolved.
    – Systems enforce strong password policies (requiring minimum length and complexity) for both Customer user accounts and internal employee accounts. All production system passwords or secrets are stored in encrypted form. Where possible, single sign-on (SSO) and/or MFA are utilized for internal administrative systems.
    – Session management in the platform uses secure tokens with appropriate expiration times. Idle user sessions time out after a defined period to reduce the risk of unauthorized use.
  3. Transmission Control:
    – All data in transit between the Customer’s systems (or users) and Influencers Club’s platform is encrypted using HTTPS/TLS with up-to-date protocols (TLS 1.2 or higher) and strong cipher suites. The TLS configuration is regularly reviewed against industry best practices (e.g., maintaining Perfect Forward Secrecy, using trusted certificates).
    – Internal service-to-service communication within Influencers Club’s cloud environment also occurs over encrypted channels or via private secure networks not exposed to the public internet.
    – If any transfer of data occurs via physical media or portable devices (generally avoided), such media are encrypted and sent via secure courier or similar protected means. Influencers Club policies forbid copying Customer Personal Data to unencrypted portable storage.
    – Email notifications or system-generated emails from the platform (if they contain any Personal Data) are transmitted using encryption when possible (e.g., STARTTLS for SMTP). If the recipient’s mail server does not support encryption, only minimal necessary Personal Data is included in the email content.
  4. Input Control (Logging and Traceability):
    – Influencers Club maintains detailed logs of data modifications and accesses within the system. For example, when Customer Data records are added, modified, or deleted through the application, the system logs the timestamp, the user/account that performed the action, and what was changed. These logs are available to Customer via the application or upon request, as appropriate.
    – Administrative actions on systems (such as database queries executed by support staff or configuration changes by engineers) are recorded in secure audit logs with details of the user, action, and time. These logs are stored in append-only or otherwise tamper-resistant storage and are regularly reviewed for anomalies.
    – The platform may also log usage metrics and API calls for security analytics and to trace issues. Sensitive values (like passwords or API keys) are never logged in plaintext.
    – Upon request, Influencers Club can provide records of processing activities and/or relevant log excerpts to assist Customer in demonstrating compliance or investigating security events.
  5. Job/Process Control (Instructional Control):
    – Influencers Club personnel process Customer Personal Data only in accordance with documented instructions from Customer, as defined in internal policies reflecting this DPA. New projects or use cases involving Customer Personal Data undergo a review to ensure they align with the agreed purposes and instructions.
    – All employees are trained that they must not use Personal Data for anything other than the specific task at hand in service of the Customer. Disciplinary measures are in place for violations of data use policies.
    – If Influencers Club receives conflicting instructions or requests related to Personal Data (for example, a law enforcement request that has not come through Customer), there are procedures to handle such scenarios (e.g., escalate to legal counsel, attempt to have the requesting party redirect the request to Customer) to ensure no processing outside Customer’s authority occurs unless legally compelled.
  6. Availability Control:
    – Influencers Club’s infrastructure is designed with redundancy and fault tolerance to ensure high availability of the services. Servers are deployed in a clustered architecture, and critical systems have failover support across multiple availability zones or data centers.
    – Regular data backups are performed for critical data (including Customer Personal Data). Backups are encrypted and stored in geographically separate locations to support disaster recovery.
    – Disaster recovery and business continuity plans exist and are tested. The objectives for recovery time (RTO) and recovery point (RPO) are defined based on the service level commitments in the Main Agreement, and the architecture is built to meet those objectives under typical disaster scenarios.
  7. Separation Control:
    – Influencers Club ensures that data collected for different purposes can be processed separately. In multi-tenant environments, robust logical separation prevents data mix-up. Development and testing environments are segregated from production, and no live Personal Data is used in development or test environments unless absolutely necessary and with equivalent protections in place (and typically only with Customer permission for troubleshooting).
    – Where subprocessors are used, data shared with them is limited to what is necessary for their function, and contracts ensure they keep data separate from data they process for their other clients.
  8. Audit and Compliance Measures:
    – Influencers Club conducts regular internal and external assessments of its security controls. This includes periodic vulnerability scanning and at least annual penetration testing by independent experts. Results are evaluated and remediated based on severity.
    – The security program is aligned with industry standards and frameworks (such as OWASP Top 10 for web application security and the Cloud Security Alliance controls). Compliance with relevant best practices is continuously pursued.
    – Influencers Club’s security team provides management with reports on security posture and issues. Any significant incidents or identified vulnerabilities are reviewed by senior management, and appropriate actions are taken.
    – Upon Customer’s request (and subject to reasonable confidentiality constraints), Influencers Club may provide high-level summaries of independent audit findings or certifications (if available) to give assurance of its security posture.

(The measures listed in this Annex 2 reflect Influencers Club’s current controls. Influencers Club is committed to maintaining these measures and will update or augment them as needed to adapt to new security challenges. Customer may request more detailed information about specific measures as needed to comply with Customer’s own obligations.)

Annex 3 – Authorized Subprocessors

The following third-party Subprocessors are currently authorized to Process Personal Data on behalf of Influencers Club for the delivery of services to Customer. All Subprocessors are bound by written agreements requiring them to implement data protection measures equivalent to those in this DPA, including compliance with applicable international transfer safeguards:

  • Amazon Web Services (AWS): Cloud infrastructure provider hosting the main application, databases, and storage.
    Location: EU (Frankfurt) primary data center, with backups and certain global services in US (N. Virginia).
    Safeguards: EU SCCs (Module 2, Controller-to-Processor) in place for any EU->US transfers. AWS is a widely certified cloud provider (e.g., multiple ISO certifications) and maintains robust security controls in its data centers. Customer data in AWS is encrypted in transit and at rest.
  • Twilio SendGrid: Email delivery service used to send outreach emails and platform notifications on Customer’s behalf.
    Location: USA (with global infrastructure).
    Safeguards: SCCs (Module 2) in place for EEA/UK data. Twilio SendGrid contractually commits to GDPR compliance and qualifies as a “Service Provider” under CCPA. Data (email content and recipient addresses) is used solely for delivering Customer’s communications.
  • Google Cloud Platform (GCP): Cloud infrastructure for specific platform components (e.g., data analytics, additional storage or compute services for certain features).
    Location: EU (Belgium) and US (Iowa) data centers, used in a geo-redundant configuration.
    Safeguards: SCCs (Module 2) executed for EEA/UK data. Google maintains high security standards and numerous certifications. Data entrusted to GCP services is encrypted at rest and in transit.
  • MongoDB Atlas: Managed NoSQL database service, hosting certain data collections (for example, cached influencer profile information for fast lookup).
    Location: EU (Ireland) primary database, with backup storage in EU and US regions.
    Safeguards: SCCs in place for any international data flow. MongoDB Atlas employs strong encryption in transit and at rest and has robust security controls. Data stored in this service is limited to what is needed for caching and performance, not primary records.
  • Cloudflare, Inc.: Content Delivery Network and security provider (caching of static content, DDoS protection, DNS management).
    Location: Global edge network (with data centers worldwide; Customer traffic is served from the nearest location).
    Safeguards: Cloudflare’s services involve minimal Personal Data (primarily IP addresses and basic device geo-information for users accessing the platform). Cloudflare’s DPA incorporates the EU SCCs for data transfers. Cloudflare is certified under ISO 27701 and participates in the EU-U.S. Data Privacy Framework, indicating its adherence to high privacy standards.
  • Zendesk, Inc.: Customer support ticketing platform used by Influencers Club’s support team.
    Location: USA (with option for EU data centers; currently using US region for support data).
    Safeguards: SCCs in place for EU/UK data. Support ticket data (which may include names and emails of Customer’s users and any Personal Data they provide in their support requests) is kept separate from production systems and is used solely for providing support to the Customer. Zendesk contractually commits to GDPR compliance and provides appropriate technical measures to protect support data.

(Note: The above is an illustrative list of key subprocessors. Influencers Club will update this list as needed in accordance with Section 6 of the DPA. If Influencers Club adds or replaces any Subprocessor, it will provide advance notice to Customer as described in Section 6.3.)

For any questions or to request the most up-to-date list of Subprocessors, Customer can contact legal@influencers.club. Influencers Club will also endeavor to provide notice of any changes to this list in accordance with Section 6.3 of the DPA.