This Data Processing Addendum (“DPA”) is an agreement between OneMore InfluencersClub OÜ, a company registered in Estonia, registry code 16123472, registered address Tartu mnt 67/1-13b, Kesklinna linnaosa, 10115 Tallinn, Estonia (“Influencers Club” or “Processor”), and each business customer (“Customer” or “Controller”) that uses the Influencers Club platform or services under the Terms of Service or a master agreement (the “Main Agreement”). This DPA reflects the parties’ obligations regarding the Processing of Personal Data in compliance with applicable privacy laws. By using Influencers Club’s services, the Customer agrees to the terms of this DPA, which is incorporated into and forms part of the Main Agreement. In case of any conflict between this DPA and the Main Agreement on matters of data protection, this DPA prevails. If Standard Contractual Clauses apply, they prevail over both this DPA and the Main Agreement.

1. Scope of this DPA — what it does and does not cover

1.1 Processor role (covered by this DPA). This DPA applies where Influencers Club Processes Customer Data — that is, Personal Data that the Customer provides, uploads, or makes available to the services (for example: contact lists, campaign data, CRM notes, outreach content, account user data) — on the Customer’s behalf and on its documented instructions.

1.2 Independent controller activities (not covered by this DPA). This DPA does not apply to Processing activities for which an Influencers Club group company acts as an independent controller. In particular, the database of creator profiles compiled from publicly available sources is maintained by Influencers Club DOO (North Macedonia) as an independent data controller, as described in the Privacy Policy and the Creator Privacy Notice. When the Customer retrieves Creator Data through the services, the Customer becomes an independent controller of that data and is responsible for its own compliance with Data Protection Laws, including lawful basis, transparency, and electronic marketing rules. Neither party Processes Creator Data on behalf of the other.

2. Definitions

“Personal Data” means any information relating to an identified or identifiable individual that is protected as personal data, personal information, or similar under Data Protection Laws.

“Processing“ (and ”Process”) means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, use, disclosure, erasure, or destruction.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For this DPA, the Customer is the Controller of Customer Data.

“Processor” means the entity that Processes Personal Data on behalf of the Controller. For this DPA, OneMore InfluencersClub OÜ is the Processor of Customer Data.

“Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, and the Processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (GDPR) and national implementing laws, the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Customer Data” means any Personal Data that the Customer provides or makes available to the Processor for Processing under the Main Agreement. Customer Data does not include Creator Data made available by Influencers Club to the Customer.

“Creator Data” has the meaning given in the Main Agreement.

“Subprocessor” means any third party (including any Influencers Club affiliate) engaged by the Processor to assist in Processing Customer Data on behalf of the Customer.

“Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data transmitted or stored by the Processor or its Subprocessors. This does not include unsuccessful or insignificant incidents that do not compromise the security of Personal Data.

“Standard Contractual Clauses“ or ”SCCs” means the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914 for transfers of personal data to third countries, as amended or replaced from time to time.

3. Details of Processing

• Roles of the parties: For Customer Data, the Customer acts as Controller and Influencers Club acts as Processor on the Customer’s behalf.
• Subject matter and duration: The Processing consists of the performance of the services and related technical support as described in the Main Agreement, for the duration of the Main Agreement.
• Nature and purpose: Influencers Club will Process Customer Data solely to: (a) provide, maintain, and support the platform and services; (b) carry out the Customer’s documented instructions; and (c) comply with applicable law.
• Types of Personal Data: identification and contact information; professional or public profile information; communications data; technical usage data; and any other Personal Data the Customer uploads or inputs into the service.
• Categories of Data Subjects: individuals whose data the Customer uploads or inputs, including creator or influencer individuals, outreach recipients, the Customer’s personnel and authorized users, and other incidental third parties.

4. Obligations of the Processor

4.1 Compliance with instructions. Processor will Process Customer Data only on documented instructions from the Customer (including this DPA and the Main Agreement), unless required otherwise by applicable law — in which case Processor will inform the Customer of that legal requirement before Processing, unless the law prohibits doing so. Processor will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

4.2 No secondary use or sale. Processor shall not “sell” or “share” Customer Data (as those terms are defined in the CCPA) and shall not Process Customer Data for any purpose other than those specified in this DPA.

4.3 Security measures. Processor will implement and maintain appropriate technical and organizational measures as described in Annex 2, covering access controls, encryption, network and system security, monitoring and logging, organizational and personnel security, reliability and backup, testing and assessment, and vendor management.

4.4 Confidentiality. Processor will ensure that all persons authorized to Process Customer Data are bound by appropriate confidentiality obligations.

4.5 Subprocessors. Processor may engage Subprocessors only in accordance with Section 7.

4.6 Assistance with Data Subject rights. Taking into account the nature of the Processing, Processor will assist the Customer with appropriate technical and organizational measures in responding to Data Subject requests under Data Protection Laws.

4.7 Assistance with compliance and DPIAs. Processor will provide reasonable cooperation and information to assist the Customer with data protection impact assessments, prior consultations with supervisory authorities, and other compliance obligations under Articles 32–36 GDPR.

4.8 Breach notification. In the event of a Personal Data Breach affecting Customer Data, Processor will notify the Customer without undue delay and, where feasible, no later than 48 hours after becoming aware of it. The notification will describe, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate possible adverse effects.

4.9 Return or deletion on termination. Upon termination or expiry of the Main Agreement, Processor will, at the Customer’s choice, delete or return all Customer Data, and delete existing copies, except where applicable law requires retention (Section 12).

4.10 Records. Processor will maintain records of its Processing activities on behalf of the Customer as required by Article 30(2) GDPR.

5. Obligations of the Controller

5.1 Compliance with laws. Customer shall comply with all applicable Data Protection Laws in its use of the services and its instructions to Processor.

5.2 Lawful basis and notices. Customer represents that it has obtained all rights, consents, and legal bases necessary for Processor to Process Customer Data as contemplated by the Main Agreement and this DPA, and that it has provided any required notices to Data Subjects.

5.3 Data quality and minimization. Customer is responsible for the accuracy, quality, and legality of Customer Data and the means by which it was acquired.

5.4 Instructions. Customer will only issue documented instructions that are lawful and consistent with the Main Agreement and this DPA.

5.5 Customer as processor for a third-party controller. Where Customer acts as a processor for a third-party controller, Customer warrants that it is authorized to engage Influencers Club as a subprocessor and that its instructions reflect the third-party controller’s instructions.

5.6 Data Subject requests. As between the parties, Customer is responsible for responding to Data Subject requests and complaints relating to Customer Data.

5.7 Security responsibilities. Customer shall configure and use the services in a manner consistent with appropriate security, including managing its users, credentials, and API keys.

6. Data Subject rights and requests

6.1 Notification. Processor will promptly inform the Customer of any Data Subject request it receives that relates to Customer Data, and will not respond to it directly except as instructed by the Customer or required by law.

6.2 Assistance. Processor will provide reasonable assistance to enable the Customer to respond to verified Data Subject requests within the timeframes required by Data Protection Laws.

6.3 Documentation. Processor will keep records of Data Subject requests it receives that relate to Customer Data and of the assistance provided.

7. Subprocessors

7.1 General authorization; current list. Customer provides general written authorization for Processor to engage Subprocessors. The current list of Subprocessors — including each Subprocessor’s name, location, function, and transfer mechanism — is published at https://influencers.club/subprocessors/ and is incorporated into this DPA by reference.

7.2 Notice of changes. Processor will update the published list and notify subscribed Customers at least 14 days before authorizing any new Subprocessor to Process Customer Data. Customers can subscribe to change notifications as described on the Subprocessor List page.

7.3 Objection right. Customer may object on reasonable data-protection grounds to a new Subprocessor within the notice period. The parties will work in good faith to resolve the objection (including by Processor offering an alternative); if no resolution is reached, Customer may terminate the affected services and receive a pro-rata refund of prepaid fees for the unused period.

7.4 Subprocessor obligations. Processor will enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those in this DPA, to the extent applicable to the services the Subprocessor provides.

7.5 Liability. Processor remains fully liable to the Customer for the performance of its Subprocessors’ obligations.

8. Security

Processor maintains the technical and organizational measures set out in Annex 2. Processor may update those measures from time to time, provided the updates do not materially reduce the overall level of protection.

9. Audits and compliance verification

9.1 Information. Processor will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including security documentation and, where available, summaries of third-party audit reports.

9.2 Audits. Customer may conduct an audit (itself or through an independent auditor bound by confidentiality) no more than once per year, on at least 30 days’ written notice, during business hours, and without unreasonable disruption to Processor’s operations. Where a recognized third-party audit report or certification covers the scope of the request, the parties agree it satisfies the audit right to that extent.

9.3 Confidentiality. All information obtained through audits is Confidential Information under the Main Agreement.

10. International data transfers

10.1 Locations. Customer Data is hosted in the European Union. Processor may Process Customer Data in other countries where it or its Subprocessors maintain facilities, subject to this Section.

10.2 Transfer mechanisms. Where Processing involves a transfer of Customer Data from the EEA to a country without an adequacy decision, the parties (or Processor and the relevant Subprocessor) rely on the Standard Contractual Clauses (Implementing Decision (EU) 2021/914), with Module Two (controller-to-processor) or Module Three (processor-to-processor) as applicable, which are incorporated by reference. For transfers subject to UK law, the UK International Data Transfer Addendum issued by the UK Information Commissioner applies; for Swiss law, the SCCs as adapted by the FDPIC’s requirements apply.

10.3 Supplementary measures. Processor implements supplementary technical and organizational measures supporting transferred data, including encryption in transit and at rest, access controls and least-privilege policies, data minimization, and a documented policy of reviewing and challenging government access requests that lack a valid legal basis.

11. Personal Data Breach management

11.1 Detection. Processor maintains measures designed to detect, assess, and respond to security incidents.

11.2 Notification. As set out in Section 4.8, Processor notifies the Customer without undue delay and, where feasible, no later than 48 hours after becoming aware of a Personal Data Breach affecting Customer Data.

11.3 Cooperation. Processor will investigate the breach, take reasonable steps to mitigate its effects, and provide the Customer with timely updates.

11.4 Regulatory communications. As between the parties, the Customer is responsible for notifications to supervisory authorities and Data Subjects concerning Customer Data, and Processor will provide reasonable assistance.

11.5 No acknowledgment of fault. A breach notification is not an acknowledgment of fault or liability.

12. Deletion or return of data

12.1 Upon termination or expiry of the Main Agreement, Processor will, at the Customer’s choice, delete or return all Customer Data within 30 days, and delete remaining copies from live systems; residual copies in encrypted backups are deleted in the ordinary course of backup rotation.

12.2 Processor may retain Customer Data only to the extent required by applicable law, for the period required, and protected by the terms of this DPA.

13. Miscellaneous

13.1 Privacy contact. privacy@influencers.club (data protection inquiries); legal@influencers.club (contractual matters).

13.2 Liability. The parties’ liability under this DPA is subject to the limitations and exclusions set out in the Main Agreement.

13.3 Order of precedence. This DPA prevails over the Main Agreement with respect to data protection obligations; the SCCs prevail over this DPA where they apply.

13.4 Amendments. The parties will negotiate in good faith any amendments required by changes in Data Protection Laws.

13.5 Governing law and jurisdiction. This DPA is governed by the law and subject to the jurisdiction specified in the Main Agreement, except where the SCCs require otherwise.

Annex 1 — Details of Processing

• Data exporter (Controller): the Customer, as identified in the Main Agreement.
• Data importer (Processor): OneMore InfluencersClub OÜ. Contact: privacy@influencers.club.
• Subject matter: provision of creator discovery, data enrichment, and outreach services.
• Categories of Personal Data: identification data, contact data, public profile data, communications data, technical data, user-provided data.
• Categories of Data Subjects: creator/influencer individuals whose data the Customer uploads, outreach recipients, the Customer’s personnel, incidental third parties.
• Frequency: continuous, for the duration of the Main Agreement.
• Retention: as set out in Section 12.

Annex 2 — Technical and Organizational Security Measures

• Access control: role-based access, multi-factor authentication, least privilege, quarterly access reviews.
• Data access control: logical tenant isolation, strict need-to-know access, strong password policies, session management.
• Transmission control: HTTPS/TLS 1.2+, encrypted internal communications, no unencrypted portable storage.
• Input control: detailed audit logs, tamper-resistant log storage, no plaintext secrets in logs.
• Job/process control: Processing only per documented instructions, employee training, escalation procedures.
• Availability control: redundant architecture, encrypted backups, disaster recovery plans.
• Separation control: logical multi-tenant separation, no live data in development/test environments.
• Audit and compliance: regular vulnerability scanning, annual penetration testing, management reporting.

Annex 3 — Authorized Subprocessors

The authorized Subprocessor list, including each provider’s location, function, and transfer mechanism, is maintained at https://influencers.club/subprocessors/ and is incorporated into this DPA by reference. Changes are notified in accordance with Section 7.