Data Processing Addendum (DPA)
Poznań, Poland
Document Information
GliminTor OS Data Processing Addendum (DPA)
GDPR Article 28 Agreement — Customer (Controller) and Xblanc (Processor)
Processor: XBLANC SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Registered office: ul. Henryka Sienkiewicza 22, 60-818 Poznań, Poland
KRS / NIP / REGON: 0001206396 / 7812100149 / 543298631
Privacy contact: [email protected]
Effective date: April 2026
*v3.0 — April 2026*
*This DPA governs processing of personal data that the Customer (controller) instructs Xblanc (processor) to process using GliminTor OS. Incorporated by reference into the Terms of Service.*
1. Definitions
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Special Category Data", and "Supervisory Authority" have meanings given in GDPR (Regulation (EU) 2016/679).
2. Subject Matter and Nature of Processing
Xblanc processes personal data solely to provide GliminTor OS as described in the Terms of Service, including: AI operations via OpenRouter, fal.ai, and ElevenLabs; social platform publishing and messaging; Contacts/CRM management; Auto-Engage automated responses; Broadcast outreach messaging; Live Studio multi-platform streaming; CRM integrations; brand intelligence (workspace-isolated pgvector embeddings); and analytics and reporting.
3. Categories of Personal Data Processed
Account identifiers: Names, email addresses, platform usernames, organisation details.
Contacts/CRM data: Audience member records including names, emails, platform handles, scores, and tags.
Broadcast data: Message content, delivery logs, opt-out records, consent timestamps.
Auto-Engage data: Incoming comments and DMs processed for AI response generation.
Zoom Studio data: Meeting metadata, participant data, streaming activity logs.
Usage and analytics data: Feature usage patterns, credit consumption, session data.
Content data: Text, images, and video uploaded or generated through the Service.
4. Customer's Obligations as Controller
The Customer confirms it has a lawful basis for instructing Xblanc to process personal data; has provided required transparency notices to data subjects; and will not instruct Xblanc to process special-category data without appropriate safeguards. For Broadcast, the Customer confirms it holds valid consent records for all message recipients.
5. Xblanc's Obligations as Processor
Xblanc shall: (a) process data only on Customer's documented instructions; (b) ensure personnel are bound by confidentiality obligations; (c) implement appropriate technical and organisational security measures; (d) assist with data subject requests, DPIAs, and breach notifications; (e) delete or return data upon termination.
6. Sub-Processors
General authorisation granted for the following sub-processors. Xblanc will provide 14 days' notice of material changes:
Railway (US): Infrastructure hosting — PostgreSQL, Redis, API, Worker.
Clerk (US): Identity and access management.
Stripe (US): Payment processing and billing.
Cloudflare (US): CDN, DDoS protection, R2 object storage.
OpenRouter (US): AI model routing (LLM text operations).
fal.ai (US): Image generation (all plans); video generation (all paid tiers via Kling and Seedance).
Zoom Video Communications (US): Live meeting hosting and live stream relay for Zoom Studio.
Resend (US): Transactional and marketing email delivery.
Transfers outside the EEA are covered by Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914.
7. Security Measures
Minimum measures: TLS 1.2+ encryption in transit and at rest; access controls and least-privilege; audit logging; vulnerability management; incident response procedures; regular security reviews.
8. Personal Data Breaches
Xblanc will notify the Customer within 72 hours of becoming aware of a breach affecting Customer data, including information required by GDPR Article 33(3) to the extent available.
9. Data Subject Requests
Xblanc will notify the Customer of any data subject requests received and assist in fulfilling GDPR Chapter III obligations through reasonable technical and organisational measures.
10. Audit Rights
On 30 days' written notice, no more than once per year, the Customer may audit Xblanc's processing activities. Auditor must sign a confidentiality agreement. Audit costs borne by Customer unless a Xblanc breach is identified.
11. Governing Law
This DPA is governed by Polish law and applicable EU law. Disputes: courts of Poznań, Poland.
12. Contact
Data protection: [email protected]
