Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between the business customer ("Controller") and Xblanc Sp. z o.o. ("Processor") and forms part of the Terms of Service. It applies where the Controller uses GliminTor OS to process personal data of third parties — the Controller's own customers, contacts, or audience members. This DPA does not apply to GliminTor's processing of the Controller's own account data, which is governed by the Privacy Policy.

"Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Supervisory Authority" have the meanings in GDPR (EU) 2016/679. "Controller Data" means personal data submitted by the Controller to the Service. "Sub-processor" means any third party engaged by the Processor to process Controller Data.

Field Details Subject matter Processing of personal data through GliminTor OS features including unified inbox, contact database, Outreach, auto-engage, and analytics Duration Duration of the Controller's subscription plus applicable retention periods Nature Storage, retrieval, transmission, analysis, and deletion of Controller Data Purpose To provide the GliminTor OS Service as contracted Types of personal data Contact information, social identifiers, message content, engagement data, and any other data submitted by the Controller Categories of data subjects The Controller's customers, subscribers, followers, inbox contacts, and Outreach recipients

A current list of sub-processors is published at glimintor.com/legal/subprocessors. At least 30 days advance notice is provided of material changes. The Controller may object to a new sub-processor within the notice period on reasonable data protection grounds.

The Processor implements the following measures appropriate to the risk: • Encryption of data in transit using TLS 1.2 or higher • Encryption of data at rest for database and file storage • Role-based access controls limiting data access to authorised personnel • Multi-factor authentication for administrative access • Regular security assessments and vulnerability management • Logical workspace isolation preventing cross-customer data access These measures are subject to periodic review and update. Material changes will be communicated to Controllers.

## 6.1 Processing on Instructions The Processor processes Controller Data only on the Controller's documented instructions. The Controller's use of the Service constitutes documented instructions for the processing described in this DPA. The Processor will promptly inform the Controller if an instruction would infringe applicable data protection law. ## 6.2 Confidentiality Persons authorised to process Controller Data are subject to appropriate confidentiality obligations. ## 6.3 Sub-processors Sub-processors are engaged under written agreements imposing data protection obligations equivalent to this DPA. The Processor remains liable to the Controller for the performance of sub-processors. ## 6.4 Data Subject Rights Assistance The Processor provides reasonable technical assistance to help the Controller respond to data subject requests. The Controller is responsible for handling requests and communicating with data subjects. ## 6.5 Security Incident Notification In the event of a personal data breach affecting Controller Data, the Processor notifies the Controller without undue delay after becoming aware of the breach. Notification will include available information about the nature, scope, likely consequences, and measures taken or proposed to address the breach and mitigate its effects. ## 6.6 DPIA Assistance The Processor provides reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations where required. ## 6.7 Deletion and Return On termination of the subscription or written request, the Processor deletes all Controller Data unless applicable law requires continued storage. The Processor certifies deletion in writing upon request. ## 6.8 Audit Rights The Processor makes available information necessary to demonstrate compliance and contributes to audits and inspections by the Controller or authorised auditor on reasonable written notice and at the Controller's cost.

The Controller represents that it has a lawful basis for all Controller Data submitted to the Service, has provided required notices to data subjects, and complies with applicable data protection law in its use of the Service.

Where Controller Data is transferred outside the EEA, transfers are made under Standard Contractual Clauses (SCCs, European Commission, June 2021), Module 2 (Controller-to-Processor). Details are at glimintor.com/legal/subprocessors. The Processor will execute additional transfer addenda with Controllers who require them under applicable law.

This DPA is governed by Polish law and the GDPR. Disputes are resolved per the Terms of Service dispute resolution provisions.

DPA and data protection enquiries: [email protected] Registered address: Xblanc Sp. z o.o., ul. Henryka Sienkiewicza 22, 60-818 PoznaĹ„, Poland