Data Processing Addendum

GDPR Article 28 terms that apply when Ares Online S.R.L., trading as Shadow Pages, processes personal data on a business customer's behalf.

Last updated: 11 May 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service (the “Agreement”) between Ares Online S.R.L., a Romanian limited liability company (societate cu răspundere limitată) trading as Shadow Pages, with registered address [ROMANIAN REGISTERED ADDRESS] and Trade Register / CUI [CUI / TRADE REGISTER NO.] (“Shadow Pages,” “Processor”), and the business customer that has accepted the Agreement (“Customer,” “Controller”).

It applies to the extent Shadow Pages processes Personal Data on behalf of Customer in connection with the Services. To execute this DPA, email a signed copy to legal@shadowpages.ai; alternatively, your acceptance of the Agreement constitutes acceptance of this DPA. For the relationship between Shadow Pages and its own data subjects, see our Privacy Policy.

1. Definitions

Capitalised terms not defined here have the meanings in the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, or the Agreement. “Personal Data,” “Processing,” “Controller,” “Processor,” “Sub-Processor,” “Data Subject,” and “Supervisory Authority” have the meanings given to them in the GDPR. “Applicable Data Protection Law” means the EU GDPR, the Romanian implementing Law no. 190/2018, the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (revFADP), and any other data-protection law applicable to the parties’ Processing under this DPA.

2. Roles of the parties

For Personal Data submitted by Customer or its end users through the Services (“Customer Personal Data”), Customer is the Controller and Shadow Pages is the Processor. Where Shadow Pages independently determines the means and purposes of Processing (e.g., account administration of the Customer’s own users, billing of the Customer, analytics of its own service), Shadow Pages acts as Controller and the Processing is governed by our Privacy Policy.

3. Subject matter, duration, nature & purpose

  • Subject matter: Processing of Customer Personal Data necessary to provide the Services described in the Agreement.
  • Duration: the term of the Agreement plus any period during which Shadow Pages retains Customer Personal Data in line with this DPA.
  • Nature and purpose: hosting, processing, storage, transmission, AI inference, analytics, and related operations carried out to deliver the Services.

4. Types of personal data & categories of data subjects

Types of Personal Data: identification and contact data; account credentials; professional information; payment metadata (no full card numbers); content of communications; usage and technical data; AI inputs and outputs that may contain Personal Data submitted by Customer.

Categories of Data Subjects: Customer’s personnel, contractors, end users, audience members, leads, and any other individuals whose Personal Data Customer submits via the Services.

5. Processor obligations (Art. 28(3) GDPR)

  • Process Customer Personal Data only on documented instructions from Customer, including the Agreement, this DPA, and lawful written instructions. Shadow Pages will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
  • Ensure that personnel authorised to Process Customer Personal Data are bound by written confidentiality obligations or statutory duty of confidentiality.
  • Implement and maintain the security measures set out in Annex II.
  • Engage Sub-Processors only on the terms in Section 7.
  • Provide reasonable assistance to Customer in fulfilling Data Subject requests (Art. 12–23 GDPR), DPIAs and prior consultations (Art. 35–36 GDPR), and security obligations (Art. 32–34 GDPR), taking into account the nature of the Processing and the information available.
  • At Customer’s choice, delete or return Customer Personal Data on termination of the Services and delete existing copies unless retention is required by law.
  • Make available to Customer the information necessary to demonstrate compliance with Art. 28 GDPR, and allow for audits as described in Section 8.

6. Security measures & breach notification

Shadow Pages will maintain the technical and organisational measures described in Annex II, designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of natural persons.

Shadow Pages will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of becoming aware, in line with Article 33 GDPR. Notifications will describe, to the extent known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address it. We will further cooperate with Customer’s reasonable requests for additional information.

7. Sub-Processors

Customer grants Shadow Pages a general written authorisation (Art. 28(2) GDPR) to engage Sub-Processors to deliver the Services. The current list is set out in Annex III.

Sub-Processor change notification mechanism. Shadow Pages will: (i) impose data-protection obligations on each Sub-Processor by written contract that are no less protective than those in this DPA; (ii) remain liable to Customer for the acts and omissions of its Sub-Processors as for its own; (iii) provide Customer with at least 30 days’ prior written notice of the addition or replacement of a Sub-Processor by email to the Customer’s registered billing or admin contact (a posting on a public sub-processor page does not satisfy this notice on its own). The notice will identify the new Sub-Processor, the categories of Personal Data involved, the processing location, and the relevant transfer mechanism.

Right to object. Customer may object on reasonable data-protection grounds within that 30-day notice period by emailing legal@shadowpages.ai. The parties will work in good faith to resolve the objection, including by Shadow Pages proposing an alternative Sub-Processor or additional safeguards. If the objection cannot be resolved within 30 days, Customer may, as its sole and exclusive remedy, terminate the affected Services on written notice and receive a pro-rata refund of pre-paid Subscription Fees for the unused portion of the Subscription Term.

8. Audits

Audit reports first. Shadow Pages will make available, on written request and subject to confidentiality undertakings, summaries of its most recent third-party audits and security certifications. In most cases, these will satisfy Customer’s audit rights under Article 28(3)(h) GDPR.

On-site / direct audit rights. Where Applicable Data Protection Law requires more, Customer (or an independent auditor agreed by the parties, not a competitor of Shadow Pages) may conduct an audit subject to the following conditions:

  • Frequency: no more than once per 12-month period, except where a prior audit identified a material non-compliance or where a supervisory authority mandates a follow-up.
  • Notice: at least 30 days’ prior written notice.
  • Timing: during normal business hours, on a schedule agreed by the parties, in a manner that does not disrupt Shadow Pages’ operations or compromise the security of other customers’ data.
  • Confidentiality: the auditor and Customer personnel must sign a mutually acceptable non-disclosure agreement before access.
  • Costs: each party bears its own internal costs; the direct external costs of an on-site audit are split equally between the parties as is standard in the industry, unless the audit identifies a material breach by Shadow Pages of this DPA, in which case Shadow Pages will bear those direct costs.
  • Scope: limited to information reasonably necessary to verify Shadow Pages’ compliance with this DPA.

Supervisory-authority-mandated audits are not subject to the frequency or notice limitations above.

9. International transfers (SCCs / UK Addendum / Swiss FADP)

Where Processing involves the transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the parties agree to incorporate by reference:

  • The European Commission’s Standard Contractual Clauses (Decision 2021/914), Module Two (Controller-to-Processor), with Customer as “data exporter” and Shadow Pages as “data importer,” including the optional docking clause; Clause 7 (governing law) elected as Romania; Clause 18 (forum) elected as Romania;
  • The UK Information Commissioner’s International Data Transfer Addendum (Version B1.0) (“UK Addendum”) for transfers subject to the UK GDPR; and
  • For transfers subject to the Swiss FADP, the SCCs apply with the following adaptations: (a) references to the GDPR are read as references to the FADP; (b) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC); (c) the term “Member State” is read to include Switzerland so that data subjects in Switzerland may bring claims in Switzerland.

Annexes I, II and III to this DPA serve as the corresponding annexes to the SCCs and UK Addendum.

10. Data subject requests

Where Shadow Pages receives a request from a Data Subject in relation to Customer Personal Data, it will, without undue delay, inform Customer and will not respond directly except on Customer’s instructions or as required by law. Shadow Pages will provide reasonable technical and organisational assistance to enable Customer to respond.

11. Deletion or return

On termination of the Services, Shadow Pages will, at Customer’s written direction within 30 days, delete or return Customer Personal Data and delete existing copies, unless applicable law requires further storage. Routine backups will expire on standard cycles and remain protected by this DPA until expiry.

12. Liability & precedence

Each party’s liability under this DPA is subject to the limitations of liability in the Agreement. In the event of a conflict, this DPA prevails over the Agreement on data-protection matters; the SCCs prevail over both for the transfers they govern.


Annex I — Details of processing

A. List of parties.

  • Data exporter: Customer, as identified in the Agreement.
  • Data importer: Ares Online S.R.L., trading as Shadow Pages, [ROMANIAN REGISTERED ADDRESS], CUI [CUI / TRADE REGISTER NO.], contact legal@shadowpages.ai.

B. Description of transfer.

  • Categories of Data Subjects: as set out in Section 4.
  • Categories of Personal Data: as set out in Section 4.
  • Special categories of data: none expected; Customer must not submit special-category data without prior written agreement.
  • Frequency: continuous, for the duration of the Services.
  • Nature and purpose: provision of the Services under the Agreement.
  • Retention: as set out in this DPA and the Privacy Policy.

C. Competent supervisory authority: the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) for EU SCC transfers; the UK Information Commissioner’s Office (ICO) for the UK Addendum; the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers subject to the Swiss FADP.

Annex II — Technical and organisational measures

  • Encryption in transit: TLS 1.2+ on all public endpoints; HSTS enforced; modern cipher suites only.
  • Encryption at rest: AES-256 for production databases, object storage, and backups; managed-KMS key custody.
  • Pseudonymisation: where compatible with the purpose of Processing, identifiers are pseudonymised in analytics and AI inference logs.
  • Access controls: role-based access (RBAC), least privilege, quarterly access reviews, automatic deprovisioning on personnel offboarding.
  • Authentication: mandatory multi-factor authentication for all staff with access to production systems and admin tooling; SSO with hardware-key support for privileged accounts where available.
  • Network security: environment segmentation, default-deny firewalls, edge DDoS protection through the hosting provider, automated intrusion detection.
  • Logging & monitoring: centralised audit logging, alerting on anomalous activity, log retention aligned with the Privacy Policy and Romanian record-keeping law.
  • Vulnerability management: dependency monitoring, automated security advisories, periodic patching, and third-party penetration testing on a risk-based cadence.
  • Personnel: background checks where lawful, security and privacy training on hire and annually, written confidentiality undertakings, signed acceptable-use policy.
  • Vendor management: data-protection due diligence on Sub-Processors, written contracts incorporating Article 28 obligations and SCCs where relevant.
  • Incident response: documented IR plan, on-call rotation, tabletop exercises, post-incident review, 72-hour breach notification under Section 6.
  • Business continuity: automated backups with tested restore procedures, redundant infrastructure across cloud-provider regions, documented RPO/RTO targets.
  • Data minimisation: we collect only what is needed and apply retention limits set out in the Privacy Policy.
  • Deletion: documented deletion workflows triggered on Customer instruction, contract termination, or statutory expiry of retention periods.

Annex III — Approved sub-processors

  • Vercel Inc. — hosting and edge delivery (United States). Transfer mechanism: SCCs Module Two.
  • Calendly LLC — scheduling (United States). Transfer mechanism: SCCs.
  • Google LLC / Google Ireland Ltd. — Workspace email and Google Analytics 4 (United States / EU). Transfer mechanism: SCCs.
  • [PAYMENT_PROCESSOR] — payment processing, billing, fraud prevention, tax compliance. Transfer mechanism: SCCs where applicable.
  • OpenAI / OpenAI Ireland Ltd. — large-language-model inference for in-product AI features. No-training contractual terms; transfer mechanism: SCCs.
  • Anthropic PBC — large-language-model inference for in-product AI features. No-training contractual terms; transfer mechanism: SCCs.
  • Customer support / CRM tooling — ticket handling and lifecycle communications. Current vendor list available on request.

Contact

For DPA requests, signed copies, or sub-processor change notifications, email legal@shadowpages.ai.