Data Processing Agreement
v1.1
This Data Processing Agreement ("DPA") is incorporated by reference into and forms part of the Master Services Agreement between Swyft, Inc. and the Client. It governs the processing of Personal Data by Swyft on behalf of Client in connection with the Swyft platform and services.
Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Swyft on behalf of Client in connection with the Services.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Processor" means an entity that processes Personal Data on behalf of the Controller.
- "Subprocessor" means any Processor engaged by Swyft to assist in fulfilling its obligations that involves the processing of Personal Data.
- "Aggregated Usage Data" means data derived from Client's use of the Services that has been de-identified and aggregated such that it cannot reasonably be used to identify any individual.
- "Applicable Privacy Laws" means the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, GDPR, and any other applicable data protection laws.
- "Security Incident" means any confirmed unauthorized access to, disclosure of, or destruction of Personal Data that compromises its confidentiality, integrity, or availability.
Roles & Responsibilities
2.1 Controller and Processor. As between the parties, Client is the Controller of Personal Data submitted to the Services, and Swyft is the Processor, processing Personal Data solely on Client's behalf and pursuant to Client's documented instructions.
2.2 Aggregated Usage Data. Notwithstanding the above, Swyft may act as an independent Controller with respect to Aggregated Usage Data. Such data does not constitute Personal Data and is not subject to the obligations of this DPA.
2.3 Client's Obligations. Client represents and warrants that it has the legal authority to submit Personal Data to the Services, has provided all required notices and obtained all required consents, and that its instructions comply with Applicable Privacy Laws.
2.4 Processing Instructions. Swyft will process Personal Data only in accordance with Client's documented instructions. If Swyft believes an instruction infringes Applicable Privacy Laws, it will promptly notify Client.
Processing Restrictions
Swyft agrees that it will not:
- Sell or share Personal Data. Swyft will not sell, rent, or disclose Personal Data to any third party for monetary consideration or for cross-context behavioral advertising purposes.
- Use for unauthorized purposes. Swyft will not retain, use, or disclose Personal Data for any purpose other than providing the Services, except as permitted by Client's instructions or required by law.
- Combine data across clients. Swyft will not combine Personal Data received from Client with Personal Data received from other clients, except as permitted by Applicable Privacy Laws.
- Train general-purpose AI models. Swyft will not use Client's Personal Data to train, improve, or fine-tune general-purpose AI or machine learning models.
3.1 Personnel Confidentiality. Swyft will ensure all personnel authorized to process Personal Data are subject to binding confidentiality obligations and receive appropriate privacy and security training.
Subprocessors
4.1 Authorization. Client authorizes Swyft to engage Subprocessors to assist in providing the Services, subject to the requirements of this Section.
4.2 Notice of Changes. Swyft will provide at least 30 days' prior written notice before engaging any new Subprocessor or making material changes to existing Subprocessor arrangements.
4.3 Objection Rights. Client may object in writing within 30 days if it reasonably believes a new Subprocessor would cause Swyft to breach this DPA. Swyft will work in good faith to address the objection. If unresolved, either party may terminate the affected Services upon 30 days' written notice without penalty.
4.4 Subprocessor Obligations. Swyft will impose data protection obligations on each Subprocessor no less protective than those in this DPA. Swyft remains liable for the acts and omissions of its Subprocessors.
Security Measures
Swyft will implement and maintain appropriate technical and organizational security measures to protect Personal Data, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls with role-based permissions, least-privilege principles, and multi-factor authentication.
- Vulnerability management including regular scanning, penetration testing, and a responsible disclosure program.
- Audit logging of all access to Personal Data with tamper-resistant audit trails.
- SOC 2 Type II certification in progress. Upon certification, summary reports will be available under NDA upon written request.
- Physical security via U.S.-based data centers with 24/7 monitoring and redundant infrastructure.
Incident Response
6.1 Notification. Upon becoming aware of a confirmed Security Incident affecting Personal Data, Swyft will notify Client without undue delay and within 72 hours of confirmation. Notification will be sent to Client's designated security contact by email.
6.2 Notification Content. Swyft's notice will include: a description of the incident and categories of data affected; the name and contact details of Swyft's data protection contact; likely consequences of the incident; and measures taken or proposed to address it.
6.3 Cooperation. Swyft will cooperate fully with Client in investigating the Security Incident, notifying affected Data Subjects where required, and responding to regulatory inquiries.
Data Subject Rights
7.1 Assistance. Swyft will provide Client with reasonable technical and organizational assistance to fulfill Client's obligations to respond to Data Subject requests exercising rights under Applicable Privacy Laws, including access, correction, deletion, portability, restriction, and objection.
7.2 Direct Requests. If Swyft receives a data subject request directly relating to Personal Data processed on Client's behalf, Swyft will promptly notify Client and will not respond without Client's prior written authorization, except as required by law.
7.3 Timing. Swyft will provide assistance within a timeframe enabling Client to respond within the period required by Applicable Privacy Laws (typically 30–45 days from receipt).
Retention & Deletion
8.1 Post-Termination. Upon expiration or termination, Swyft will make Client's Personal Data available for export for 30 days. Following this window, Swyft will securely delete all Personal Data in its possession, including copies held by Subprocessors, except where retention is required by law.
8.2 Deletion Certification. Upon Client's written request, Swyft will provide written certification of deletion within 60 days of the deletion date.
Compliance & Audits
9.1 Documentation. Swyft will make available all information reasonably necessary to demonstrate compliance with this DPA upon written request, responding within 30 business days.
9.2 Audit Rights. To the extent required by GDPR Article 28(3)(h) or other Applicable Privacy Laws, Client may conduct audits with at least 30 days' prior written notice, during normal business hours, and under a mutually agreed NDA. Audits are limited to one per calendar year at Client's expense.
9.3 Certification as Alternative. Swyft may satisfy audit requests by providing current third-party audit reports, certifications, or SOC 2 Type II reports where such materials adequately address the scope of Client's request.
Schedule 1 — Processing Details
The following details apply to Swyft's processing of Personal Data under this DPA, as required by GDPR Article 28 and equivalent provisions.
Part A — Subject Matter & Nature
Processing Activities
Part B — Data & Data Subjects
Part C — Technical Details
Questions about this DPA?
For data processing inquiries, audit requests, or subprocessor objections, contact our legal team. Enterprise customers may also request a countersigned copy of this DPA.