Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

between the customer / principal – hereinafter "Controller" –

and

LeadTS (sole proprietorship)
Owner: Rotinda Getiren
Gruenhainer Str. 8
08340 Schwarzenberg
Germany
– hereinafter "Processor" –

1. Subject of the contract

This contract governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the SaaS platform "LeadTS". Processing is carried out exclusively for the provision and execution of the contractually agreed SaaS services.

2. Duration of processing

Processing takes place for the duration of the main contract between the parties regarding the use of LeadTS. Upon termination of the main contract, this DPA also ends automatically, subject to statutory retention obligations.

3. Type and purpose of processing

Processing includes in particular:
* storage and management of lead and CRM data
* structuring and categorization of contact data
* processing of pipeline, funnel and status information
* import and synchronization via APIs / integrations / webhooks
* provision of analytics and workflow features
* dispatch of system-related notifications / transactional emails

4. Type of personal data

Depending on use, the following data may in particular be processed:
* master data (name, company)
* contact data (email, phone number)
* communication data
* lead / campaign data
* funnel / pipeline data
* revenue / conversion data
* custom fields of the Controller

5. Categories of data subjects

Processing may in particular affect:
* prospects / leads
* customers / end customers
* company contacts
* employees / users of the Controller

6. Controller's right to issue instructions

The Processor processes personal data only on documented instructions of the Controller, unless there is a legal obligation to process.

7. Confidentiality

The Processor undertakes to bind all persons involved in data processing to confidentiality and to ensure confidentiality is maintained.

8. Technical and organizational measures (TOMs)

The Processor implements appropriate technical and organizational measures pursuant to Art. 32 GDPR. The currently applicable TOMs are set out in Annex 1 to this contract.

9. Subprocessors

The Controller grants general authorization for the engagement of subprocessors. The currently engaged subprocessors are set out in Annex 2 to this contract. The Processor will inform the Controller about material changes.

10. Assistance obligations

The Processor supports the Controller to an appropriate extent with:
* data subject access requests
* deletion / rectification requests
* data protection impact assessments
* security incidents / data breaches
* evidence obligations towards supervisory authorities

Where this requires substantial additional effort, reasonable compensation may be requested.

11. Notification of data breaches

The Processor informs the Controller without undue delay after becoming aware of personal data breaches, insofar as they affect data processed under this contract.

12. Audit rights

The Controller is entitled to verify compliance with this contract to an appropriate extent or have compliance verified by suitable evidence. The Processor may provide suitable evidence, certificates, documentation or self-assessments. On-site audits require appropriate prior notice and must not disproportionately impair business operations.

13. Return and deletion of data

After termination of the main contract, the Processor shall, at the Controller's option, delete or return personal data, unless statutory retention obligations prevent this. Backups and technically required backup copies remain unaffected until routine deletion.

14. Liability

The statutory liability provisions of the GDPR apply, supplemented by the liability provisions of the main contract.

15. Final provisions

Should individual provisions of this contract be invalid, the validity of the remaining provisions remains unaffected. The law of the Federal Republic of Germany applies.

Annex 1 – Technical and Organizational Measures (TOMs)

Confidentiality
* access only for authorized persons
* role and authorization concepts
* password protection / authentication systems
* confidentiality obligations

Integrity
* TLS/HTTPS encryption
* protection against unauthorized alteration
* logging of relevant system events

Availability
* backup and recovery mechanisms
* monitoring of critical systems
* protection against outages / load peaks

Resilience / security
* security updates / patch management
* firewalls / infrastructure protection mechanisms
* rate limits / abuse protection

Segregation / multi-tenancy
* logical separation of customer data
* role-based access restrictions
* workspace/tenant concepts within the platform

Annex 2 – Subprocessors

Provider          Purpose                      Location / transfer
Supabase          Database / backend / auth    EU
Vercel            Hosting / frontend           EU / USA
Stripe            Payment processing           EU / USA
Resend            Email delivery               USA
Nango             OAuth / integrations         USA / EU
Google            OAuth / integrations         USA
Meta Platforms    Lead integrations            USA

Annex 3 – Instruction scheme

Controller instructions are generally issued via:
* platform configuration by the Controller
* settings / usage within the account
* written or text-form instructions via email / support