Last Updated: May 27, 2026

This Data Processing Addendum (“DPA”) supplements the Storysnap, LLC Main Services Agreement (“Agreement”) entered into by and between the customer signing this DPA (“Customer”) and Storysnap, LLC. (“Company”). By executing the DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates, if any. This DPA is incorporated into and governed by the terms of the Agreement.

1. Definitions

  • “Authorized Sub-Processor” means a third party who has a need to know or otherwise access Customer’s Personal Data to enable Company to perform its obligations.
  • “Data Exporter” means Customer (the Data Controller).
  • “Data Importer” means Company (the Data Processor).
  • “Data Protection Laws” means all applicable laws relating to privacy and the processing of Personal Data, including but not limited to the CCPA, EU GDPR, UK GDPR, and the Swiss Federal Act on Data Protection (“Swiss FADP”), as each may be amended or revised.
  • “Standard Contractual Clauses” (“EU SCCs” or “SCCs”) means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.
  • “UK Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office (Version B1.0, in force 21 March 2022).
  • Capitalized terms not defined in this DPA shall have the same meanings as set forth in the Agreement or applicable Data Protection Laws.

2. Relationship of the Parties; Processing of Data

2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Controller and Company is the Processor. Customer shall ensure that its instructions for the processing of Personal Data comply with Data Protection Laws and will not cause Company to be in breach of Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of the Personal Data provided to Company by or on behalf of Customer.

2.2 Company shall not process Personal Data (i) for purposes other than those set forth in the Agreement and/or Exhibit A, or (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer.

2.3 Company acts as a Controller for (i) user account data (including username and password) used to access and use the Services, and (ii) system usage data used to optimize and maintain performance of the Services and to investigate and prevent potential system abuse.

2.4 Retention, Return, and Deletion of Customer Personal Data. During the Term, Company will retain Customer’s Personal Data to enable Customer’s continued access to Deliverables and use of the Services via the Company portal. Customer may, at any time, instruct Company in writing to delete or return all or any portion of Customer’s Personal Data. Company will delete or return the specified Personal Data within thirty (30) days of receipt of Customer’s instruction, unless continued retention is required or authorized by applicable law. Following termination or expiration of the Services, Company will, at Customer’s choice, return or delete remaining Customer Personal Data within thirty (30) days of Customer’s instruction, unless continued retention is required or authorized by applicable law. Where data subjects assert rights of erasure under applicable data protection law, Company will assist Customer in fulfilling such requests per Section 7 and the applicable response timelines therein.

2.5 CCPA: Company acts as a “service provider” under the CCPA and shall not “sell” or “share” any personal information provided by the Customer (as those terms are defined in the CCPA) and otherwise comply with the service provider requirements in CCPA Section 1798.140(ag). Company certifies it understands and will comply with these obligations and restrictions in accordance with the CCPA and gives Customer permission to monitor Company’s compliance with these obligations and to take reasonable steps to remediate unauthorized use of Personal Data. Company will notify Customer if it determines or believes that it cannot meet its obligations under the CCPA.

3. Confidentiality

Company shall ensure that all team members and contractors authorized to process Personal Data are bound by written confidentiality obligations prior to receiving access. Personnel with standing access to in-scope systems complete security awareness training upon onboarding and annually thereafter. Company performs background checks where lawfully permitted and relies on equivalent vetting (including reference checks and verification of professional history) in jurisdictions where background checks are legally restricted or impractical.

4. Authorized Sub-Processors

4.1 Customer acknowledges and agrees that Company may engage Authorized Sub-Processors to access and process Personal Data in connection with the Services (e.g., cloud infrastructure providers).

4.2 A list of Company’s current Authorized Sub-Processors is available to Customer at trust.storysnap.com. Company will provide 30 days’ notification via email to subscribed Customers prior to enabling any new Sub-Processors, giving Customer ten (10) days to object based on reasonable data security concerns. (Customer may subscribe to receive the emailed notices at trust.storysnap.com.) The parties agree to cooperate in good faith to resolve Customer’s reasonable objection. If Customer’s objection cannot be resolved within a reasonable period of time, Customer may terminate the affected Service(s) by providing written notice to Company; provided, however, that termination of the affected Service(s) shall not relieve Customer from paying any fees then owed to Company under the Agreement. A signed data processing agreement (or acceptance of the Sub-Processor’s standard data processing terms) is in place with each Authorized Sub-Processor that processes Personal Data on Company’s behalf. Company conducts annual reviews of subservice organizations (including review of their SOC 2 Type 2 reports or equivalent independent assurance reports) under Company’s vendor management framework.

4.3 Sub-Processor Liability: Company shall remain fully liable for the acts and omissions of its Authorized Sub-Processors to the same extent Company would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

5. Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Exhibit C sets forth additional information about Company’s technical and organizational security measures.

6. International Transfers of Personal Data

The parties agree that Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Services. The parties agree that ex-EEA or ex-Switzerland Transfers are made pursuant to the EU SCCs (Module One: Controller to Controller and Module Two: Controller to Processor, as applicable), and ex-UK Transfers are made pursuant to the UK Transfer Addendum, which are deemed entered into and incorporated by reference into this DPA in the form as set forth in Exhibit D.

7. Rights of Data Subjects

Company shall, to the extent permitted by law, promptly notify Customer upon receipt of a request by a Data Subject to exercise their privacy rights under applicable Data Protection Laws (e.g., a request to delete a video featuring their likeness or other Personal Data). Company will confirm receipt of the request with the Data Subject, forward the request to Customer without undue delay, and assist Customer in fulfilling the request on Customer’s documented instructions. Customer is solely responsible for responding to Data Subject Requests and for instructing Company on any required data deletion or modification. Where Customer is unresponsive within a reasonable timeframe or the request indicates an imminent safety concern, Company may determine appropriate next steps in consultation with applicable supervisory authorities or counsel.

8. Records; Audit Rights; Personal Data Breach; DPIA

8.1 Records. Company shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA and retain such records for a period of three (3) years after the termination or expiration of the Agreement.

8.2 Audit Rights: Upon Customer’s written request at reasonable intervals (no more than once per calendar year), Company shall make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards (e.g., SOC 2 Type 2 report). Any further audits or inspections legally required by a Supervisory Authority shall be limited to once annually, conducted at Customer’s sole expense, subject to reasonable advance notice of at least 30 days and subject to strict confidentiality obligations.

8.3 Personal Data Breach. In the event of a Personal Data Breach affecting Customer data, Company shall, without undue delay (and in any event within 72 hours), inform Customer of the Personal Data Breach to allow Customer to fulfill its notification obligations to Authorities and Data Subjects. Company shall take such steps as Company in its sole discretion deems necessary and reasonable to remediate such breach (to the extent that remediation is within Company’s reasonable control).

8.4 DPIA. Company will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities where required by applicable Data Protection Laws, by making available information about Company’s processing activities to the extent such information is reasonably necessary for Customer to fulfill its obligations.

8.5 Governmental Authority Inquiry or Request. Unless legally prohibited, Company will notify Customer without undue delay if a supervisory authority or other governmental authority makes any inquiry or request for disclosure of Personal Data. Company will not disclose Personal Data in response to such inquiry or request without Customer’s prior written authorization, except where required by applicable law. In such cases, Company will limit any disclosure to the minimum necessary, document the basis for disclosure, and challenge overbroad or unlawful requests where reasonably feasible.

9. Limitation of Liability

Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations of liability set forth in the Agreement.

Exhibit A: Details of Processing

  • Nature and Purpose of Processing: Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement (e.g., B2B tech-enabled video production and hosting). The nature of processing includes storing, organizing, editing, and delivering Client Assets (raw footage, video interviews, transcripts containing visual/audio likeness).
  • Duration of Processing: As long as required to provide the Services under the Agreement, or until Customer requests deletion.
  • Frequency of the Transfer: Continuous as determined by the Data Exporter.
  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Authorized Sub-Processors are used to support Data Importer’s provisioning of the Services in accordance with this DPA. Data Importer’s list of Authorized Sub-Processors is available at: trust.storysnap.com.
  • Categories of Data Subjects: Customer’s employees, clients, actors, or end-users whose likeness, voice, or information is captured in video or other assets.
  • Categories of Personal Data: Client Assets (raw footage, video interviews, transcripts containing visual/audio likeness), names, email addresses, job titles, company names, and user account data and system usage data.
  • Sensitive Data: Customers are prohibited from routing sensitive personal data (e.g., PHI, criminal history, financial records) through the Services unless explicitly agreed upon.

Exhibit B: Parties and Competent Supervisory Authority

  • Data Exporter: Customer (Controller) as identified in the Agreement.
  • Data Importer: Storysnap, LLC. (Processor) as identified in the Agreement. (Note: Data Importer acts as a Controller for user account data and system usage data.)
  • Contact Persons: Data Exporter’s and Data Importer’s contact persons are identified in the Agreement.
  • Date and Signature: See the Data Exporter’s and Data Importer’s signatures on the Agreement.
  • Competent Supervisory Authority: For purposes of the EU GDPR, the competent supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the SCCs. If Clause 13 does not apply, then the Irish Data Protection Commission. For purposes of the UK GDPR, the competent supervisory authority shall be the UK Information Commissioner’s Office. For purposes of the Swiss Federal Act on Data Protection, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.

Exhibit C: Technical and Organizational Security Measures (TOMs)

  • Measures of pseudonymisation and encryption of personal data: Company enforces strong cryptographic standards. Data in transit is encrypted using TLS 1.2 or higher. All production databases and cloud storage volumes housing Customer Data (e.g., AWS S3) are encrypted at rest using AES-256 or an equivalent strong algorithm as implemented by the subservice organization.
  • Measures for ensuring ongoing confidentiality, integrity, and availability: Company enforces Role-Based Access Control (RBAC) and the Principle of Least Privilege. Access to production environments is strictly limited to authorized engineering personnel. Team members and contractors are bound by confidentiality agreements and the Acceptable Use Policy.
  • Measures for restoring availability and access in the event of an incident: Company maintains a documented Business Continuity and Disaster Recovery Plan with defined Recovery Time and Recovery Point Objectives. Automated, point-in-time backups of in-scope data are managed by Company’s cloud subservice organizations (e.g., AWS, Bubble.io). The Plan is reviewed at least annually and tested through a combined tabletop exercise covering both incident response and recovery scenarios.
  • Processes for regularly testing, assessing and evaluating the effectiveness of measures: Company utilizes automated compliance platforms (e.g., Secureframe) for continuous control monitoring across in-scope systems. Company is pursuing SOC 2 Type 2 certification, with the initial observation period commencing July 2026. Company’s policy framework and related control documentation are accessible via Company’s Trust Center at trust.storysnap.com. Following issuance, Company will make its SOC 2 Type 2 report available to enterprise Customers under appropriate confidentiality obligations upon written request. Company commissions independent web application penetration tests on a discretionary, trigger-based basis, including material changes to in-scope application logic, addition of new in-scope systems, or specific client contractual obligations.
  • Measures for user identification and authorization: Company enforces Multi-Factor Authentication (MFA) across all in-scope systems and any system handling Confidential or Restricted data, including subservice organization administration, code repositories, and email environments. Company operates a 100% bring-your-own-device (BYOD) model; endpoint security configuration (full-disk encryption, screen lock, automatic OS updates, and native malware protection) is monitored continuously through the Secureframe Agent installed on team members’ devices. Logical access provisioning and revocation is tied to Company’s HR system of record.
  • Measures for ensuring physical security of locations: Company operates a fully remote workforce. All production data and application logic are hosted by subservice organizations (e.g., AWS, Bubble.io). The physical security of these data centers is the responsibility of the subservice organizations, verified annually through Company’s Vendor Management Policy review of their SOC 2 Type 2 reports.
  • Measures for ensuring events logging: Native cloud logging (e.g., AWS CloudTrail) is utilized to monitor access to infrastructure. Logs are protected from tampering and reviewed during security investigations.
  • Measures for ensuring system configuration: Company adheres to a documented Change Management Policy. Material changes to in-scope application logic (Bubble.io workflows) and database privacy rules are developed and tested in a non-production environment, undergo peer review of logic and configuration, and are approved by Company’s Director of Product & Ops or a designated technical lead prior to production deployment. Where separation of duties between build and deploy is not feasible due to team size, post-implementation review is conducted as a compensating control.
  • Measures for internal IT and IT security governance: Company’s Information Security Program is operated under a distributed leadership model with shared responsibility across Company’s leadership. The Compliance Lead (President) owns the program and acts as audit liaison and Data Privacy Lead; the Director of Product & Ops owns technical security implementation; and department leaders serve as control owners within their domains. The program includes annual risk assessments, an annual combined tabletop exercise covering incident response and disaster recovery, and security awareness training for personnel with standing access upon onboarding and annually thereafter.
  • Measures for ensuring data quality and minimisation: Company acts strictly as a Processor. Customers unilaterally determine what video or other data is uploaded. Applications are designed with “Privacy by Design” principles to ensure tenant isolation, preventing cross-customer data exposure.
  • Measures for allowing data portability and ensuring erasure: Customer Data may be deleted at the Customer’s request. Upon termination of the contract, Company initiates the logical deletion of Customer Data in accordance with its Data Retention and Disposal Policy.

Policy framework. The technical and organizational measures described above are operationalized through Company’s documented information security policy framework. The published portion of the policy framework is available via Company’s Trust Center at trust.storysnap.com.

Exhibit D: International Transfers

Part 1: Ex-EEA Transfers: The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs (Module 1: Controller to Controller and Module 2: Transfer Controller to Processor), which are deemed entered into and incorporated into this DPA by this reference and completed as follows:

  • The optional docking clause in Clause 7 does not apply;
  • In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Sub-Processor changes shall be as set forth in this DPA;
  • In Clause 11, the optional language does not apply;
  • All square brackets in Clause 13 are hereby removed;
  • In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
  • In Clause 18(b), disputes will be resolved before the courts of Ireland; and
  • Annexes I, II and III of the EU SCCs are completed with the information in Exhibits A, B and C.

Part 2: Ex-Switzerland Data Transfers: The parties further agree that ex-Switzerland Transfers are made pursuant to the EU SCCs (Module 2: Transfer Controller to Processor) as set forth above in Part 1 with the following modifications:

  • The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Swiss FADP with respect to ex-Switzerland Transfers;
  • Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner of Switzerland shall have authority over data transfers governed by the FADP and the relevant EU supervisory authority shall have authority over ex-EEA Transfers. Subject to the foregoing, all other requirements of Clause 13 shall be observed;
  • References to Regulation (EU) 2018/1725 are removed;
  • In Clause 17 and Clause 18 of the EU SCCs, the governing law and forum shall be Switzerland;
  • The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
  • Where the data transfer is exclusively subject to the Swiss FADP, all references to the EU GDPR in the EU SCCs are to be understood to be references to the Swiss FADP; and
  • Where the data transfer is subject to both the Swiss FADP and the EU GDPR, all references to the EU GDPR in the EU SCCs are to be understood to be references to the Swiss FADP insofar as the data transfer is subject to the Swiss FADP.

Part 3: Ex-UK Data Transfers: The parties further agree that ex-UK Transfers are made pursuant to the UK Transfer Addendum, which is incorporated into this DPA by reference and takes precedence over the rest of this DPA to the extent of any conflict. Tables 1, 2 and 3 of the UK Transfer Addendum are completed with the information provided in Exhibits A, B, and C, and the version of the approved EU SCCs is set forth above in Part 1. For purposes of Table 4 of the UK Transfer Addendum, either party may end the UK Transfer Addendum in accordance with Section 19 therein.

If the data transfer is exclusively subject to the UK GDPR, the International Data Transfer Agreement issued by the UK Information Commissioner’s Office (Version A1.0, in force 21 March 2022) is deemed entered into and incorporated by reference into this DPA.