Data Processing Addendum
Version Date: December 17, 2025
This Data Processing Addendum ("DPA") forms part of the agreement between Metadata, Inc. ("Metadata") and the entity identified as the customer ("Customer") in the applicable order or agreement (the "Agreement") governing Customer's use of Metadata's products and services.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
- "Agreement" means the master services agreement, subscription agreement, or other written agreement between Metadata and Customer governing Customer's use of the Services.
- "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Privacy Rights Act ("CPRA"), the Swiss Federal Act on Data Protection, and their implementing regulations as amended from time to time.
- "Connected Ad Accounts" means the advertising platform accounts (e.g., LinkedIn, Facebook, Google Ads) that Customer connects to the Services for campaign management and optimization.
- "CPRA" means the California Privacy Rights Act of 2020, as amended, and its implementing regulations.
- "Customer Credentials" means the authentication tokens, API keys, passwords, and other credentials Customer provides to Metadata to enable access to Connected Ad Accounts and third-party integrations.
- "Customer Personal Data" means any Personal Data that Metadata Processes on behalf of Customer as a Processor in the course of providing the Services.
- "Data Subject Request" means a request from a Data Subject to exercise any rights afforded to them under Applicable Data Protection Laws with respect to their Personal Data.
- "Data Transfer Mechanisms" means the legal mechanisms for transferring Personal Data from the EEA, United Kingdom, or Switzerland to third countries, including the EU Standard Contractual Clauses, UK International Data Transfer Addendum, and adequacy decisions.
- "EEA" means the European Economic Area.
- "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as may be amended or replaced from time to time.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679, and, where applicable, the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- "Instruction Logs" means the automated records Metadata generates documenting the instructions received from Customer through the Services, including MCP Features interactions, campaign configurations, and data processing directives.
- "Metadata Personal Data" means Personal Data that Metadata collects and Processes as an independent Controller, such as account registration data, usage analytics, and billing information.
- "MCP Features" means the AI-powered agent capabilities within the Services that execute campaign management tasks, generate content, analyze data, and perform automated actions based on Customer instructions.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- "Restricted Transfer" means a transfer of Personal Data from the EEA, United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the relevant authority.
- "Subprocessor" means any third party engaged by Metadata to Process Customer Personal Data on behalf of Customer.
- "Subprocessor List" means the current list of Subprocessors, available at www.metadataone.com/subprocessors.
- "Supplementary Data" means additional data that Metadata provides to Customer through the Services, including enriched audience data, analytics insights, and campaign performance metrics.
2. Scope
2.1 This DPA applies to the Processing of Customer Personal Data by Metadata on behalf of Customer in connection with the Services, and to the transmission of Metadata Personal Data as described herein.
2.2 Annex 1 (European Annex) applies to the extent that the GDPR or applicable European data protection legislation governs the Processing of Customer Personal Data.
2.3 Annex 2 (California Annex) applies to the extent that the CPRA governs the Processing of Customer Personal Data.
2.4 The details of the Processing activities, including the subject matter, duration, nature and purpose of Processing, the types of Personal Data, and categories of Data Subjects, are set forth in Attachment 1 to this DPA.
3. Roles
Metadata as Processor
3.1 With respect to Customer Personal Data, Metadata acts as a Processor on behalf of Customer (the Controller). Metadata shall Process Customer Personal Data only in accordance with Customer's documented instructions, including the instructions inherent in the Agreement and this DPA, unless required to do otherwise by Applicable Data Protection Laws.
3.2 Customer's instructions include the execution of MCP Features on Customer's behalf. When Customer uses MCP Features to direct campaign actions, generate content, configure audiences, or perform other automated tasks, such use constitutes documented instructions for Metadata to Process Customer Personal Data accordingly.
3.3 Metadata shall not sell or share Customer Personal Data for any purpose other than providing the Services as instructed by Customer.
3.4 Metadata generates Instruction Logs that document the Processing instructions received from Customer. These logs serve as evidence of Customer's documented instructions and are available to Customer upon request.
Metadata as Controller
3.5 With respect to Metadata Personal Data, Metadata acts as an independent Controller. Metadata collects and Processes Metadata Personal Data for its own legitimate business purposes, including account management, service improvement, billing, and security.
3.6 Where both parties Process Personal Data as independent Controllers, each party shall comply with Applicable Data Protection Laws independently and neither party shall be responsible for the other party's compliance obligations.
4. Metadata Personnel
Metadata shall ensure that all personnel authorized to Process Customer Personal Data are bound by written confidentiality agreements or are under an appropriate statutory obligation of confidentiality. Metadata shall ensure that access to Customer Personal Data is limited to those personnel who require such access for the performance of the Services.
5. Security
5.1 Metadata shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, or disclosure. These measures are described in Annex 3 (Security Measures).
5.2 Such measures include, without limitation:
- Encryption in transit and at rest: Customer Personal Data is encrypted using industry-standard protocols during transmission and while stored.
- Role-based access control: Access to Customer Personal Data is restricted based on job function and necessity, with the principle of least privilege applied.
- Logging and monitoring: Metadata maintains comprehensive audit logs of access to and actions performed on Customer Personal Data, with automated monitoring for anomalous activity.
- Configurable guardrails: The Services provide Customer with configurable controls and guardrails to manage the scope and nature of Processing activities, including MCP Features interactions.
- Token management: Customer Credentials and authentication tokens are securely stored, rotated, and managed in accordance with industry best practices.
6. Data Subject Requests; Impact Assessments
6.1 Metadata shall assist Customer in fulfilling its obligations to respond to Data Subject Requests. Taking into account the nature of the Processing, Metadata shall provide reasonable assistance by appropriate technical and organizational measures.
6.2 Metadata shall promptly notify Customer if it receives a Data Subject Request directly, unless prohibited by Applicable Data Protection Laws. Metadata shall not respond to such requests directly unless authorized by Customer or required by law.
6.3 Metadata shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Laws and taking into account the nature of the Processing and the information available to Metadata.
7. Personal Data Breach
7.1 Metadata shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2 Such notification shall include, to the extent available:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned;
- The name and contact details of the point of contact from whom additional information may be obtained;
- A description of the likely consequences of the Personal Data Breach;
- A description of the measures taken or proposed to be taken to address the Personal Data Breach;
- A summary of relevant Instruction Logs for the affected period.
7.3 Metadata shall cooperate with Customer in the investigation, mitigation, and remediation of any Personal Data Breach and shall provide all reasonable assistance to enable Customer to meet its notification obligations under Applicable Data Protection Laws.
8. Subprocessors
8.1 Customer provides general authorization for Metadata to engage Subprocessors to Process Customer Personal Data. The current list of Subprocessors is maintained at www.metadataone.com/subprocessors.
8.2 Metadata shall notify Customer at least fourteen (14) days in advance of any intended addition or replacement of Subprocessors, providing Customer an opportunity to object to such changes.
8.3 If Customer reasonably objects to a new Subprocessor, Metadata and Customer shall work together in good faith to find a mutually acceptable resolution. If no resolution is reached within a reasonable period, Customer may terminate the affected Services by providing written notice to Metadata.
8.4 Metadata shall impose data protection obligations on each Subprocessor that are no less protective than those set forth in this DPA and shall remain liable for the acts and omissions of its Subprocessors.
9. Return and Deletion
9.1 Upon Customer's written request or upon termination or expiration of the Agreement, Metadata shall, at Customer's election, destroy, anonymize, or return all Customer Personal Data in its possession or control, and delete existing copies unless Applicable Data Protection Laws require continued storage.
9.2 Metadata shall certify in writing the deletion of Customer Personal Data upon Customer's request.
9.3 This obligation extends to Customer Personal Data held by Subprocessors, and Metadata shall ensure Subprocessors comply with return and deletion obligations.
10. Audit Rights
10.1 Metadata shall make available to Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Laws.
10.2 Customer or its authorized third-party auditor may conduct audits of Metadata's Processing activities, upon at least fourteen (14) days' prior written notice, during normal business hours, and subject to reasonable confidentiality obligations.
10.3 As an alternative to on-site audits, Metadata may provide Customer with copies of its current SOC 2 Type 2 report, ISO 27001 certification, or NIST Cybersecurity Framework assessment, which Customer agrees to accept as a reasonable substitute for an on-site audit, provided the scope of such certifications covers the relevant Processing activities.
11. Restricted Data
Neither Party shall provide the other Party with, and neither Party shall be required to Process, any of the following categories of data through the Services:
- Social Security numbers or government-issued identification numbers;
- Protected health information (PHI) as defined under HIPAA;
- Biometric identifiers or biometric information;
- Passwords, PINs, or account security credentials of Data Subjects;
- Financial account numbers, credit or debit card numbers, or financial credentials;
- Tax identification numbers or tax return data;
- Payment Card Industry (PCI) cardholder data;
- Personal Data of children under the age of 16;
- Special categories of data as defined under Article 9 of the GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health, data concerning sex life or sexual orientation);
- Criminal conviction or offense data as defined under Article 10 of the GDPR.
12. Liability
Each Party's liability arising out of or in connection with this DPA, including the Annexes, is subject to the limitations and exclusions of liability set forth in the Agreement.
13. Precedence
13.1 In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
13.2 In the event of any conflict or inconsistency between this DPA and the Data Transfer Mechanisms (including the EU SCCs), the Data Transfer Mechanisms shall prevail.
13.3 The order of precedence is: Data Transfer Mechanisms prevail over this DPA, which prevails over the Agreement.
Annex 1: European Annex
This Annex applies to the extent that Customer Personal Data is subject to the GDPR or other European data protection legislation (including the UK GDPR and the Swiss Federal Act on Data Protection).
1. Standard Contractual Clauses
For Restricted Transfers of Customer Personal Data from the EEA, the EU SCCs are hereby incorporated by reference and form an integral part of this DPA. The Parties agree that:
- Module Two (Controller to Processor) applies where Customer is a Controller and Metadata is a Processor;
- Module Three (Processor to Processor) applies where Customer is a Processor and Metadata is a Sub-processor;
- The optional docking clause in Clause 7 is included;
- Under Clause 9, Option 2 (general written authorization) applies with a notice period of fourteen (14) days;
- Under Clause 11, the optional language is not included;
- Under Clause 17, the EU SCCs shall be governed by the laws of Ireland;
- Under Clause 18(b), disputes shall be resolved before the courts of Ireland.
2. UK Transfers
For Restricted Transfers of Customer Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) is hereby incorporated and shall apply.
3. Swiss Transfers
For Restricted Transfers of Customer Personal Data from Switzerland, the EU SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner, including references to the Swiss Federal Act on Data Protection in place of the GDPR where applicable.
4. Supplementary Measures
Metadata shall implement supplementary technical and organizational measures as necessary to ensure that Customer Personal Data transferred outside the EEA, United Kingdom, or Switzerland receives an essentially equivalent level of protection, taking into account guidance from relevant supervisory authorities.
Annex 2: California Annex
This Annex applies to the extent that Customer Personal Data includes "Personal Information" as defined under the CPRA.
1. Roles
For purposes of the CPRA, Customer is a "Business" and Metadata is a "Service Provider" with respect to Customer Personal Data.
2. Restrictions
Metadata shall not:
- Sell or share Customer Personal Data;
- Retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, including any commercial purpose other than providing the Services;
- Retain, use, or disclose Customer Personal Data outside the direct business relationship between Metadata and Customer;
- Combine Customer Personal Data with personal information that it receives from or on behalf of other parties, or collects from its own interactions with consumers, unless expressly permitted under the CPRA.
3. Compliance
Metadata certifies that it understands the restrictions in this Annex and will comply with them. Metadata shall notify Customer if it determines that it can no longer meet its obligations under the CPRA.
4. Consumer Rights
Metadata shall assist Customer in responding to verifiable consumer requests exercising rights under the CPRA, including requests to know, delete, correct, and opt out of sale or sharing.
Annex 3: Security Measures
Metadata implements and maintains the following technical and organizational security measures for the protection of Customer Personal Data:
- Encryption in Transit: All Customer Personal Data transmitted over public networks is encrypted using TLS 1.2 or higher.
- Encryption at Rest: Customer Personal Data stored in databases, file systems, and backups is encrypted using AES-256 or equivalent encryption standards.
- Access Control: Role-based access control (RBAC) is implemented to ensure that personnel access only the Customer Personal Data necessary for their job functions, following the principle of least privilege.
- Authentication: Multi-factor authentication (MFA) is required for all personnel accessing systems that store or process Customer Personal Data.
- Network Security: Firewalls, intrusion detection and prevention systems, and network segmentation are deployed to protect infrastructure from unauthorized access.
- Vulnerability Management: Regular vulnerability scans and penetration testing are conducted, with identified vulnerabilities remediated according to severity-based timelines.
- Logging and Monitoring: Comprehensive audit logs are maintained for access to and modifications of Customer Personal Data, with automated monitoring and alerting for anomalous activity.
- Incident Response: A documented incident response plan is maintained and tested regularly, including defined roles, communication procedures, and escalation paths.
- Business Continuity and Disaster Recovery: Backup and recovery procedures are in place to ensure the availability and integrity of Customer Personal Data, with regular testing of recovery processes.
- Physical Security: Data center facilities used to host Customer Personal Data maintain industry-standard physical security controls, including access controls, surveillance, and environmental protections.
- Personnel Security: Background checks are conducted for personnel with access to Customer Personal Data, and security awareness training is provided regularly.
- Vendor Management: Subprocessors and third-party service providers are evaluated for security practices prior to engagement, with contractual security obligations and periodic reassessment.
- Data Minimization: Customer Personal Data collection and retention are limited to what is necessary for the purposes of Processing as defined in the Agreement and this DPA.
- Secure Development: Secure software development lifecycle (SDLC) practices are followed, including code review, security testing, and separation of development, testing, and production environments.
- Configuration Management: Hardened system configurations are maintained based on industry benchmarks, with change management processes to ensure controlled and documented modifications.
Attachment 1: Data Processing Details
Data Exporter (Customer)
The entity identified as the Customer in the Agreement.
Data Importer (Metadata)
Name: Metadata, Inc.
Address: 1754 Technology Drive, Suite 212, San Jose, CA 95110
Contact: privacy@metadata.io
Role: Processor (with respect to Customer Personal Data); Controller (with respect to Metadata Personal Data)
Data Subjects
The Personal Data transferred may concern the following categories of Data Subjects:
- Customer's employees and authorized users of the Services;
- Customer's prospects, leads, and contacts whose data is uploaded to or processed through the Services;
- Individuals whose data is contained in Connected Ad Accounts;
- Individuals whose data is included in audience segments created or managed through the Services;
- Individuals who interact with Customer's advertisements managed through the Services.
Categories of Data
The Personal Data transferred may include the following categories:
- Contact information (name, email address, phone number, job title, company name);
- Professional information (industry, company size, seniority, job function);
- Online identifiers (IP address, cookie identifiers, advertising identifiers, device identifiers);
- Usage data (interactions with advertisements, website visits, engagement metrics);
- Account data (login credentials, user preferences, account configurations);
- Campaign data (audience targeting criteria, ad content, budget allocations, performance metrics);
- CRM data (lead status, opportunity data, conversion data as synced by Customer).
Frequency of Transfer
Continuous, for the duration of the Agreement.
Nature and Purpose of Processing
Processing is performed for the purpose of providing the Services as described in the Agreement, including:
- Campaign creation, management, and optimization across Connected Ad Accounts;
- Audience segmentation, targeting, and enrichment;
- AI-powered agent execution of campaign management tasks via MCP Features;
- Performance analytics, reporting, and insights generation;
- Account administration and technical support;
- Integration with Customer's connected third-party platforms.
Retention Period
Customer Personal Data is retained for the duration of the Agreement and deleted or returned in accordance with Section 9 of this DPA, unless longer retention is required by Applicable Data Protection Laws.