Cloud Data Processing Addendum (Customers)
Effective Date: November 25, 2025
This Cloud Data Processing Addendum (the “DPA”) forms part of and is incorporated into the Master Subscription Agreement, Terms of Service, Order Form, or other written agreement between Customer and Custom Product Builder, LLC (or applicable CPB contracting entity) that governs Customer’s use of CPB’s cloud services (the “Agreement”).
If the Agreement permits CPB to process Personal Data on behalf of Customer, the parties agree to the following terms, which reflect the parties’ obligations under applicable Data Protection Laws.
1) Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
“Controller” (or “Business”) and “Processor” (or “Service Provider”) have the meanings given in Data Protection Laws.
“Customer Data” means data submitted to the Services by or for Customer.
“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including without limitation the EU GDPR, the UK GDPR, the Swiss FADP, the California CCPA/CPRA, Brazil’s LGPD, Canada’s PIPEDA, and any similar laws.
“EU GDPR” means Regulation (EU) 2016/679.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by CPB on behalf of Customer in connection with the Services.
“Process/Processing” means any operation or set of operations performed on Personal Data.
“Security Incident” means a breach of CPB security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Services” means the CPB-hosted software and related support services provided under the Agreement.
“Standard Contractual Clauses” or “SCCs” means the EU Commission Implementing Decision (EU) 2021/914, as amended or replaced.
“Subprocessor” means any Processor engaged by CPB to Process Personal Data.
“UK Addendum” means the UK Information Commissioner’s Office Addendum to the EU SCCs (version in force as of the Effective Date), as amended or replaced.
2) Role of the Parties & Scope
(a) Roles. For the Processing of Personal Data under the Agreement, Customer is the Controller/Business and CPB is the Processor/Service Provider.
(b) Purpose Limitation. CPB will Process Personal Data solely (i) to provide, secure, and improve the Services; (ii) to perform obligations under the Agreement; and (iii) as otherwise instructed in documented, lawful instructions from Customer.
(c) Customer Responsibilities. Customer is responsible for: (i) the accuracy, quality, and lawfulness of Personal Data and the means by which Customer acquired Personal Data; (ii) providing all necessary notices and obtaining all necessary consents; and (iii) configuring the Services and using available controls to comply with Data Protection Laws.
3) CPB Processing Obligations
(a) Instructions. CPB will Process Personal Data only on documented instructions from Customer. The Agreement and this DPA constitute Customer’s complete instructions; additional instructions require prior written agreement.
(b) Confidentiality. CPB will ensure personnel authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate privacy and security training.
(c) Security. CPB will implement and maintain appropriate technical and organizational measures (the “Security Measures”) described in Annex II.
(d) Subprocessors. Customer authorizes CPB to engage Subprocessors. The current Subprocessors are listed in Annex III below. CPB will impose data protection terms on Subprocessors providing at least the same level of protection as this DPA and remains responsible for their performance.
(e) Data Subject Requests. Taking into account the nature of the Processing, CPB will provide reasonable assistance to Customer in responding to requests from data subjects to exercise their rights under Data Protection Laws (e.g., access, rectification, deletion, porting, objection), via tools and processes made available through the Services or upon written request.
(f) Security Incidents. CPB will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Security Incident affecting Personal Data. Such notice will include information reasonably available to CPB at the time. CPB will take reasonable steps to investigate, mitigate, and remediate the Security Incident.
(g) Data Protection Impact Assessments. CPB will provide reasonable cooperation and information to support Customer’s data protection impact assessments, prior consultation, or similar obligations, to the extent related to the Services and CPB’s Processing of Personal Data.
(h) Return or Deletion. Upon termination or expiration of the Agreement, CPB will, at Customer’s choice, return or delete Personal Data (unless storage is required by law). Where deletion is requested, CPB will delete within 30 days of request or as otherwise agreed in writing.
4) International Transfers
(a) Restricted Transfers. Where CPB’s Processing involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country not deemed to provide an adequate level of protection, the parties agree the transfer will be governed by the relevant transfer mechanism below.
(b) EEA Transfers. The parties incorporate the SCCs, Module 2 (Controller→Processor), with Customer as the Data Exporter and CPB as the Data Importer. The SCCs are deemed completed as follows: (i) Clause 7 (Docking) applies; (ii) Clause 9 (Sub‑processors): general authorization; (iii) Clause 11 (Redress) not used; (iv) Clause 17 (Governing Law): Republic of Ireland; (v) Clause 18 (Forum): Ireland; and the information required by Annex I–III of the SCCs is provided in Annexes I–III to this DPA.
(c) UK Transfers. For transfers subject to the UK GDPR, the parties incorporate the UK Addendum to the SCCs; the Addendum’s tables are completed by reference to the SCCs and Annexes to this DPA. Governing law and forum for the SCCs as applied by the UK Addendum: England and Wales.
(d) Swiss Transfers. For transfers subject to the Swiss FADP, references to “EU Member State” include Switzerland; the competent authority is the FDPIC; and references to the EU GDPR are construed to include the Swiss FADP.
(e) Other Mechanisms. If a different lawful transfer mechanism becomes available (e.g., a certification program), the parties may mutually agree in writing to rely on that mechanism instead of or in addition to the above.
5) Compliance & Audit
(a) Documentation. CPB will make available upon request information demonstrating compliance with this DPA (e.g., third‑party security reports or summaries, policy documents, compliance certifications).
(b) Audit. No more than once annually (unless required by a Supervisory Authority or following a Security Incident), Customer may audit CPB’s compliance with this DPA on 30 days’ prior written notice. Audits will: (i) be limited to systems and facilities used to Process Personal Data for Customer; (ii) not interfere unreasonably with CPB operations; (iii) be conducted by Customer or an independent auditor bound by confidentiality; and (iv) be limited in time and scope. Customer will bear all audit costs; CPB will reasonably cooperate.
6) CCPA/CPRA (California) — Service Provider Terms
To the extent the CCPA/CPRA applies, CPB will: (i) Process Personal Information only for the limited and specified purposes set forth in this DPA and the Agreement; (ii) not sell or share Personal Information; (iii) not retain, use, or disclose Personal Information outside the direct business relationship with Customer; (iv) not combine Personal Information received from Customer with Personal Information received from other sources, except as permitted by law; and (v) assist Customer with consumer requests as described in Section 3(e). The parties certify they understand and will comply with these restrictions.
7) Liability & Order of Precedence
(a) Liability. Each party’s aggregate liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent prohibited by Data Protection Laws.
(b) Precedence. In the event of a conflict between the terms of this DPA and the Agreement, this DPA will control with respect to the subject matter herein. In the event of a conflict between this DPA and the SCCs/UK Addendum, the SCCs/UK Addendum will control for cross‑border transfers.
8) Miscellaneous
(a) Amendments. CPB may update this DPA as required by changes in Data Protection Laws, provided such updates do not materially diminish Customer’s rights. Material updates will be notified to Customer.
(b) Severability. If any provision of this DPA is held invalid, the remainder remains in full force.
(c) Governing Law. This DPA is governed by the governing law of the Agreement, except where the SCCs specify otherwise.
9) Publication & Incorporation
This DPA is published on CPB’s website as a publicly accessible page. It is incorporated by reference into the Agreement and applies automatically to Customer’s use of the Services as of the Effective Date above. No separate signature is required.
Annex I – Details of Processing
A. Parties
Data Exporter (Controller/Business): Customer and its Affiliates using the Services.
Data Importer (Processor/Service Provider): CPB and its Affiliates providing the Services.
B. Description of Processing
- Subject Matter: Provision of the Services under the Agreement.
- Duration: Term of the Agreement and any wind‑down period.
- Nature & Purpose: Hosting, storage, transmission, display, analytics, support, configuration, and other Processing necessary to provide and secure the Services.
- Type of Personal Data: May include names, contact details, usernames, device identifiers, order and cart data, configuration records, IP addresses, online identifiers, payment tokens (via payment processors), support communications, and other data submitted by Customer.
- Categories of Data Subjects: Customer’s end users, employees, contractors, dealers/wholesale accounts, and other individuals whose Personal Data is submitted to the Services.
- Special Categories: Not intended, but may be incidentally Processed if submitted by Customer. Customer shall not submit special categories or children’s data without prior written agreement.
- Frequency of Transfers: Continuous as needed.
- Subprocessing: As listed in Annex III and updated from time to time.
C. Competent Supervisory Authority (SCCs): For EU GDPR, the Supervisory Authority in the EEA member state of Customer’s establishment, or Ireland where not applicable.
Annex II – Technical & Organizational Security Measures
CPB maintains a security program aligned to industry standards appropriate to the nature, scope, context, and purposes of Processing, including (as applicable):
- Information Security Policies documented, reviewed annually, and approved by management.
- Organization of Information Security with designated security roles and employee screening, onboarding, and offboarding.
- Access Control (least privilege, role‑based access, SSO/MFA for admin access, unique IDs, session management, periodic reviews).
- Cryptography (TLS in transit; encryption at rest for production data using industry‑standard algorithms; key management procedures).
- Physical & Environmental Security for hosting facilities (data centers/cloud provider controls, access badges, logging, CCTV).
- Operations Security (secure configuration, vulnerability management, anti‑malware, change management, backups with periodic restore testing, logging/monitoring, segregation of environments).
- Network Security (segmentation, firewalls, intrusion detection/prevention, rate limiting, DDoS protections, secure remote access).
- Application Security (secure SDLC, code reviews, dependency scanning, secret management, static/dynamic testing, bug bounty or third‑party testing as applicable).
- Incident Response (documented IR plan, 24×7 monitoring, breach notification procedures in Section 3(f)).
- Business Continuity & Disaster Recovery (BC/DR plans, RTO/RPO objectives, annual testing).
- Supplier Management (security due diligence for Subprocessors, contractual security obligations, continuous monitoring).
- Data Protection by Design & Default (data minimization, pseudonymization where appropriate, configurable data retention, privacy reviews for new features).
- Personnel Security & Training (mandatory security and privacy training, confidentiality agreements, disciplinary process).
- Audit & Compliance (regular internal audits; external audits/certifications where available; remediation tracking).
Annex III – Subprocessor List
Current Subprocessors in use for CPB Services:
| Subprocessor | Purpose | Location | Safeguard/Transfer Mechanism |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud hosting, Kubernetes (GKE), storage, networking, managed databases | USA/EU (regions as configured) | SCCs/adequacy as applicable |
| Mandrill (Mailchimp/Intuit) | Transactional email | USA | SCCs |
| Matomo (self‑hosted by CPB) | Analytics (privately hosted) | CPB‑controlled hosting region: [USA] | N/A (no vendor data transfer) |
| Grafana (self‑hosted by CPB) | Observability, dashboards, error monitoring | CPB‑controlled hosting region: [USA] | N/A (no vendor data transfer) |
| Relevance AI & Anthropic Claude (commercial license) | AI assistant processing for CPB AI Helper Chatbot | Global (providers’ regions as configured) | SCCs/adequacy as applicable |
Notice Mechanism: This page serves as notice of CPB’s current Subprocessors. Material changes will be reflected here, and where contractually required CPB will provide advance notice via admin email.
Annex IV – CCPA/CPRA Disclosures (If Applicable)
- Nature and Purpose of Processing: to perform the Services under the Agreement; to maintain and improve the Services; to detect and prevent security incidents and fraud.
- Categories of Personal Information: identifiers; commercial information; internet or network activity; geolocation data; professional information; inferences from the foregoing.
- Retention: CPB retains Personal Information only for as long as necessary to fulfill the business purposes described above or as required by law.
Translations
For translations of this Cloud Data Processing Addendum into other languages, contact your CPB representative.
Change Log
- v1.1 — Subprocessors & publication section updated; effective date set to November 25, 2025.
- v1.0 — Initial customer DPA template prepared for GDPR/UK GDPR/CCPA/LGPD compliance.