This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Cat and box LLP ("Data Processor," "we," "us," "our") and the customer ("Data Controller," "you," "Customer") who uses YetOnePro (the "Service"). In the event of any conflict between this DPA and the Terms and Conditions in respect of the processing of Personal Data, this DPA prevails.

Parties

  • Data Processor: Cat and box LLP, a Limited Liability Partnership incorporated in England and Wales, registered office 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. ICO registration number C1791113.
  • Data Controller: The Customer, as defined in the Terms and Conditions, who has entered into a subscription or other agreement with Cat and box LLP for access to the Service and on whose behalf Personal Data is processed under this DPA.

Purpose

This DPA governs the processing of Personal Data carried out by Cat and box LLP, in its capacity as Data Processor, on behalf of the Customer, in its capacity as Data Controller, in connection with the Customer's use of the Service. This includes, without limitation, files and assets uploaded by the Customer or its end users, contact records (names and email addresses) entered into the Service's Contacts and Companies CRM, sharing invitations, one-time-password (OTP) magic links, portal access links, comments, annotations, collaboration data, and any other Personal Data submitted to the Service by or on behalf of the Customer.

This DPA is intended to satisfy the written contract requirement imposed on processors under Article 28(3) of the UK GDPR and Article 28(3) of the EU GDPR, and the equivalent requirements of any other applicable data-protection law to the extent that Cat and box LLP acts as a processor (or service provider, in the language of CCPA/CPRA) for the Customer.

CCPA/CPRA — Service-Provider Addendum (U.S. Customers)

To the extent the Customer is subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and discloses "personal information" of California consumers to Cat and box LLP through the Service, Cat and box LLP acts as a "service provider" to the Customer within the meaning of Cal. Civ. Code § 1798.140(ag). The Customer is the "business" within the meaning of Cal. Civ. Code § 1798.140(d).

In that capacity, Cat and box LLP:

  • Will process personal information received from, or on behalf of, the Customer only for the limited and specified business purpose of providing the Service to the Customer as set out in this DPA and the Terms and Conditions, and not for any other commercial purpose;
  • Will not "sell" or "share" (as those terms are defined in Cal. Civ. Code § 1798.140(ad) and (ah)) the Customer's personal information for monetary or other valuable consideration, and will not engage in cross-context behavioural advertising on the basis of personal information received from the Customer;
  • Will not retain, use, or disclose the Customer's personal information outside of the direct business relationship with the Customer, or combine it with personal information Cat and box LLP receives from any other source, except as permitted under the CCPA/CPRA;
  • Will assist the Customer in responding to verifiable consumer requests received under the CCPA/CPRA — including requests to know, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information — using the in-product tools made available by the Service, and will provide additional assistance on reasonable request;
  • Will notify the Customer if Cat and box LLP determines that it can no longer meet its obligations under the CCPA/CPRA.

The opt-out flow that the Customer (or any California consumer) may use to exercise the right to opt out of "sale" or "sharing" is published at /legal/do-not-sell-or-share-my-personal-information/.

Capitalised terms not defined in this DPA have the meanings given to them in the Terms and Conditions. In this DPA:

  • "Personal Data" — any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the UK GDPR and EU GDPR, that is processed by Cat and box LLP on behalf of the Customer in connection with the Service.
  • "Processing" — any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the UK GDPR and EU GDPR.
  • "Data Subject" — an identified or identifiable natural person to whom the Personal Data relates, as defined in Article 4(1) of the UK GDPR and EU GDPR. For the purposes of this DPA, Data Subjects typically include the Customer's workspace members, the Customer's external contacts, and individuals whose Personal Data appears in files uploaded to the Service.
  • "Sub-processor" — any third party engaged by Cat and box LLP to process Personal Data on behalf of the Customer in support of the Service. The current list of authorised Sub-processors is set out in Section 8 of this DPA.
  • "Standard Contractual Clauses" or "SCCs" — (a) for transfers subject to the EU GDPR, the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor, as applicable); and (b) for transfers subject to the UK GDPR, the International Data Transfer Agreement ("IDTA") issued by the UK Information Commissioner, or the UK Addendum to the EU SCCs, in each case as in force from time to time.
  • "Data Protection Laws" — all laws relating to the protection of Personal Data that apply to a party in its performance of this DPA, including: (a) the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018; (b) Regulation (EU) 2016/679 (the European Union General Data Protection Regulation, "EU GDPR"); (c) the EU ePrivacy Directive (2002/58/EC) and any national implementing law (including the UK Privacy and Electronic Communications Regulations 2003); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (e) the Brazilian Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018 ("LGPD"); (f) the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); and (g) any other applicable data protection law.
  • "Personal Data Breach" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, as defined in Article 4(12) of the UK GDPR and EU GDPR.

Subject Matter

The subject matter of the processing is the provision of YetOnePro, a cloud-based Digital Asset Management ("DAM") platform that includes file storage and delivery, asset processing (encoding, thumbnailing, metadata extraction, image optimisation, automatic tagging), sharing (asset shares, portals, upload links, OTP magic links), and the Contacts and Companies CRM features.

Duration

Processing under this DPA continues for the duration of the Customer's active subscription to the Service, and thereafter for any period during which Cat and box LLP retains Personal Data in accordance with Section 9 (Termination and Return of Data), the retention periods described in the Privacy Policy, or any retention obligation imposed by applicable law.

Nature and Purpose of Processing

  • Storage, retrieval, and delivery of digital assets uploaded by the Customer or its end users.
  • Processing of contact records (names and email addresses) entered into the Contacts and Companies CRM in order to send asset-sharing invitations, portal access links, and OTP magic-link emails.
  • Automated generation of thumbnails and previews, transcoding of audio and video, conversion of images to modern delivery formats (AVIF, WebP), and extraction of file metadata.
  • Automatic tagging of uploaded images via Amazon Rekognition (small image copies transmitted in real time; tags returned for the Customer to accept, modify, or reject).
  • Antivirus and malware scanning of uploaded files.
  • Provision of collaboration features (comments, annotations, activity streams, real-time presence).
  • Routing of transactional service emails (account, sharing, OTP, portal, and notification messages) via Amazon SES.
  • Logging, security monitoring, and abuse prevention strictly necessary to provide the Service.

Types of Personal Data

  • Names, email addresses, and where applicable company affiliations of contacts entered by the Customer into the Contacts and Companies CRM.
  • Names, email addresses, IP addresses, and authentication metadata of the Customer's workspace members and any invited collaborators.
  • User-generated content: comments, annotations, mentions, activity-stream entries, and labels applied to assets or contacts.
  • Any Personal Data contained within the body or metadata of files the Customer or its end users upload to the Service (e.g. names in documents, EXIF/IPTC metadata in images, identifiable individuals captured in images or video).
  • Recipient email addresses, message subject lines, and email body content (including OTP codes and signed-share links) for outbound transactional email.
  • IP addresses and HTTP request metadata associated with file-access requests served via the content delivery network.
  • Cat and box LLP does not knowingly process special-category personal data (Art. 9 UK GDPR / EU GDPR) as part of providing the Service. Customer warrants it will not intentionally upload such data, and where files Customer uploads may incidentally contain it, Customer warrants it has a valid Art. 9 lawful basis for that incidental processing.

Categories of Data Subjects

  • The Customer's employees, contractors, and other workspace members who hold an account on the Service.
  • External contacts entered by the Customer into the Contacts and Companies CRM (clients, reviewers, collaborators, vendors).
  • Recipients of asset shares, portal invitations, and OTP magic links sent through the Service.
  • Individuals whose Personal Data is contained within files uploaded to the Service by the Customer or its end users (e.g. subjects of photographs, addressees of documents, signatories of contracts).
  • End-user viewers whose IP address and request metadata are processed by the CDN when accessing shared assets.

Cat and box LLP shall, in compliance with Article 28(3) of the UK GDPR and EU GDPR:

  • (a) Documented instructions. Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by UK or EU law to which Cat and box LLP is subject; in such a case, Cat and box LLP shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Customer's instructions are set out in (i) the Terms and Conditions, (ii) this DPA, and (iii) the operational use of the Service by the Customer's authorised users.
  • (b) Confidentiality. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Security. Implement the technical and organisational measures described in Section 7 and otherwise required by Article 32 of the UK GDPR and EU GDPR.
  • (d) Sub-processors. Engage Sub-processors only in accordance with Article 28(2) and (4) and Section 8 of this DPA. Cat and box LLP shall impose on each Sub-processor data-protection obligations that are no less protective than those set out in this DPA, by way of a written contract, and remains fully liable to the Customer for the performance of the Sub-processor's obligations.
  • (e) Data-subject rights. Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests by Data Subjects exercising their rights under Chapter III of the UK/EU GDPR (Articles 15–22). The Service's in-product tools for accessing, exporting, correcting, and deleting Personal Data are the primary means by which the Customer can satisfy these requests; Cat and box LLP will provide additional assistance on reasonable request and on the basis described in Section 5.
  • (f) Security incidents, DPIAs, prior consultation. Assist the Customer in ensuring compliance with the obligations under Articles 32 to 36 of the UK/EU GDPR (security of processing, notification of Personal Data Breaches, communication of breaches to Data Subjects, data-protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Cat and box LLP.
  • (g) Deletion or return. At the Customer's choice, delete or return all Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies, unless UK or EU law requires storage of the Personal Data. Section 9 sets out the operational mechanism.
  • (h) Audit and compliance evidence. Make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, on the terms set out in Section 4.1 below.
  • Instructions that breach the law. Immediately inform the Customer if, in Cat and box LLP's opinion, an instruction from the Customer infringes the UK GDPR, the EU GDPR, or other Data Protection Laws.

4.1 Audit Rights

On no less than 30 days' written notice, and no more than once per calendar year (or more often if required by a supervisory authority or following a material data breach affecting Customer's data), Customer may audit Cat and box LLP's compliance with its Art. 28 obligations under this DPA. Customer bears its own audit costs; Cat and box LLP shall reimburse Customer's reasonable audit costs if the audit reveals a material breach by Cat and box LLP.

Any audit conducted under this Section 4.1 shall be performed by the Customer or by a qualified independent auditor mandated by the Customer and bound by confidentiality, during normal business hours, and in a manner that does not unreasonably disrupt the operation of the Service or compromise the confidentiality of other customers' data. Where Cat and box LLP holds current third-party audit reports (e.g. SOC 2 Type II reports of its Sub-processors, or its own ISO 27001 certification if obtained), Cat and box LLP may satisfy its obligations under this Section 4.1, in whole or in part, by providing those reports under appropriate confidentiality undertakings.

The Customer warrants and undertakes to Cat and box LLP that, in its capacity as Data Controller:

  • It has, and will at all relevant times maintain, a lawful basis under Article 6 of the UK/EU GDPR (and, where applicable, a condition under Article 9) for the Personal Data it provides to, or causes to be processed through, the Service.
  • It has provided all notices, and obtained all consents and authorisations, required under applicable Data Protection Laws from each Data Subject whose Personal Data is processed through the Service — including, in particular, contacts entered into the Contacts and Companies CRM who will receive outbound emails (sharing invitations, OTP magic links, portal notifications) on the Customer's behalf.
  • Its instructions to Cat and box LLP, including the operational use of the Service by its authorised users, comply with all applicable Data Protection Laws, and it will not instruct Cat and box LLP to process Personal Data in any manner that would cause Cat and box LLP to breach those laws.
  • It is responsible for the accuracy, quality, and legality of the Personal Data it submits to the Service and for the means by which it acquired that Personal Data.
  • It will respond to Data Subject rights requests using the in-product tools made available by the Service, and will request additional assistance from Cat and box LLP only where the in-product tools are not sufficient to fulfil the request.
  • Where the Customer uses the Service to send communications to its contacts (including marketing or non-marketing communications), it will comply with the UK Privacy and Electronic Communications Regulations ("PECR"), the EU ePrivacy Directive, and equivalent laws in other jurisdictions where its recipients are located.

Transfer Mechanisms

Cat and box LLP is established in the United Kingdom. Primary Personal Data storage is located in Germany (Hetzner Cloud, Falkenstein and Nuremberg data centres) within the European Economic Area ("EEA"); transfers of Personal Data from the United Kingdom to that EEA infrastructure are covered by the UK Government's adequacy regulations in respect of the EEA. Certain Sub-processors process Personal Data outside the UK and the EEA — specifically Amazon Web Services for the Amazon SES and Amazon Rekognition services described in Section 8 — for the purposes set out in this DPA.

For each transfer of Personal Data from the UK or the EEA to a country in respect of which the UK Government or the European Commission has not issued an adequacy decision, the parties rely on one or more of the following transfer mechanisms, as applicable:

  • EU SCCs. For transfers subject to the EU GDPR, the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 (Module Two: Controller-to-Processor between the Customer and Cat and box LLP; Module Three: Processor-to-Processor for onward transfers to Sub-processors), the operative clauses of which are deemed incorporated into this DPA by reference. Optional clauses are not selected unless the parties agree otherwise in writing.
  • UK transfer tool. For transfers subject to the UK GDPR, the International Data Transfer Agreement ("IDTA") issued by the UK Information Commissioner, or, at Cat and box LLP's option, the UK Addendum to the EU SCCs (version B1.0 or any successor version), in each case deemed incorporated by reference.
  • Adequacy. Where a transfer is to a country covered by a UK adequacy regulation or an EU adequacy decision, the parties may rely on that adequacy decision. Transfers from the UK to the EEA are covered by the UK Government's adequacy regulations for the EEA, and no additional transfer mechanism is required for that route.
  • Supplementary measures. Where required following a transfer risk assessment, Cat and box LLP applies supplementary technical, contractual, and organisational measures consistent with European Data Protection Board Recommendations 01/2020 and ICO guidance on international transfers.

Where personal data is transferred to a Sub-processor in the United States, Cat and box LLP relies on the EU–US Data Privacy Framework ("DPF") and the UK Extension to the DPF (UK–US Data Bridge) where the receiving Sub-processor maintains an active DPF certification. For any US Sub-processor whose DPF certification is not active at the time of transfer, Cat and box LLP shall rely on the EU Standard Contractual Clauses (Commission Decision 2021/914) and the UK Information Commissioner's International Data Transfer Addendum ("UK IDTA") as the alternative transfer mechanism.

The transfer mechanism applicable to each Sub-processor is described in Section 8 (Sub-processor List).

Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, Cat and box LLP implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK/EU GDPR. These measures include, without limitation:

  • Encryption. Encryption of Personal Data in transit (TLS) and, where supported by the underlying storage layer, encryption at rest.
  • Access control. Role-based access controls within the Service, least-privilege administrative access, multi-factor authentication for production access, and audit logging of administrative actions.
  • Authentication. Secure session-cookie implementation (HTTP-only, Secure, SameSite), password hashing using industry-standard algorithms, optional two-factor authentication and Single Sign-On (SAML 2.0 and OpenID Connect) for customers who enable it.
  • Network security. Signed, time-limited URLs for asset delivery via the CDN; rate limiting and IP-based abuse mitigation on authentication endpoints.
  • Malware protection. Antivirus scanning of all uploaded files.
  • Resilience and integrity. Regular backups, infrastructure monitoring, and incident-response procedures designed to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
  • Sub-processor assurance. Use of Sub-processors operating on SOC 2 Type II certified infrastructure where reasonably available; written data-protection terms imposed on every Sub-processor.
  • Personnel. Confidentiality undertakings from personnel with access to Personal Data; security awareness training; documented joiner/leaver access management.
  • Testing. Regular review and testing of the effectiveness of these measures.

Further detail on Cat and box LLP's security posture is set out in Section 8 of the Privacy Policy.

Breach Notification

Cat and box LLP shall notify the Customer of any Personal Data Breach affecting the Customer's Personal Data without undue delay and in any event within 72 hours of becoming aware of the Personal Data Breach. This timing reflects the controller-level standard set out in Article 33(1) of the UK/EU GDPR and is adopted as the processor's notification window under this DPA.

The notification will, to the extent the information is available at the time of notification (and supplemented thereafter without undue delay):

  • Describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned.
  • Communicate the name and contact details of the point of contact at Cat and box LLP from whom more information can be obtained.
  • Describe the likely consequences of the Personal Data Breach.
  • Describe the measures taken or proposed to be taken by Cat and box LLP to address the Personal Data Breach and, where appropriate, measures to mitigate its possible adverse effects.

Cat and box LLP's notification of, or response to, a Personal Data Breach under this Section 7 is not an acknowledgement by Cat and box LLP of any fault or liability with respect to the Personal Data Breach. The Customer remains responsible for any notifications to supervisory authorities under Article 33 and to affected Data Subjects under Article 34 of the UK/EU GDPR; Cat and box LLP will provide reasonable assistance with such notifications.

Sub-processor list last reviewed: 16 May 2026

Cat and box LLP maintains the list of authorised Sub-processors set out below. By accepting the Terms and Conditions and this DPA, the Customer provides general written authorisation, for the purposes of Article 28(2) of the UK/EU GDPR, for Cat and box LLP to engage the Sub-processors listed in this Section 8 and to replace or add Sub-processors as set out below. Cat and box LLP will notify the Customer of any intended addition or replacement of a Sub-processor by updating this page and by sending an email notice to the administrative contact registered against each active Customer account at least 30 days in advance of the change becoming operative. The Customer may object to the change on reasonable data-protection grounds during the notice period by writing to legal@yetone.pro; if the parties cannot agree a resolution, the Customer's sole remedy is to terminate the affected portion of the Service in accordance with the Terms and Conditions. Continued use of the Service after the end of the notice period constitutes acceptance of the updated Sub-processor list.

SeaweedFS (self-operated storage layer)

Status

SeaweedFS is operated by Cat and box LLP as a self-hosted distributed object storage layer running on infrastructure provided by Hetzner Cloud (see Hetzner entry below). It is not a third-party Sub-processor — it is a software component we operate ourselves. The IaaS provider hosting the SeaweedFS volumes is listed separately as Hetzner Cloud.

Purpose

Distributed object storage for asset files. YetOnePro uses SeaweedFS to store and retrieve all uploaded digital assets, including files that may contain Personal Data.

Data Categories

Customer-uploaded files (which may contain Personal Data of Data Subjects within file content or embedded metadata), file metadata, derived assets (thumbnails, transcoded variants, image previews).

Operator

Cat and box LLP (self-operated). Security and processing terms are governed by this DPA. The underlying IaaS provider is Hetzner Cloud (see Hetzner Cloud entry below).

BunnyCDN (BunnyWay d.o.o.)

Purpose

Content delivery network for signed asset URLs. YetOnePro uses BunnyCDN to serve uploaded files to end users via signed, time-limited URLs for secure access control.

Data Categories

Cached file content (which may contain Personal Data), IP addresses of file-access requests, HTTP request metadata (user agent, referrer, request path), CDN-level access logs.

Geographic Region

BunnyCDN operates a global network of edge points of presence. The Customer's content may be cached at edge nodes in the EEA, the United Kingdom, and other regions worldwide for delivery performance. BunnyWay d.o.o. is established in Slovenia (EEA). Transfers outside the UK/EEA are governed by BunnyCDN's published DPA and the SCCs / UK IDTA incorporated by reference.

Website

bunny.net — DPA: bunny.net/dpa

Amazon SES (Amazon Web Services EMEA SARL / Amazon Web Services, Inc.)

Purpose

Transactional email delivery. YetOnePro uses Amazon Simple Email Service ("SES") to send service-related emails, including account and security messages, asset-share invitations, portal access links, and OTP magic-link emails to Customer-uploaded contacts and workspace members.

Data Categories

Recipient email addresses, sender identity headers, email subject lines, and email body content (which may include OTP codes, signed share links, asset names, and the names of inviting users).

Geographic Region

Amazon SES processes Customer email through AWS regions selected by Cat and box LLP. Where transmission to AWS regions outside the UK/EEA occurs, the transfer is governed by the AWS GDPR Data Processing Addendum and the SCCs / UK IDTA. AWS holds SOC 2 Type II and ISO 27001 certifications.

Amazon Rekognition (Amazon Web Services EMEA SARL / Amazon Web Services, Inc.)

Purpose

Automatic image tagging. Small copies of uploaded images are transmitted to Amazon Rekognition, which returns suggested tags based on image content for the Customer to accept, modify, or reject. Tags are recommendations only; no automated decisions producing legal effects are made on the basis of Rekognition output.

Data Categories

Small derivative copies of Customer-uploaded images (used only for label extraction; not retained beyond the API call). The derivative copies may incidentally contain Personal Data such as the likeness of individuals. Cat and box LLP has attached an AWS AI Services Opt-Out Policy at the AWS Organization root, opting out of AWS's use of Customer content submitted to AWS AI services (including Rekognition) for the development or improvement of AWS AI/ML services.

Geographic Region

The Rekognition endpoint used by the Service is hosted by AWS. Where transmission to AWS regions outside the UK/EEA occurs (including AWS US regions), the transfer is governed by the EU–US Data Privacy Framework and the UK Extension thereto in respect of Amazon Web Services, Inc. (which maintains an active DPF certification under the Amazon.com, Inc. umbrella), with the AWS GDPR Data Processing Addendum and the SCCs / UK IDTA as the fallback mechanism.

Hetzner Cloud (Hetzner Online GmbH)

Purpose

Infrastructure-as-a-Service provider hosting YetOnePro's application servers, databases, and SeaweedFS storage volumes.

Data Categories

All Customer personal data stored, transmitted, or processed by the Service — including uploaded files, account information, customer-uploaded contacts, and audit logs — physically resides on virtual machines and block storage provided by Hetzner Cloud.

Geographic Region

Germany (Falkenstein and Nuremberg data centres). Hetzner is an EU-based provider; no international transfer mechanism is required between the UK and EEA (adequacy decision applies between UK and EEA).

The following third parties process Personal Data in connection with the Service as independent data controllers, not as Sub-processors of Cat and box LLP. They are listed here for transparency and to satisfy the Customer's transfer-risk-assessment requirements. The legal relationship between the Customer (or its end users) and each independent controller is governed by that controller's own privacy notice, terms of service, and data-processing terms — not by this DPA.

Stripe, Inc. (and Stripe Payments Europe, Ltd.)

Role

Stripe, Inc. processes Customer billing and payment information as an independent data controller, not a Sub-processor of Cat and box LLP. Stripe's processing is governed by Stripe's own privacy notice and Data Processing Addendum, accepted directly by Customer when entering payment information.

Data Categories

Billing contact information (name, email, billing address), payment instrument metadata (card brand, last four digits, expiry — card numbers themselves are tokenised by Stripe and are not transmitted to or stored by Cat and box LLP), transaction history, tax identifiers where provided.

Geographic Region / Transfer Mechanism

Stripe processes payments through its global infrastructure including the EEA, the United Kingdom, and the United States. Stripe, Inc. maintains an active certification under the EU–US Data Privacy Framework, the UK Extension to the DPF, and the Swiss–US DPF. Stripe's published DPA and the SCCs / UK IDTA apply as fallback transfer mechanisms.

Google LLC — Google Analytics

Role

Google LLC operates Google Analytics on the YetOnePro marketing website and customer dashboard. Google Analytics collects analytics data as an independent data controller, not as a Sub-processor of Cat and box LLP. See the Cookie Policy for details, consent mechanisms, and opt-out options.

Data Categories

Pseudonymous identifiers (Google Analytics client ID), truncated IP address, pages visited, referrer, device and browser information, broad geolocation derived from IP. Google Analytics is configured with IP anonymisation enabled where supported. Analytics cookies are loaded only after the user grants consent via the cookie banner.

Geographic Region / Transfer Mechanism

Data is processed by Google Ireland Limited (EEA) and Google LLC (United States). Google LLC maintains an active certification under the EU–US Data Privacy Framework and the UK Extension thereto, with Google's published SCCs / UK IDTA as fallback transfer mechanism.

Website

marketingplatform.google.com/about/analytics — Data transfer frameworks: policies.google.com/privacy/frameworks — See also the YetOnePro Cookie Policy.

On termination or expiry of the Customer's subscription, or on earlier written request by the Customer, Cat and box LLP will, at the Customer's election:

  • Return the Customer's Personal Data in a structured, commonly used, machine-readable format using the in-product export tools, or, where the volume of Personal Data exceeds the limits of those tools, by another reasonable method agreed between the parties; or
  • Delete the Customer's Personal Data from production systems.

Unless the Customer instructs otherwise in writing before the end of the subscription, Cat and box LLP will delete the Customer's Personal Data from production systems within 30 days of termination, in line with the retention periods set out in Section 7 of the Privacy Policy. Personal Data held in encrypted backups will be deleted in accordance with the standard backup-rotation schedule and will not be restored to production except as required to meet a continuing legal obligation. Cat and box LLP will, on written request, provide written confirmation of deletion to the Customer.

Cat and box LLP may retain Personal Data after termination only to the extent required by applicable law (including tax, accounting, and financial-record-keeping obligations, which typically require retention of billing records for 7 years), and only for as long as that legal obligation requires. Any Personal Data so retained shall remain subject to the obligations of this DPA, in particular the security obligations set out in Section 7.

Cat and box LLP
Email: legal@yetone.pro
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Amendments. Cat and box LLP may update this DPA from time to time to reflect changes in applicable Data Protection Laws, in the Service, or in its Sub-processor arrangements. Cat and box LLP will give the Customer at least 30 days' advance written notice of any material change by updating this page and by sending an email notice to the administrative contact registered against each active Customer account. Non-material amendments (including corrections of typographical errors, clarifications that do not reduce the Customer's rights, and updates to references to UK / EU SCCs to reflect their then-current version) take effect on posting. The Customer's continued use of the Service after the end of the notice period constitutes acceptance of the amended DPA. If the Customer does not accept a material amendment, its sole remedy is to terminate the affected portion of the Service in accordance with the Terms and Conditions before the amendment takes effect.

Order of precedence. In the event of any conflict between this DPA and the Terms and Conditions in respect of the processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the EU SCCs or UK IDTA incorporated by reference, the SCCs / IDTA prevail to the extent of the conflict and only in respect of the transfers to which they apply.