InWren

DATA PROCESSING AGREEMENT

Between Customer and InWren, Inc.

Effective Date: February 7, 2026

This Data Processing Agreement ("DPA") is entered into between the customer ("Customer," "you," or "your") and InWren, Inc. ("InWren," "Processor," "we," "us," or "our"), a Delaware corporation with its principal place of business at 8 The Green, Ste A, Dover, DE 19901. This DPA is incorporated into and forms part of the InWren Terms of Service ("Agreement") and governs the processing of Personal Data by InWren on behalf of Customer in connection with the Services.

1. DEFINITIONS

  • "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, Swiss Federal Act on Data Protection, California Consumer Privacy Act (CCPA), and other applicable privacy laws.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data. For purposes of this DPA, Customer is the Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "EEA" means the European Economic Area.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by InWren on behalf of Customer in connection with the Services.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Processor" means an entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, InWren is the Processor.
  • "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Services" means the products, services, platforms, and applications provided by InWren to Customer as described in the Agreement.
  • "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "Sub-processor" means any third party engaged by InWren to process Personal Data on behalf of Customer.

2. SCOPE AND ROLES

  • Roles: Customer is the Controller and InWren is the Processor with respect to Personal Data processed under this DPA.
  • Purpose: InWren will process Personal Data only for the purpose of providing the Services to Customer and as documented in this DPA and the Agreement.
  • Nature of Processing: Storage, retrieval, analysis, organization, and transmission of Personal Data as necessary to provide the Services.
  • Categories of Data Subjects: Customer's end-users, employees, customers, prospects, and other individuals whose Personal Data is submitted to the Services by or on behalf of Customer.
  • Types of Personal Data: Contact information (name, email, phone), account information, transaction data, usage data, device information, location data, and any other Personal Data submitted by Customer to the Services.

3. CUSTOMER OBLIGATIONS

Lawfulness of Processing: Customer represents and warrants that: (a) it has obtained all necessary consents and has a lawful basis to collect and process Personal Data; (b) its instructions to InWren comply with Applicable Data Protection Law; and (c) the processing of Personal Data in accordance with Customer's instructions will not cause InWren to violate Applicable Data Protection Law.

Instructions: Customer will provide documented instructions regarding the processing of Personal Data. InWren will process Personal Data only in accordance with Customer's documented instructions, except where required to do so by applicable law.

Data Subject Rights: Customer is responsible for responding to Data Subject requests concerning their Personal Data. InWren will provide reasonable assistance as set forth in Section 7.

4. INWREN OBLIGATIONS

Processing Instructions: InWren will process Personal Data only in accordance with Customer's documented instructions unless required to do so by applicable law, in which case InWren will inform Customer of such legal requirement before processing (unless prohibited by law).

Confidentiality: InWren will ensure that persons authorized to process Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

Illegal Instructions: If InWren believes that any instruction from Customer violates Applicable Data Protection Law, InWren will promptly inform Customer and may suspend processing until Customer confirms or modifies the instruction.

Return or Deletion: Upon termination of the Agreement, InWren will, at Customer's choice, delete or return all Personal Data to Customer and delete existing copies, unless applicable law requires continued storage.

AI and machine learning instructions: Processor shall not use Personal Data, Customer Data, or any data derived from the Services, including aggregated or anonymized data that can reasonably be linked to a Customer or Data Subject, to train, improve, or develop generalized artificial intelligence or machine learning models without the Controller’s prior explicit written consent.

Processor shall not combine Personal Data across customers for purposes of training or improving generalized models.

Processor may process limited system telemetry solely for security, reliability, and service improvement purposes, provided such processing does not involve training generalized AI models on Customer Personal Data.

5. SECURITY MEASURES

Security Obligations: InWren will implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents and to preserve the security and confidentiality of Personal Data, including the measures set forth in Annex A (Security Measures).

Security Standards: InWren maintains SOC 2 Type II certification and implements industry-standard security practices including encryption (AES-256 at rest, TLS 1.2+ in transit), multi-factor authentication, role-based access controls, continuous monitoring, and regular security assessments.

6. SECURITY INCIDENTS

Notification: InWren will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer's Personal Data.

Such notification will be sent to the email address associated with Customer's account.

Information Provided: The notification will include, to the extent known: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects and Personal Data records concerned; (c) the likely consequences; and (d) measures taken or proposed to address the Security Incident.

Cooperation: InWren will cooperate with Customer and take reasonable steps to remediate the Security Incident.

7. DATA SUBJECT RIGHTS

Assistance: Taking into account the nature of the processing, InWren will provide reasonable assistance to Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, data portability, and objection.

Redirection: If InWren receives a Data Subject request directly, InWren will promptly redirect the Data Subject to Customer and will not respond to such request without Customer's prior written consent, except as required by applicable law.

Automated decision making assistance: Where Services enable automated workflows configured by Controller, Processor shall provide reasonable assistance to support Data Subjects in exercising their rights, including human intervention and contesting automated decisions producing significant effects.

8. SUB-PROCESSORS

Authorization: Customer provides general authorization for InWren to engage Sub-processors to process Personal Data, provided that InWren: (a) maintains an up-to-date list of Sub-processors available at www.inwren.com/subprocessors or upon request at privacy@inwren.com; (b) imposes data protection obligations on Sub-processors that provide at least the same level of protection as this DPA; and (c) remains liable for Sub-processor's compliance.

Notification and Objection: InWren will provide Customer with at least 30 days' notice before adding or replacing any Sub-processor.

Customer may object to a new Sub-processor on reasonable grounds relating to data protection by notifying InWren in writing within 30 days of receiving notice.

If Customer objects, InWren will either: (a) not use the Sub-processor; or (b) provide Customer with a commercially reasonable alternative.

If no alternative is available, either party may terminate the affected Services upon written notice.

Current Sub-processors: A current list of Sub-processors is set forth in Annex B and available at www.inwren.com/subprocessors.

9. AUDITS AND COMPLIANCE

Audit Rights: InWren will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer.

Audit Procedure: Customer may audit InWren's compliance with this DPA no more than once per year, upon 30 days' prior written notice, during normal business hours, and in a manner that does not unreasonably interfere with InWren's operations. Customer will be responsible for the costs of such audit.

Alternative Verification: In lieu of conducting an audit, Customer may request and InWren will provide a copy of InWren's most recent SOC 2 Type II report or other third-party audit reports, subject to confidentiality obligations.

10. INTERNATIONAL TRANSFERS

Data Transfers: Personal Data may be transferred to and processed in the United States and other countries where InWren or its Sub-processors maintain facilities.

Standard Contractual Clauses: For transfers of Personal Data from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, the parties agree to be bound by the Standard Contractual Clauses (Controller-to-Processor) as set forth in Annex C. The SCCs are hereby incorporated by reference and form an integral part of this DPA.

Supplementary Measures: InWren implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and other safeguards described in Annex A.

11. ASSISTANCE WITH IMPACT ASSESSMENTS

InWren will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities as required by Applicable Data Protection Law, taking into account the nature of processing and information available to InWren.

12. LIMITATION OF LIABILITY

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.

Nothing in this DPA limits either party's liability for damages that cannot be excluded or limited under Applicable Data Protection Law.

13. TERM AND TERMINATION

Term: This DPA will commence on the date Customer first uses the Services and will remain in effect until the termination of the Agreement.

Survival: Sections relating to confidentiality, data return/deletion, and limitation of liability will survive termination of this DPA.

14. CONFLICTS

In the event of any conflict between this DPA and the Agreement, this DPA will prevail to the extent of the conflict.

In the event of any conflict between this DPA and the Standard Contractual Clauses, the SCCs will prevail.

15. GOVERNING LAW AND JURISDICTION

This DPA will be governed by the laws specified in the Agreement, except where the Standard Contractual Clauses require otherwise, in which case the governing law and jurisdiction provisions of the SCCs will apply.

ANNEX A: SECURITY MEASURES

InWren implements and maintains the following technical and organizational security measures:

A.1 Access Control

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) for all administrative access
  • Regular access reviews and immediate revocation upon termination
  • Unique user credentials for all personnel

A.2 Encryption

  • Data encrypted at rest using AES-256 encryption
  • Data encrypted in transit using TLS 1.2 or higher
  • Secure key management with regular rotation

A.3 Network Security

  • Firewall protection and network segmentation
  • Intrusion detection and prevention systems (IDS/IPS)
  • Virtual private networks (VPNs) for remote access
  • DDoS protection and mitigation

A.4 Monitoring and Logging

  • 24/7 security monitoring and alerting
  • Comprehensive audit logging of access and activities
  • Security information and event management (SIEM)

A.5 Vulnerability Management

  • Regular vulnerability scanning and penetration testing
  • Timely patching and security updates
  • Secure software development lifecycle (SDLC)

A.6 Physical Security

  • Data centers with 24/7 physical security and access controls
  • Biometric access controls and video surveillance
  • Environmental controls (fire suppression, cooling, power redundancy)

A.7 Incident Response

  • Documented incident response plan and procedures
  • Incident response team with defined roles and responsibilities
  • Regular incident response drills and testing

A.8 Personnel Security

  • Background checks for employees with access to Personal Data
  • Mandatory security and privacy training for all personnel
  • Confidentiality agreements and data protection obligations

A.9 Business Continuity

  • Regular data backups with encryption
  • Disaster recovery and business continuity plans
  • Geographic redundancy and failover capabilities

A.10 Compliance and Certification

  • SOC 2 Type II certification (annual audits)
  • Regular third-party security assessments
  • Compliance with industry standards and best practices

ANNEX B: SUB-PROCESSORS

The current list of Sub-processors authorized by InWren to process Personal Data is available at www.inwren.com/subprocessors and upon request at privacy@inwren.com.

As of the Effective Date, InWren's Sub-processors include:

Infrastructure and Hosting Providers

  • Amazon Web Services (AWS) - Cloud infrastructure and data storage (United States)
  • Google Cloud Platform - Cloud computing and storage services (United States)

Email and Communication Services

  • SendGrid/Twilio - Transactional email delivery (United States)

Analytics and Monitoring

  • Google Analytics - Usage analytics and monitoring (United States)
  • Datadog - Application performance monitoring (United States)

Payment Processing

  • Stripe, Inc. - Payment processing services (United States)

Customer Support

  • Zendesk - Customer support and ticketing (United States)

ANNEX C: STANDARD CONTRACTUAL CLAUSES

For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to InWren in the United States, the parties agree to comply with the Standard Contractual Clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller-to-Processor transfers).

Module Two: Controller to Processor

The parties agree to the Standard Contractual Clauses with the following specifications:

  • Clause 7 (Docking Clause): Optional clause not used
  • Clause 9 (Use of Sub-processors): Option 2 (General written authorization) applies. Sub-processors are listed in Annex B.
  • Clause 11 (Redress): Optional clause not used
  • Clause 17 (Governing Law): The laws of Ireland apply
  • Clause 18 (Choice of Forum): Courts of Ireland have jurisdiction

Annex I: Details of Processing

A. List of Parties

Data Exporter: Customer (contact details as provided in Customer's account)

Data Importer: InWren, Inc., 8 The Green, Ste A, Dover, DE 19901, United States, privacy@inwren.com

B. Description of Transfer

  • Categories of Data Subjects: Customer's end-users, employees, customers, prospects, and other individuals
  • Categories of Personal Data: Contact information, account information, transaction data, usage data, device information, location data
  • Sensitive Data: None, unless specifically provided by Customer
  • Frequency of Transfer: Continuous during the term of the Agreement
  • Nature of Processing: Storage, retrieval, analysis, organization, and transmission as necessary to provide the Services
  • Purpose: Provision of Services as described in the Agreement
  • Retention Period: Duration of the Agreement plus applicable retention periods as specified in the Privacy Policy

C. Competent Supervisory Authority

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer.

Annex II: Technical and Organizational Measures

The technical and organizational measures implemented by InWren are set forth in Annex A (Security Measures) of this DPA.

Annex III: List of Sub-processors

The list of authorized Sub-processors is set forth in Annex B of this DPA and is available at www.inwren.com/subprocessors.

UK Addendum to the Standard Contractual Clauses

For transfers of Personal Data subject to UK data protection law, the parties agree to the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner's Office, which is incorporated by reference.

Swiss Addendum to the Standard Contractual Clauses

For transfers of Personal Data subject to Swiss data protection law, the Standard Contractual Clauses are amended as follows: (a) references to "Regulation (EU) 2016/679" are replaced with references to the Swiss Federal Act on Data Protection; (b) references to "EU Member State" are replaced with "Switzerland"; (c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (d) the governing law is the laws of Switzerland.

ACCEPTANCE

By using the Services, Customer agrees to be bound by this DPA.

This DPA is effective as of the date Customer first uses the Services or the Effective Date stated above, whichever is earlier.

InWren, Inc.

8 The Green, Ste A, Dover, DE 19901, United States

privacy@inwren.com | www.inwren.com/dpa

Version 1.0 | Effective February 7, 2026