Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and Dregs LLC ("Processor", "we", "us") for the use of the Dregs platform ("Service"). This DPA applies to the extent that we process Personal Data on your behalf in the course of providing the Service.

If there is a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data on your behalf, this DPA controls to that extent.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that you submit to the Service through the tracking script, API, dashboard, or related functionality. "Processing" means any operation performed on Personal Data, including collection, storage, organization, analysis, retrieval, disclosure, and deletion. "Sub-Processor" means a third party engaged by us to process Personal Data on your behalf. Terms not defined here have the meanings given in applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") where applicable.

2. Details of Processing

The details of the Processing covered by this DPA are as follows:

• Subject matter: Processing necessary to provide the Service and related support, security, fraud detection, and account administration functionality requested by you
• Duration: For as long as we provide the Service to you and for any limited retention period thereafter permitted under this DPA, our agreement with you, or applicable law
• Nature and purpose: Receiving, storing, organizing, retrieving, analyzing, displaying, transmitting, and deleting Personal Data in order to deliver fraud detection scoring, identity analysis, event processing, alerting, optional AI-assisted reviews, customer support, security, and related Service functions
• Categories of data subjects: Your personnel, end users, prospects, visitors, customers, or other individuals whose data you choose to submit to the Service
• Types of Personal Data: Account and contact information, event and usage data, device, browser, and network information (including IP addresses), identifiers, names, emails, profile fields, fraud-analysis outputs, notes, and other data you choose to submit

3. Your Obligations

You are responsible for ensuring that you have a lawful basis for collecting and submitting Personal Data to the Service, including providing appropriate notices and obtaining any required consents or authorizations from data subjects. You are also responsible for the accuracy, quality, and legality of the Personal Data you submit and for configuring the Service in a manner that complies with applicable data protection laws.

Unless we expressly agree otherwise in writing, you will not use the Service to process passwords, full payment card numbers, protected health information, government-issued identification numbers, or special-category or similarly sensitive Personal Data.

4. Our Processing Commitments

We will:

• Process Personal Data only on your documented instructions, as reflected in your use and configuration of the Service, this DPA, and any written instructions you provide that we agree to follow, unless otherwise required by law
• Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
• Notify you if, in our opinion, an instruction infringes applicable data protection law, unless prohibited from doing so by law
• Not sell Personal Data submitted to the Service or use it for third-party advertising
• Maintain technical and organizational measures designed to protect Personal Data as described in our Security Policy

5. Sub-Processors

You provide general written authorization for us to engage Sub-Processors to assist in providing the Service. We maintain a list of current Sub-Processors at dregs.com/legal/sub-processors.

We will impose data protection obligations on Sub-Processors that are appropriate to the nature of the services they provide and will remain responsible for their processing to the extent required by applicable law. If you reasonably object to a new Sub-Processor on data protection grounds, you may notify us promptly after the update and, if we cannot reasonably address your objection, either party may terminate the affected Service.

6. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area, the United Kingdom, or other jurisdictions from which the data originated. Where required, we will implement an appropriate transfer mechanism, which may include Standard Contractual Clauses or another legally recognized safeguard.

If additional transfer terms are reasonably required for your use of the Service, the parties will cooperate in good faith to execute them.

7. Security

We maintain technical and organizational measures intended to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the nature of the Personal Data and the risks presented by the Processing. While no system can guarantee absolute security, we will maintain and improve these protections in the ordinary course of business.

8. Assistance

Taking into account the nature of the Processing and the information available to us, we will provide reasonable assistance to help you respond to data subject requests and to help you comply with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with regulators, to the extent required by applicable law.

We may satisfy these obligations through existing Service functionality, documentation, or support processes. If your requested assistance requires material additional effort beyond what is included in the Service, we may charge reasonable fees for that assistance.

9. Personal Data Breach Notification

If we become aware of a confirmed Personal Data breach affecting Personal Data processed under this DPA, we will notify you without undue delay after becoming aware of it. Our notification may be provided in phases as information becomes available and will include the information reasonably available to us about the nature of the incident and the measures taken or proposed to address it.

10. Deletion and Return of Personal Data

During the term, you may access and export certain Personal Data using the Service functionality made available to you. Upon termination or expiration of the Service, and except to the extent applicable law requires retention, we will delete or render inaccessible Personal Data within a reasonable period in accordance with our standard retention processes.

If you make a written request on or before termination and return is technically feasible, we will make Personal Data available for return using then-current functionality or another commercially reasonable method. We may retain archived or backup copies until they are deleted in the ordinary course of business.

11. Demonstrating Compliance

Upon reasonable written request, and no more than once annually unless required by applicable law or following a confirmed security incident, we will make available information reasonably necessary to demonstrate our compliance with this DPA.

We may satisfy audit or information requests through documentation, summaries of our security controls, questionnaires, certifications, or third-party audit reports where available, rather than permitting direct on-site inspections. Any review must be subject to reasonable confidentiality, security, and non-disruption requirements, and you will bear your own costs and any reasonable costs we incur in supporting the request.

12. Liability

The liability of each party arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service, to the maximum extent permitted by applicable law.

13. Term and Survival

This DPA remains in effect for as long as we process Personal Data on your behalf. Any provisions that by their nature should survive termination, including provisions relating to confidentiality, deletion, liability, and restrictions on further use of Personal Data, will survive termination for so long as applicable.

14. Contact

For questions about this DPA, contact us at privacy@dregs.com.