Data Processing Addendum

Last updated: October 13, 2025

This Snovio Data Processing Addendum (hereinafter ‘DPA’) supplements the Snovio Terms and Conditions (hereinafter ‘Terms’), the agreement between you (hereinafter ‘User’ ‘Customer’, ‘you’, ‘your’) and Snovio Inc. (hereinafter ‘Company’, ‘Snov.io’, ‘Snovio’, ‘we’, ‘us’ or ‘our’) which is governing the processing of personal data that you upload or otherwise provide Snovio in connection with the Services or of any personal data that Snovio obtains in connection with the performance of the Services, hereinafter referred to individually as a ‘Party’ or together as the ‘Parties’.

Unless otherwise defined in this DPA, all capitalized terms used in this DPA will have the meanings set forth in Snovio’s Terms and Conditions (hereinafter ‘Terms’). This DPA shall remain in force until the termination of the Terms between you and us governing your use of the Services.

“Data Exporter” means a legal entity or a natural person that acts as a Data Controller or Processor in the meaning of the Applicable Laws and Regulations and transfers Personal Data to a Data Importer under this DPA.

“Data Importer” means a legal entity or a natural person that acts as a Data Processor that receives Personal Data from the Data Exporter under this DPA.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, the United States and its states, Brazil, applicable to the processing of personal data under the Terms as amended from time to time, such as GDPR, UK Data Protection Laws, Brazil’s Data Protection Laws or other applicable laws and regulations.

“General Data Protection Regulation (GDPR)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“Brazil’s Data Protection Laws” means Law No. 13,709, of August 14, 2018, as amended by Law No. 13,853 of July 8, 2019 (Lei Geral de Proteção de Dados (LGPD)) and Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses.

“International Data Transfer” means the transfer of personal data to a foreign country or to an international organization of which the country is a member.

“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (retained version of the EU GDPR).

“EU Standard Contractual Clauses (EU SCCs)” means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“UK Addendum” means International Data Transfer Addendum to the EU Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“Standard Contractual Clauses published by the Brazilian Data Protection Authority” means standard contractual clauses, prepared and approved by the Brazilian Data Protection Authority (ANPD), that establish minimum guarantees and valid conditions for carrying out an international data transfer based on item II(b) of Article 33 of Law No. 13,709, of August 14, 2018, as currently set out at https://www.gov.br/anpd/pt-br/documentos-e-publicacoes/documentos-de-publicacoes/regulation-on-international-transfer-of-personal-data.pdf/.

“controller”, “processor”, “data subject”, “personal data” and “processing” have the meanings given in Data Protection Laws and Regulations.

“Customer Data” means personal data that you upload or otherwise provide to Snovio in connection with the Services or any personal data that Snovio obtains in connection with the performance of the Services.

“Sub-processor” means any entity that provides processing services to Snovio in furtherance of Snovio’s processing on behalf of the Customer.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Supervisory Authority” means an independent public authority to be responsible for monitoring the application of the data protection legislation.

“Services” means sourcing, lead generation, and sales automation services provided by the Company via the online platform and web application to Customers.

Where Snovio processes Customer Data on your behalf in connection with Services, you acknowledge and agree that with regard to the processing of Customer Data, you are a Controller or Processor, and we are a Processor or Sub-processor (as defined by the Data Protection Laws and Regulations) acting on your behalf. A description of such processing is set out in Schedule 1 of this DPA. This DPA shall apply accordingly to established roles and not apply to situations where we act as a Controller in accordance with Snovio’s Privacy Policy.

The Parties agree that this DPA and the Terms (including the provision of instructions via browser extensions) constitute your complete and final documented instructions regarding our processing of Customer Data on your behalf (hereinafter ‘Instructions’). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Terms.

The processing of Customer Data on your behalf in connection with Services is described in Schedule 1of this DPA. We reserve the right to update the description of processing from time to time to reflect new functionality that is part of the Services.

Within the scope of the DPA and Terms and your use of the Services, including our integration with HubSpot and/or Pipedrive, you will be solely responsible for complying with all requirements that apply to you under the Data Protection Laws and Regulations. You represent and warrant that you will be solely responsible for:

(i) the accuracy, quality, integrity, confidentiality, and security of collected Customer Data;

(ii) complying with all necessary transparency, lawfulness, fairness, and other requirements under Data Protection Laws and Regulations for the collection and use of personal data by: establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of Customer; providing us only with data that has been lawfully and validly obtained and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA and Terms by your personnel or by any third-party accessing or using Customer Data on your behalf; and

(iii) ensuring that your Instructions to us regarding the processing of Customer Data comply with the Data Protection Laws and Regulations, including complying with principles of data minimization, purpose and storage limitation.

6.1. General Obligations

With regard to the processing of Customer Data, we shall:

(i) process Customer Data using appropriate technical and organizational security measures, and in compliance with the Instructions received from the Customer subject to Section 3 of this DPA;

(ii) inform Customer if, in our opinion, a Customer’s Instructions may be in violation of the provisions of the Data Protection Laws and Regulations;

(iii) follow Customer’s instructions regarding the collection of Customer Data, in case we are obtaining Customer Data from data subjects on behalf of Customer under Terms;

(iv) take reasonable steps to ensure that any employee/contractor to whom we authorize access to Customer Data on our behalf comply with respective provisions of the Terms and this DPA.

6.2. Notices to Customer

Upon becoming aware, we shall inform you of any legally binding request for disclosure of Customer Data by a Public Authority, unless we are otherwise forbidden by law to inform the Customer, for instance, to preserve the confidentiality of investigation by a Public Authority. We will inform the Customer if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of Customer Data under this DPA conducted between you and us.

6.3. Security measures

We shall implement and maintain appropriate technical and organizational measures to protect Customer Data from personal data breaches (hereinafter ‘Security Incidents’), in accordance with our security standards set out in Schedule 2 of this DPA. You acknowledge that security measures are subject to technical progress so that we may modify or update Schedule 2 of this DPA at our sole discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA.

6.4. Security Incident

Upon becoming aware of a Security Incident, we shall:

(i) notify you without undue delay after we become aware of the Security Incident;

(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you; and

(iii) promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected Data Subjects of the Security Incident. Our notification of or response to a Security Incident shall not be construed as an acknowledgment by us of any fault or liability regarding the Security Incident.

6.5. Confidentiality

We will not access or use, or disclose to any third party any Customer Data, except, in each case, as necessary to maintain or provide the Services or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). We shall ensure that any employee/contractor whom we authorize to access Customer Data on our behalf is subject to appropriate confidentiality contractual or statutory duty obligations with respect to Customer Data.

6.6. Return or deletion of Customer Data

Upon termination or expiration of the Terms concluded between you and us, we shall delete all Customer Data in our possession or control; except that this requirement shall not apply to the extent we are required by applicable law or respective contractual obligations to retain some or all of the Customer Data.

6.7. Reasonable Assistance

We agree to provide reasonable assistance to the Customer regarding:

(i) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Customer Data that we process on behalf of Customer. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;

(ii) the investigation of the Security Incident and communication of necessary notifications regarding such Security Incidents subject to Section 6.4 of this DPA;

(iii) preparation of data protection impact assessments and, where necessary, consultation of Customer with the Supervisory Authority under Articles 35 and 36 of the GDPR.

6.8. Audit and Certification

If a Supervisory Authority requires an audit of the data processing facilities from which we process Customer Data to ascertain or monitor Customer's compliance with Data Protection Laws and Regulations, we will cooperate with such audit. The Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.

The Customer may, prior to the commencement of processing and at regular intervals, thereafter, audit the technical and organizational measures taken by us. If the Customer is the controller with respect to the personal data processed by us on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide the Customer with all information necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer with respect to such processing.

We shall, upon the Customer’s written request and within a reasonable period, provide the Customer with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

In the event that a data subject contacts us with regard to the exercise of their rights under Data Protection Laws and Regulations (in particular, requests for access to, rectification, or deletion of Customer Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.

You agree that we may engage Sub-processors to assist in fulfilling our obligations with respect to the provision of the Services under the Terms. The agreed list of Sub-processors is set out in Schedule 3 of this DPA.

9.1. General

Parties agree that when the processing of Customer Data on behalf of Customer in connection with Services constitutes a transfer under Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum which are deemed to incorporated into and form part of this DPA as further described in subsections 9.2, 9.3 and 9.4 of this DPA. If and to the extent the EU SCCs and/or UK Addendum and/or Brazil’s SCCs, as applicable, conflict with any provision of the DPA, the EU SCCs, UK Addendum, Brazil’s SCCs shall prevail to the extent of such conflict.

9.2. Transfers under the GDPR

When the processing of Customer Data on behalf of a Customer in connection with Services constitutes a “transfer” under the GDPR, Standard Contractual Clauses shall apply. When you are a Controller, and we are a Processor, Module Two of the EU SCCs shall apply, and when you are a Processor, and we are a Sub-processor, Module Three of the EU SCCs shall apply.

For the purpose of the EU SCCs, we are a “Data Importer”, and you are a “Data Exporter”. The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs are deemed to be completed as follows:

(i) in Clause 7, the optional docking clause shall not apply;

(ii) in Clause 9, Option 2 (General written authorization) shall apply. For the purpose of Clause 9(a), the time period for informing of the Data Exporter shall be 10 days;

(iii) in Clause 11, the optional provision shall not apply;

(iv) in Clause 13, a particular option shall apply depending on the specific case;

(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of the Federal Republic of Germany;

(vi) in Clause 18(b), disputes shall be resolved by the courts of the Federal Republic of Germany;

(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;

(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA.

9.3. Transfers under UK Data Protection Laws

When the processing of Customer Data on behalf of Customer in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws, the UK Addendum shall apply. When you are a Controller, and we are a Processor, Module Two of the EU SCCs shall apply, and when you are a Processor, and we are a Sub-processor, Module Three of the EU SCCs shall apply, as completed in subsection 9.2 of this DPA.

For the purpose of the UK Addendum, we are an “Importer”, and you are an “Exporter”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum are deemed to be completed as follows:

(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA, and the official registration number of the Importer is 6896854, and the official registration number of the Exporter is contained in the Customer’s account, if any;

(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 9.2 of this DPA;

(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2, and 3 of this DPA;

(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.

9.4. Transfers under Brazil’s Data Protection Laws

When the processing of Customer Data on behalf of a Customer in connection with Services constitutes an “International Data Transfer” under Brazil’s Data Protection Laws, the Standard Contractual Clauses published by the Brazilian Data Protection Authority shall apply.

For the purpose of the SCCs, published by the Brazilian Data Protection Authority, we are an “Importer”, and you are an “Exporter”. The relevant provisions contained in Brazil’s Data Protection Laws are incorporated by reference and are an integral part of this DPA. Sections and Clauses of the SCCs, published by the Brazilian Data Protection Authority, are deemed to be completed as follows:

(i) in Clause 1, the tables with the information about the Exporter and Importer are deemed to be completed with the information as defined in this DPA. The Company is the ‘Importer’ and ‘Processor’, and the Customer is the ‘Exporter’ and ‘Controller’ or ‘Processor’ depending on the specific case;

(ii) in Clause 2 is deemed completed with the information set out in Schedule 1 of this DPA;

(iii) in Clause 3, Option B shall apply, which is deemed to be completed with the information set out in Schedule 1 of this DPA.

The main purposes of the onward transfer is the performance of the services.

Categories of personal data transferred are personal data of Prospects (including email address, first name, last name, corporate email, location (not precise), industry, current and previous position, place of work, links to social media, сlient’s notes about a particular prospect), personal data provided within the Snovio CRM service, including information used in the ‘Deals’ and ‘Tasks’ features of CRM, business information such as company name, location, website, HQ phone, year of foundation, industry, company size, and company social media that may include personal data, synchronized data provided by the Customer during the integration of their HubSpot and/or Pipedrive account with the Data Importer’s platform. any other personal data, which is uploaded to the Data Importer’s platform by the Data Exporter.

The period of data storage corresponds to the duration of this DPA concluded between the Data Importer and the Data Exporter, unless otherwise agreed in writing or the Data Importer is required by applicable law to retain some or all of the transferred personal data;

(iv) in Clause 4, Option A shall apply when the Company acts as the Processor and Importer, and the Customer acts as the Controller and Exporter. In this case, the Controller is responsible for the actions as defined in subsection 4.1. (a, b, and c).

Option B shall apply when the Parties act as Processors. In this case, the table provided in subsection 4.1. is deemed to be completed with the relevant information contained in the Customer’s account (if any);

(v) SECTION III is deemed to be completed with the information set out in Schedule 2 of this DPA;

(vi) SECTION IV is deemed to be completed with the information set out in this DPA that is not reflected in the Clauses in this subsection. The date of signing SCCs is the date of registering on the Platform and execution of Terms. The place of the signed SCCs is the place of the Company’s registration.

SCHEDULE 1 - DESCRIPTION OF PROCESSING

A. LIST OF PARTIES

Name: You, «Customer», «User»

Address: the relevant information is contained in the Customer’s account.

Contact person’s name, position, and contact details: the relevant information is contained in the Customer’s account.

• Activities relevant to the data transferred under these Clauses: provision of Snovio Inc.’s services (e.g., CRM, verification, integration of information with other services).

Signature and date: the Parties agree that execution of Terms by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.

Role: controller or processor

Name: Snovio Inc.

Address: 220 East 23rd Street, №401, New York, NY, USA 10010

Contact person’s name, position, and contact details: Director Oleksii Kratko, admin@snov.io

Activities relevant to the data transferred under these Clauses: provision of Snovio Inc.’s services (e.g., CRM, verification, integration of information with other services).

Signature and date: the Parties agree that execution of Terms by the Data Exporter shall constitute execution of this DPA by both the Data Importer and Data Exporter. The date of the registration of the account on the Platform shall be considered the date of execution of this DPA.

Role: processor

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:

• Users’ customers;
• Users’ prospects;
• Other third parties.

2. Categories of personal data transferred:

• personal data of prospects that may include the following information:
• email address;
• first name;
• last name;
• corporate email;
• location (not precise);
• industry;
• current and previous position;
• place of work;
• links to social media;
• other information added via custom fields.
• personal data contained in the prospect’s timeline that may include the following information:
  • the source of the prospects;
  • emails and messages sent to the prospects by the client;
  • emails, messages, other activity of the prospects and prospect's interest level indicated by the client;
  • client’s notes about a particular prospect;
  • other information about the client’s interaction with a particular prospect and related activities.
• personal data provided to us within the Snovio CRM service, including information used in the ‘Deals’ and ‘Tasks’ features of CRM;
• business information such as company name, location, website, HQ phone, year of foundation, industry, company size, and company social media that may include personal data;
• synchronized data provided by the Customer during the integration of their HubSpot and/or Pipedrive account with the Data Importer’s platform.
• personal data of third parties (full name, username, domain) provided to us within the services for setting up pre-configured domains and mailboxes.
• any other personal data, which is uploaded to the Data Importer’s platform by the Data Exporter.

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

The Data Importer does not obtain access to the special categories of data (sensitive data).

4. The frequency of the transfer:

The personal data is transferred on a continuous basis.

5. Nature of the processing:

Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

6. Purpose(s) of the data transfer and further processing:

The purpose of the data processing under these Clauses is the performance of the services for the Data Exporter by the Data Importer under the Terms concluded between the Data Importer and the Data Exporter.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The personal data shall be stored for the duration of this DPA concluded between the Data Importer and the Data Exporter unless otherwise agreed in writing or the Data Importer is required by applicable law to retain some or all of the transferred personal data.

Certain personal data (e.g., personal data contained in the prospect’s timeline) may be subject to a different retention period as set forth in the Terms.

8. For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing:

subject matter: the performance of services

nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

duration: the performance of the services for the Data Importer by the (sub-) processor under the service agreement concluded between the Data Importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the Data Exporter.

SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organizational measures implemented by the Data Importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons:

• The Data Importer is committed to preserving the confidentiality, integrity, availability, and resilience of all the personal data in question throughout the Data Importer processing activities and ensuring that personal data are protected against loss and destruction by implementing appropriate internal information security policies and procedures.
• The Data Importer has adopted data encryption, anonymization, and pseudonymization policies that are designed to protect the privacy of data subjects by ensuring the security of personal data processing.
• The Data Importer has implemented measures designed to ensure that personal data, in the event of a physical or technical incident, may be restored in a timely manner.
• The Data Importer maintains a regular schedule of operating system and software updates to its equipment and other devices. Also, all servers of the Data Importer are protected by firewalls that are maintained and supplied with updates and patches.
• The Data Importer has implemented measures designed to deny unauthorized person access to processing equipment used for processing personal data and prevent the use of automated processing systems by unauthorized persons. All Data Importer’s staff members have a randomly generated password in accordance with the Data Importer’s password policy. The personal data is subject to a strictly need-to-know principle of access and can be displayed to authorized users only.
• The Data Importer has implemented measures designed to ensure that the confidentiality and integrity of personal data are protected during transfers of personal data.
• The Data Importer has implemented measures designed to prevent the unauthorized input of personal data and the unauthorized inspection, modification, or deletion of stored personal data.
• The Data Importer has implemented the following measures for ensuring the physical security of locations at which personal data are processed:
• all staff members must work only using the Data Importer’s equipment;
• equipment is accounted for and has an identified owner;
• anytime when staff member stops performing their work, they must block access to their equipment;
• the Data Importer has a security alarm system;
• access to the Data Importer’s facilities is strictly regulated;
• the Data Importer has adopted the clear desk and clear screen and brought your own device policies.
• The Data Importer has implemented measures designed to ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input.
• The Data Importer’s staff shall comply with the Data Importer’s internal information security policies, procedures, and other applicable documents. It is required to read the current version of such documents to any staff member before undertaking any of their responsibilities regarding personal data processing. All staff members shall receive appropriate security training or instructions concerning the processing of personal data.
• The Data Importer always checks whether its hosting providers are SOC 2 certified in order to ensure the hosting provider securely manages personal data. In addition, the Data Importer engages an independent security code auditor who conducts a source code review to discover if there are any potential security weaknesses, bugs, exploits, or violations of programming standards.
• The Data Importer has adopted information security policies, procedures, and other documents for ensuring the fulfillment of data minimization, data quality, limited data retention and accountability principles, and ensuring system configuration.
• The Data Importer has implemented a user data detection policy that ensures that data subjects can enjoy their rights under the Data Protection Laws and Regulations, including the right to erasure for deletion of their accounts and related personal data.

SCHEDULE 3 - SUB-PROCESSORS

The Controller has authorized the use of the following Sub-processors:

Name: Amazon.com, Inc.

Address: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal

Contact person’s name, position and contact details: https://console.aws.amazon.com/support/home

Description of processing: storage of personal data on the servers of Amazon.com, Inc.

Name: Salesforge OÜ

Address: Estonia, Harju maakond, Tallinn, Lasnamäe linnaosa, Sepapaja tn 6, 15551

Contact person’s name, position, and contact details: hey@salesforge.ai

Description of processing: provision of services for setting up pre-configured domains and mailboxes on the Platform.