Effective as of November 25, 2025
Superframe, Inc. (“Provider”) and the entity or other person who is a counterparty to the Agreement (as defined below) (“Customer”) enter into this Data Processing Addendum (including the annexes attached hereto, this “DPA”) into which this DPA is incorporated and forms the Terms and Conditions, which may be amended from time to time (the “Agreement”).
Definitions
For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Agreement.
(a) Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
(b) End-User means an individual end-user who is authorized by Customer to access, use, experience or benefit from the Service or to whom the Customer makes the Service available.
(c) Applicable Data Protection Laws means, as and to the extent applicable, the State Privacy Laws.
(d) Controller means the entity that, alone or jointly with others, determines the purposes or means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the California Consumer Privacy Act.
(e) Customer Data means information provided or made available by Customer to Provider for Processing on Customer’s behalf to perform the Services.
(f) Data Subject means the identified or identifiable natural person to whom Personal Data relates.
(g) Information Security Incident means an actual breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
(h) Personal Data means Customer Data that constitutes “personal data,” “personal information,” or “personally identifiable information” as defined in Applicable Data Protection Laws, except that Personal Data does not include such information received by Provider directly or from other sources (such as its other customers) independent of Provider’s relationship with Customer.
(i) Process or Processing means any operation or set of operations which is performed by Provider on behalf of Customer under this Agreement, on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(j) Processor means the entity that Processes Personal Data on behalf and at the direction of the Controller, including, as applicable, any “service provider” as that term is defined by the California Consumer Privacy Act.
(k) Security Measures has the meaning given in Section 4(a) (Provider Security Measures).
(l) Service Data means any data relating to the use, support and/or operation of the Services, which is collected by Provider from and/or about End Users of the Services and/or Customer’s use of the Service for use for Provider’s own purposes (certain of which may constitute Personal Data). Service Data includes Personal Data of Customer’s business representatives.
(m) Services means the services that Provider performs for Customer under the Agreement.
(n) State Privacy Laws means, collectively, the comprehensive state-specific data privacy laws and their regulations currently in effect and applicable to Provider’s Processing of Personal Data under the Agreement.
(o) Subprocessors means third parties that Provider engages to Process Personal Data in relation to the Services.
Duration and Scope of DPA
(a) This DPA will remain in effect so long as Provider Processes Personal Data, notwithstanding the expiration or termination of the Agreement.
(b) Processing of Personal Data subject to the State Privacy Laws with respect to which Customer is a Business, Controller, Processor, or Service Provider and Provider is Customer’s service provider or processor (as such terms are defined in State Privacy Laws) shall be subject to Annex 2 (State Privacy Laws Annex) to this DPA.
Customer Instructions
Provider will Process Personal Data as a Processor only in accordance with Customer’s instructions to Provider. By entering into this DPA, Customer instructs Provider to Process Personal Data to provide the Services and to perform its other obligations and exercise its rights under the Agreement. The Parties acknowledge and agree that the details of Provider’s Processing of Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
Security
(a) Provider Security Measures. Provider will implement and maintain technical, administrative, physical and organizational measures designed to protect Personal Data against Information Security Incidents (the “Security Measures”). Provider may provide a list of such measures to Customer upon request. Provider may update the Security Measures from time to time, so long as the updated measures do not materially decrease the overall protection of Personal Data.
(b) Security Compliance by Provider Staff. Provider shall require that its personnel who are authorized to access Personal Data are subject to appropriate confidentiality obligations.
(c) Information Security Incidents. Provider will notify Customer without undue delay of any Information Security Incident of which Provider becomes aware. Such notifications will describe available details of the Information Security Incident, including steps taken to mitigate the potential risks and steps Provider recommends Customer take to address the Information Security Incident. Provider’s notification of or response to an Information Security Incident will not be construed as Provider’s acknowledgement of any fault or liability with respect to the Information Security Incident. Provider shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Information Security Incident. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Information Security Incident. If Customer determines that an Information Security Incident must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Provider, where permitted by applicable laws, Customer agrees to (i) notify Provider in advance, and (ii) in good faith, consult with Provider and consider any clarifications or corrections Provider may reasonably recommend or request to any such notification, which: (i) relate to Provider’s involvement in or relevance to such Information Security Incident; and (ii) are consistent with applicable laws.
(i) Customer’s Security Responsibilities. Customer agrees that Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Personal Data.
(ii) Customer’s Security Assessment. Customer has determined that the Services, the Security Measures and Provider’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Personal Data.
Data Subject Rights
(a) Data Subject Request Assistance. Provider will (taking into account the nature of the Processing of Personal Data) provide Customer with assistance reasonably necessary and technically feasible for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Personal Data in Provider’s possession or control, including but not limited to, access, correction, deletion, and cessation of Processing of Personal Data. Customer shall compensate Provider for any such assistance at Provider’s then-current professional services rates, which shall be made available to Customer upon request.
(b) Customer’s Responsibility for Requests. If Provider receives a Data Subject Request, Provider will (i) notify Customer; and (ii) advise the Data Subject to submit the request to Customer. Customer will be solely responsible for responding to any such request.
Customer Responsibilities
(a) Customer shall ensure (and is solely responsible for ensuring) that it has given such notices to and obtained such consents and permissions from third parties (including, without limitation, Data Subjects), and has all rights, in each case, as may be required under applicable law or otherwise for Provider to Process Personal Data as contemplated by the Agreement.
(b) Customer represents and warrants to Provider that Customer Data does not and will not contain any Personal Data that contains racial, ethnic or national origin; religious or philosophical beliefs; political opinions; protected health information subject to the Health Insurance Portability and Accountability Act (“HIPAA”); other mental or physical health condition, diagnosis, history, treatment or other health data; health insurance information; pregnancy; sex life, sexuality or sexual orientation; status as transgender or non-binary; citizenship; citizenship or immigration status; union membership; status as a victim of crime; genetic, biometric, neural or biological data; personal information of children or teens; precise location information; Social Security number; driver’s license number; state identification card number; passport number; other government-issued identification numbers; account login information; financial information or account number; tax return data; contents of a communication to which you were not a party; or any bulk U.S. sensitive personal data or U.S. government-related data, in each case as defined in the U.S. Department of Justice’s Final Rule on Prohibition on Bulk Data Transfers to Foreign Adversaries (28 C.F.R. Part 202), as amended, or any successor or similar rule, law, or regulation (collectively, “Restricted Data”). If Customer intends to provide protected health information to Provider, Customer and Provider shall negotiate and enter into a separate Business Associate Agreement.
Sub-processors
(a) Consent to Sub-processor Engagement. Customer generally authorizes Provider to engage third parties as Sub-processors in accordance with this Section 7.
(b) Information about Sub-processors. Information about Sub-processors, including their functions and locations, is available at superframe.com/sub-processors (the “Sub-processor Site”). Provider may continue to use those Subprocessors already engaged by Provider as at the date of this DPA.
(c) Requirements for Sub-processor Engagement. When engaging any Sub-processor, Provider will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Sub-processor. Provider shall be liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor in connection with the services they provide to Provider to the same extent as Provider would have been had it performed the Processing itself.
(d) Opportunity to Object to Sub-processor Changes. When Provider engages any new Sub-processor after the effective date of the DPA, Provider will notify Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) by updating the Sub-processor Site. If Customer objects to such engagement in a written notice to Provider within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and pay Provider for all amounts due and owing under the Agreement as of the date of such termination.
Audits
Deletion
(a) Subject to Sections 9(b) and 9(c), upon Customer’s notification to Provider that Customer is terminating its account with Provider (the “Termination Date”), Provider shall promptly cease all Processing of Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.
(b) Subject to Section 9(d), to the extent technically possible in the circumstances (as determined in Provider’s sole discretion), on Customer’s written request to Provider, Provider shall within sixty (60) days of such request, at Customer’s election either: (i) return a complete copy of all structured Personal Data within Provider’s possession to Customer by secure file transfer, promptly following which Provider shall delete or anonymize all other copies of such Personal Data, or (ii) either (at Provider’s option) delete or anonymize all structured Personal Data within Provider’s possession.
(c) Notwithstanding the above, Provider may retain Personal Data, where permitted or required by applicable law, for such period as may be permitted or required by such applicable law, provided that Provider shall (i) maintain measures designed to protect all such Personal Data, and (ii) Process the Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
Service Data
(a) Customer acknowledges that Provider may collect, use and disclose Service Data for its own business purposes: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, improve, develop, optimise, market and maintain the Services; (iii) to investigate fraud, spam, wrongful or unlawful use of the Services; (iv) to combine Service Data with other data; (v) to de-identify Personal Data so the de-identified data can be used and disclosed by Provider for lawful business purposes; and/or (vi) as otherwise permitted or required by applicable law.
(b) In respect of any such Processing described in Section 10(b), Provider: (i) independently determines the purposes and means of such Processing; (ii) shall comply with Applicable Data Protection Laws (if and as applicable in the context); (iii) shall process consumer sale/share opt-out requests that are forwarded to Provider by Customer to the extent required by Applicable Data Protection Laws and upon request provide documentation to Customer that it has done so; (iv) shall Process such Service Data as described in Provider’s relevant privacy notices/policies, as updated from time to time; and (v) where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
Use of AI
(a) Provider may use aggregated data, de-identified data, usage data, metadata, and derived data generated through Customer’s use of the Services, for the purposes of: (i) developing, training, improving, and optimizing Provider’s AI Models, algorithms, and Services, and (ii) enhancing the performance, functionality, and security of Provider’s offerings. AI Models means machine learning models, algorithms, or artificial intelligence systems developed, maintained, improved or used by Provider. AI Models may be Provider-developed AI Models.
(b) Provider shall not use Customer Data in a manner that identifies Customer or any individual, or that would reasonably be expected to re-identify such data, when used for AI Model training or product improvement.
(c) Provider will not re-identify de-identified Personal Data.
Miscellaneous
(a) Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. Notwithstanding anything in the Agreement or any order form entered in connection therewith to the contrary, the parties acknowledge and agree that Provider’s access to Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Provider to Customer under this DPA may be given (i) in accordance with any notice clause of the Agreement; (ii) to Provider’s primary points of contact with Customer; or (iii) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
(b) Provider agrees to cooperate in good faith with Customer concerning any amendments as may be reasonably necessary to address compliance with the Applicable Data Protection Laws.
Limitation of Liability
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with THE AGREEMENT, this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement.
Annex 1: Data Processing Details
PROVIDER DETAILS
Name: Superframe, Inc. is a U.S. corporation
Contact Details for Data Protection: Derek Steer, derek@superframe.com
Provider Activities: The Superframe Service is the Customer Intelligence Engine. It is designed to integrate with Sales, Marketing, and other Go-To-Market software. It aggregates their activity, cleans the data, and makes it easily available for analysis using AI tools.
Role: Processor (and Controller of Service Data)
CUSTOMER DETAILS
Name: The entity or other person who is a counterparty to the Agreement
Customer’s address is: Customer’s principal place of business, or otherwise noted in writing to Provider
Customer’s Contact Details for Data Protection: As provided to Provider or otherwise used in the provision of the Services.
Customer Activities: Customer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role: Controller
Categories of Data Subjects: Relevant Data Subjects include any Data Subjects of Personal Data that Customer causes Provider to process as part of the provisions of the Service, including End-Users, employees, customers, and prospective customers of Customer’s products and services.
Categories of Personal Data: Relevant Personal Data includes any Categories of Personal Data Customer causes Provider to process as part of the provisions of the Service, including:
Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description.
Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media or Gmail identifiers/handles.
Authentication details – for example username, password or PIN code, security questions and other access protocols.
Integration data – for example Personal Data relating to the Data Subjects’ calendar, email inbox, call transcripts, contacts, and data from any other integrations Customer may direct Superframe to integrate with.
Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data: None – as noted in Section 6(b) of the DPA, Customer agrees that Restricted Data must not be submitted to the Services unless agreed to in writing with Provider.
Additional safeguards for sensitive data: N/A
Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.
Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing: as necessary to provide the Services as initiated by Customer in its use thereof, and to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
Transfers to (sub)processors: Transfers to Subprocessors are as, and for the purposes, described from time to time at superframe.com/sub-processors.
Annex 2: State Privacy Laws
1. For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell,” “share,” “targeted advertising” and “service provider” shall have the respective meanings given thereto in the State Privacy Laws, and “personal information” shall mean Personal Data that constitutes personal information governed by the State Privacy Laws.
2. It is the parties’ intent that with respect to any personal information, Provider is a service provider. Provider (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Provider’s use of personal information is consistent with Customer’s obligations under the State Privacy Laws; (d) shall notify Customer in writing of any determination made by Provider that it can no longer meet its obligations under the State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
3. Provider shall not (a) sell or share any personal information or use it for targeted advertising; (b) retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; (c) retain, use or disclose the personal information outside of the direct business relationship between Provider and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Provider’s own interaction with any Consumer to whom such personal information pertains, except in each case (a) through (d) as and to the extent necessary as a part of Provider’s provision of the Services or as otherwise permitted by a service provider or processor under the State Privacy Laws. Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.
4. Giving Customer notice of Subprocessor engagements in accordance with Section 7 of the DPA shall satisfy Provider’s obligation under the State Privacy Laws to give notice of and an opportunity to object to such engagements.
5. Provider agrees that Customer may conduct audits, in accordance with Section 8 of the DPA, to help ensure that Provider’s use of personal information is consistent with Provider’s obligations under the State Privacy Laws.
6. The parties acknowledge that Provider’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Provider’s provision of the Services and the business relationship between the parties.
