Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated by reference into the Terms of Service ("Agreement") between Hubflo Corp. ("Hubflo," "Processor") — the U.S. subsidiary of Hubflo, operating the WinPal app — and the Pro accepting the Agreement ("Customer," "Controller"). It applies whenever Customer enters, uploads, or otherwise provides Personal Data of its Clients or other third parties to the Services. In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.
Capitalized terms not defined here have the meaning given in the Agreement.
1. Definitions
- "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other US state comprehensive privacy laws.
- "Personal Data" means any information relating to an identified or identifiable natural person, including "personal information" as defined under the CCPA/CPRA, that Customer submits to or processes through the Services.
- "Client Personal Data" means Personal Data about Customer's Clients (or other third parties) that Customer submits to the Services.
- "Processing," "Controller," "Processor," "Data Subject," "Personal Data Breach," "Service Provider," "Sub-processor," and "Sale" / "Sharing" have the meanings given in Applicable Data Protection Law.
- "Standard Contractual Clauses" or "SCCs" means the EU Commission's Implementing Decision (EU) 2021/914.
- "UK Addendum" means the UK International Data Transfer Addendum to the EU SCCs, version B1.0, issued by the UK Information Commissioner.
2. Roles and scope
2.1 Roles. With respect to Client Personal Data, Customer is the Controller and Hubflo is the Processor. Hubflo will Process Client Personal Data only on documented instructions from Customer, as set out in the Agreement, this DPA, and Customer's reasonable use of the Services.
2.2 Hubflo's own use of data. With respect to Customer's account information and information about Customer's use of the Services (such as Pro account, billing, and usage data), Hubflo is an independent Controller. That processing is governed by the Privacy Policy, not this DPA.
2.3 Subject matter, nature, purpose, duration, types of data, categories of subjects. See Annex I below.
3. Customer instructions and obligations
3.1 Lawful basis. Customer represents and warrants that it has, and will maintain throughout the term, all rights, consents, notices, and lawful bases required to share Client Personal Data with Hubflo and to authorize Hubflo's Processing of that data. Customer is solely responsible for the accuracy, quality, and legality of Client Personal Data and the means by which it acquired Client Personal Data.
3.2 Privacy notices to Clients. Customer is responsible for providing any required privacy notices to its Clients and for obtaining any required consents from them.
3.3 No special-category data. Customer will not submit Client Personal Data that includes special categories of personal data under GDPR Article 9 (e.g., health data, biometric data, data about ethnic origin) or sensitive personal information under CPRA, except to the minimum extent necessary to send an estimate or invoice.
4. Hubflo's obligations as Processor
4.1 Processing only on instructions. Hubflo will Process Client Personal Data only (a) on Customer's documented instructions, (b) as necessary to provide the Services, and (c) as required by Applicable Data Protection Law (in which case Hubflo will inform Customer of the legal requirement before Processing, unless prohibited by law).
4.2 Confidentiality. Hubflo will ensure that personnel authorized to Process Client Personal Data are bound by appropriate confidentiality obligations.
4.3 Security. Hubflo will implement and maintain appropriate technical and organizational measures designed to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are set out in Annex II below.
4.4 Sub-processors.
- (a) Customer authorizes Hubflo to engage Sub-processors to Process Client Personal Data. The current list of Sub-processors is in Annex III below.
- (b) Hubflo will impose data-protection terms on each Sub-processor that are at least as protective as those in this DPA.
- (c) Hubflo will give Customer at least 30 days' notice (by email or by updating the published Sub-processor list) before engaging a new Sub-processor. Customer may object on reasonable data-protection grounds within 30 days.
- (d) Hubflo remains liable to Customer for the acts and omissions of its Sub-processors as if they were its own.
4.5 Data Subject requests. If Hubflo receives a request from a Data Subject to exercise rights under Applicable Data Protection Law, Hubflo will redirect the request to Customer and provide reasonable assistance to enable Customer to respond.
4.6 Assistance. Hubflo will provide Customer with reasonable assistance to support Customer's compliance with its obligations under Applicable Data Protection Law, including with respect to security, breach notification, data protection impact assessments, and consultation with supervisory authorities.
4.7 Personal Data Breach. Hubflo will notify Customer without undue delay (and in any event within 72 hours of confirming the breach) after becoming aware of a Personal Data Breach affecting Client Personal Data.
4.8 Records. Hubflo will maintain records of Processing activities required under GDPR Article 30(2).
4.9 Audit. Hubflo will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, primarily through (a) Hubflo's then-current third-party security audit reports and certifications (e.g., SOC 2) where available; and (b) responses to reasonable written information-security questionnaires no more than once per 12 months.
4.10 Return or deletion. On termination of the Agreement, Hubflo will, at Customer's option, return or delete Client Personal Data within the timeframes described in the Privacy Policy, except to the extent retention is required by law or the Agreement.
5. International transfers
5.1 Cross-border transfers. Hubflo may transfer Client Personal Data to the United States and to other countries where Hubflo or its Sub-processors operate.
5.2 EU / EEA / Swiss transfers. Where Customer is established in the EEA or Switzerland and transfers Client Personal Data to Hubflo in a country that has not been the subject of an adequacy decision, the EU SCCs (Module Two: Controller to Processor) are incorporated by reference and will apply, with the following choices:
- Clause 7 (Docking clause): included.
- Clause 9 (Sub-processors): Option 2, general written authorization, with 30 days' notice as in Section 4.4(c).
- Clause 11 (Redress): independent dispute resolution body option not selected.
- Clause 17 (Governing law): Irish law.
- Clause 18 (Forum and jurisdiction): Irish courts.
5.3 UK transfers. Where Customer is established in the UK, the UK Addendum applies and is incorporated by reference.
5.4 DPF. Where Hubflo is certified under the EU-U.S. Data Privacy Framework (or successor framework), Hubflo will Process Client Personal Data transferred to the U.S. in accordance with the DPF principles.
6. CCPA/CPRA and US state laws
6.1 Service-Provider status. With respect to "personal information" of California residents, Hubflo is a "Service Provider."
6.2 Hubflo will not:
- (a) Sell or Share Client Personal Data;
- (b) Retain, use, or disclose Client Personal Data for any purpose other than the specific business purpose of providing the Services;
- (c) Retain, use, or disclose Client Personal Data outside the direct business relationship with Customer; or
- (d) Combine Client Personal Data received from Customer with personal information received from other sources, except as permitted under CCPA/CPRA Regulations.
6.3 Hubflo will:
- (a) Comply with applicable obligations under CCPA/CPRA and provide the same level of privacy protection as required of Customer;
- (b) Notify Customer if Hubflo determines it can no longer meet its CCPA/CPRA obligations; and
- (c) Allow Customer to take reasonable steps to remediate unauthorized use of Client Personal Data.
7. Liability
The liability of each party under this DPA is subject to the limitations of liability in the Agreement.
8. General
8.1 Term. This DPA takes effect on the same date as the Agreement and continues until the Agreement terminates and all Client Personal Data is returned or deleted.
8.2 Order of precedence. In any conflict between this DPA, the Agreement, and the SCCs / UK Addendum: the SCCs / UK Addendum prevail; then this DPA; then the Agreement.
8.3 Changes. Hubflo may update this DPA on at least 30 days' notice to reflect changes in Applicable Data Protection Law or Hubflo's processing operations, provided that updates do not materially reduce protections.
8.4 Severability. If any provision is unenforceable, the rest remains in effect.
8.5 Notices. Notices under this DPA may be sent to privacy@winpal.app (for Hubflo) and to the Customer's account contact email (for Customer).
Annex I — Description of processing
Subject matter. Processing of Personal Data by Hubflo as part of providing the Services.
Duration. The term of the Agreement, plus any retention period required by law.
Nature and purpose. Hosting, storing, transmitting, displaying, and processing Personal Data for the purpose of providing the Services (creating estimates, invoices, sending them to Clients, processing payments through Stripe, sending notifications and reminders, generating PDFs).
Types of Personal Data. Identifiers (name, email, phone, address); commercial information (estimates, invoices, line items, transaction history); device and usage data; photos uploaded by Customer.
Categories of Data Subjects. Customer's Clients, Customer's employees / team members, recipients of Customer's communications.
Frequency of transfer. Continuous.
Competent supervisory authority (for SCCs). The Irish Data Protection Commission, unless Customer is established in another EEA member state, in which case that member state's authority.
Annex II — Technical and organizational measures
Hubflo implements the following technical and organizational measures:
- Encryption. TLS 1.2+ for data in transit; AES-256 for data at rest.
- Access control. Role-based access; least-privilege permissions; multi-factor authentication for employee access to production; row-level security on the database.
- Audit logging. Production access is logged and reviewed.
- Change management. Code reviews; protected branches; CI/CD with automated tests.
- Vulnerability management. Automated dependency scanning; periodic penetration testing.
- Backups. Daily encrypted backups with defined retention.
- Incident response. Documented procedures and 72-hour breach-notification commitment to Customer.
- Personnel. Confidentiality obligations; background checks where permitted by law; security training.
- Vendor management. Sub-processor diligence and contractual data-protection terms.
- Physical security. Production infrastructure hosted in SOC 2 / ISO 27001 certified facilities (Supabase / AWS).
- Pseudonymization and de-identification. Used where appropriate for analytics and AI features.
Annex III — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, backend | United States |
| Vercel | API hosting | United States |
| Stripe | Subscription billing + Connect Standard for Client payments | United States |
| RevenueCat | Mobile subscription management | United States |
| OpenAI | AI estimate generation | United States |
| Anthropic | AI estimate generation | United States |
| Google (Gemini) | AI estimate generation | United States |
| Resend | Transactional and marketing email | United States |
| Novu | Notification orchestration | United States |
| Twilio | SMS reminders | United States |
| Expo | Push notification delivery | United States |
| PostHog | Product analytics | United States / EU |
| Sentry | Crash and error reporting | United States |
Contact
Hubflo Corp.
1411 Broadway
New York, NY 10018
privacy@winpal.app
WinPal is operated by Hubflo Corp., the U.S. subsidiary of Hubflo.