Data Processing Agreement (DPA)

Effective Date: January 1, 2026

Last Updated: February 2, 2026

This Data Processing Agreement ("DPA") forms part of the General Terms of Service or other written or electronic agreement between ZINFI Technologies, Inc. ("ZINFI") and the User or Member organization ("Customer") regarding the processing of Personal Data.

1. Definitions

• "Data Protection Laws" means all applicable privacy and data protection laws including the GDPR, UK GDPR, and the CCPA/CPRA.
• "Personal Data" means any information relating to an identified or identifiable natural person processed by ZINFI on behalf of the Customer.

2. Scope and Role of Parties

This DPA applies when ZINFI processes Personal Data that is subject to Data Protection Laws as a "Processor" or "Service Provider" on behalf of the Customer (the "Controller" or "Business").

3. Processing Obligations

ZINFI shall:

• Process Personal Data only on the documented instructions of the Customer as set forth in the General Terms of Service and this DPA.
• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Information Security Overview.

4. Sub-Processing

Customer grants a general authorization to ZINFI to engage sub-processors. ZINFI shall maintain an up-to-date Sub-Processor List and notify Customer of any intended changes concerning the addition or replacement of sub-processors.

5. Data Subject Rights

ZINFI shall, insofar as is possible, assist the Customer in fulfilling its obligations to respond to requests from individuals exercising their rights under Data Protection Laws (e.g., requests for access or deletion).

6. Personal Data Breach

ZINFI shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. ZINFI will provide reasonable assistance to the Customer regarding its notification obligations.

7. Audit Rights

ZINFI shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by the Customer or an independent auditor.

8. International Transfers

If the processing involves a transfer of Personal Data outside the EEA or UK to a country not providing an adequate level of protection, the parties agree that the Standard Contractual Clauses (SCCs) shall apply.

9. Termination

Upon termination of the Services, ZINFI shall, at the choice of the Customer, delete or return all Personal Data to the Customer, unless applicable law requires storage of the Personal Data.

10. Governing Law

This DPA is governed by the laws of the State of California. Any disputes shall be resolved in Pleasanton, California, in accordance with the dispute resolution provisions in the General Terms of Service.