1. Scope and applicability
This Data Processing Addendum ("DPA") supplements the Spoolio Terms of Service and governs Spoolio's processing of personal data on behalf of business customers ("Customer") under their Spoolio subscription. It applies automatically to Agency-tier customers and is available on request to other B2B customers via dpo@spoolio.ai.
To execute this DPA, send a signed copy referencing your Spoolio account email to dpo@spoolio.ai. We will counter-sign and return.
2. Roles
- Customer is the controller of personal data processed via the Service in the course of Customer's use (e.g. Customer's end users' data, Customer-uploaded biometric data, viewer engagement data Customer ingests).
- Spoolio is the processor for that data.
- For Customer's own account, billing, and platform-relationship data, Spoolio is the controller — see Privacy Policy.
3. Subject matter, nature, purpose, duration
- Subject matter: processing personal data on Customer's instructions to provide the Service.
- Nature: hosting, transformation by AI generation pipelines, transmission to social platforms Customer connects, backup, security operations.
- Purpose: providing the Service per the Terms.
- Duration: for the term of the subscription, plus the post-termination retention period in the Privacy Policy.
4. Customer instructions
Spoolio processes personal data on Customer's documented instructions. The Terms of Service, this DPA, and the Customer's configuration of the Service collectively constitute those instructions. Spoolio will inform Customer if it believes an instruction infringes applicable data-protection law.
5. Confidentiality
Spoolio personnel authorised to process Customer data are subject to confidentiality obligations.
6. Security measures
Spoolio implements appropriate technical and organisational measures, including those described at /security: encryption in transit and at rest, OAuth-token encryption with AES-256-GCM, RLS on every customer table, signed webhooks, rate limiting, security monitoring, incident response.
7. Sub-processors
Customer grants Spoolio general authorisation to engage sub-processors. Current list:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database + auth | US |
| Cloudflare R2 | Object storage (SSE-S3) | Global edge |
| Stripe | Payments | US + EU |
| Anthropic | Script + content generation | US |
| fal.ai | AI image + video gateway | US/Global |
| ElevenLabs | Voice generation + cloning | US/EU |
| MiniMax | AI music | US/EU/CN as routed |
| Mubert | Background music | EU/US |
| Upstash | Redis cache + rate limiting | US/EU edge |
| Vercel | App hosting | Global edge |
| Railway | Background workers | US |
| Sentry | Error monitoring (PII scrubbed) | US/EU |
| Resend | Transactional email | EU/US |
| Buffer (optional) | Social posting orchestration | US |
Spoolio will give Customer at least 30 days' notice of new or replacement sub-processors via in-product notice and posting to this page, except where shorter notice is required to address a security or legal issue. Customer may object within that window; if Customer reasonably objects and Spoolio cannot offer a mitigation, Customer may terminate the affected portion of the Service.
8. International data transfers
For transfers of EU/EEA, UK, or Swiss personal data to countries without an adequacy decision, the parties incorporate the 2021 EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor), and where applicable Module 3 (processor-to-sub-processor). The UK International Data Transfer Addendum (Version B1.0) is incorporated for UK transfers. The Swiss Federal Data Protection Act is satisfied via the same SCCs with Swiss-specific adjustments.
The SCCs prevail in the event of conflict with this DPA on transfer-specific provisions.
9. Data subject requests
Spoolio will assist Customer with responding to data-subject requests (access, rectification, erasure, portability, restriction, objection) where Customer cannot fulfil the request via the Service's self-service tools. Requests should be routed via dpo@spoolio.ai.
10. Personal data breach notification
Spoolio will notify Customer of a personal data breach affecting Customer's data without undue delay after becoming aware, providing reasonable detail to allow Customer to comply with its own notification obligations under GDPR Articles 33–34 or equivalent law. We aim to notify within 72 hours of awareness.
11. Audits
Spoolio will make available information necessary to demonstrate compliance with GDPR Art. 28. On request, no more than once per 12-month period, Customer may audit Spoolio's data processing by reviewing the most recent third-party audit reports (post-SOC 2 Type II) or, where appropriate, by on-site audit on reasonable notice and at Customer's expense, with mutually agreed scope.
12. Return + deletion
On termination of the subscription, Spoolio will, at Customer's choice, return or delete personal data per the retention schedule in the Privacy Policy, subject to legal retention obligations.
13. Liability
Each party's aggregate liability under this DPA is subject to the limitation of liability in the Terms of Service.
14. Contact
Data Protection Officer: dpo@spoolio.ai. To execute this DPA, email dpo@spoolio.ai with the subject line "DPA Execution."
Disclaimer. This policy is comprehensive but undergoes external counsel review pre-launch. It reflects Spoolio's intended operating practices as of May 10, 2026. For binding interpretation in any jurisdiction, please consult qualified legal counsel. Material changes will be versioned and announced via in-product notice and email at least 30 days before they take effect.
Questions about this policy: legal@spoolio.ai. Data-protection matters: privacy@spoolio.ai. EU/UK DPO: dpo@spoolio.ai.