Data Processing Addendum

For personal data Clipus processes on Customer's behalf in providing the Service, Customer is the data controller and Clipus is the data processor. Clipus processes such data only to provide and support the Service and on Customer's documented instructions, including those set out in the Agreement and this DPA.

"Personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings given in the GDPR. "Subprocessor" means a third party engaged by Clipus to process personal data. "Standard Contractual Clauses" ("SCCs") means the clauses approved by the European Commission for transfers of personal data to third countries.

• Subject matter: provision of the Clipus marketing video generation and distribution platform.
• Duration: the term of the Agreement, plus the retention periods described below.
• Nature and purpose: capture of product data, generation of videos and reports, publishing, analytics, billing, and support.
• Types of personal data: account identifiers (name, email), authentication identifiers, billing contact data, and any personal data contained in product pages Customer chooses to capture.
• Categories of data subjects: Customer's authorized users and any individuals whose personal data appears in captured product content.

Clipus will: (a) process personal data only on Customer's documented instructions, including for international transfers, unless required by law; (b) ensure personnel authorized to process personal data are bound by confidentiality; (c) implement the technical and organizational security measures described in our Security & Trust overview; and (d) make available information reasonably necessary to demonstrate compliance with Article 28 GDPR.

Customer provides general authorization for Clipus to engage subprocessors to process personal data. The current subprocessors are listed on our Subprocessors page. Clipus imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA and remains responsible for its subprocessors' performance. Clipus will update the Subprocessors page before engaging a new subprocessor; Customer may object on reasonable data-protection grounds by contacting Clipus.

Taking into account the nature of the processing, Clipus will assist Customer by appropriate technical and organizational measures, insofar as possible, in responding to data subject requests to exercise their rights (access, rectification, erasure, restriction, portability, and objection). Customer can use the in-product data export and deletion controls, and may contact Clipus for assistance.

Clipus will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's personal data, and will provide information reasonably available to Clipus to help Customer meet its breach-notification obligations.

Clipus will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To the extent available, Clipus may satisfy audit requests by providing third-party attestations or reports for itself or its infrastructure subprocessors, subject to confidentiality.

The Service is operated from the United States. Where Customer's use of the Service involves transferring personal data subject to the EU or UK GDPR outside the EEA or UK, the parties agree that the applicable Standard Contractual Clauses are incorporated into this DPA by reference and apply to that transfer, with Clipus acting as data importer.

Data captured for video generation is deleted automatically 30 days after generation unless Customer retains it. On termination of the Agreement, Clipus will, at Customer's choice, delete or return personal data processed on Customer's behalf, except where retention is required by law. Customer can export data at any time before termination.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

This DPA applies to Customer's use of the Service. Enterprise customers who require a signed copy or have specific procurement requirements can request one at dpa@clipus.io.

Clipus, Inc.
1111B S Governors Avenue #44561
Dover, DE 19904, United States