Customer Data Protection Addendum

Last updated: June 22, 2026

Data Processing. This DPA supplements the Terms of Service and any applicable order form or other written agreement between Vectorly, Inc. (“Inkbox” or “Company”) and Customer (“Customer”) (the “Agreement”) pursuant to which Company provides functions for or on behalf of Customer (“Services”) involving the processing of Personal Information (defined below). Customer and Company are each a “Party” and collectively referred to herein as the “Parties.”
Definitions. The following definitions shall apply for purposes of interpreting this DPA. Capitalized terms used but not defined in this DPA have the meaning given to them in the Agreement or Data Protection Laws.
1. “Collects,” “collection,” “consent,” “deidentified,” “controller,” “process(ing)(ed),” “processor”, “sell,” “selling,” “share,” and “service provider” shall have the meanings given to such terms in applicable Data Protection Laws.
2. “Data Protection Laws” means any law that governs the Party’s processing of Personal Information, including the California Consumer Privacy Act (CCPA).
3. “Personal Information” or “Personal Data” means information that relates to an identified or identifiable natural person (“Data Subject”) provided to Company by or on behalf of Customer for the purpose of enabling Company to provide the Services. Personal Information does not include business-to-business contact information exchanged by the Parties for the purposes of negotiating and executing the Agreement.
Customer Obligations. Customer will provide only Personal Information that is adequate, relevant, and reasonably necessary for Company to perform the Services. Customer represents and warrants that its collection of Personal Information and disclosure to Company complies with all applicable Data Protection Laws.
Instructions. Company will process the Personal Information only (i) in accordance with Customer’s instructions as documented in the Agreement; and (ii) as needed to comply with applicable law, provided that Company shall not be required to act on any Customer instruction that could (in Company’s reasonable opinion) cause Company to breach applicable law. Company will comply with Data Protection Laws in performing the Services and will inform Customer if it believes that any Customer instructions regarding Personal Information processing would violate applicable Data Protection Law. Notwithstanding anything herein to the contrary, Customer acknowledges that Company may retain, use, disclose, or otherwise process Personal Information in manners permitted of a service provider/processor under Data Protection Laws and may create deidentified data from Personal Information subject to Section 4(a).
1. Deidentified data. To the extent Company receives or creates deidentified data in connection with this DPA, Company will: (i) maintain such information as deidentified and take reasonable measures to ensure that it cannot be associated with an individual or household (including implementing technical safeguards and business processes to prevent reidentification or inadvertent release of the deidentified data); (ii) publicly commit to maintain and use the information in deidentified form and not to attempt to reidentify the information; (iii) not attribute Customer as a source of such data; and (iv) contractually obligate any third parties receiving such information from Company to also commit to the same.
Security. Company will take reasonable steps to implement appropriate technical and organizational measures designed to protect Personal Information against anticipated threats or hazards to its security, confidentiality, or integrity as described in Schedule 1 (Technical and Organizational Security Measures). Company will ensure that persons authorized to process Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security Breach. Company will notify Customer without undue delay whenever Company learns that there has been a breach of Company security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information processed that requires notification to Data Subjects, government authorities, and/or other third parties under Data Protection Laws, unless such notification is prohibited by applicable law or otherwise instructed by law enforcement or a supervisory authority. Taking into account the nature of processing and the information available to Company, Company will take reasonable steps to assist Customer at Customer’s reasonable request in complying with Customer’s notification obligations as required by applicable Data Protection Law. Company reserves the right to charge a reasonable fee to Customer for any requested assistance.
Return or Disposal. Within 30 days of termination of the Agreement, Customer may request that Company destroy or return to Customer all Personal Information, unless retained as part of Company’s backup process or where applicable law requires Company to store the Personal Information.
Assessments. Upon Customer’s reasonable request (to be exercised no more than once a year, unless required more frequently by a supervisory authority), Company will make available to Customer information in its possession necessary to demonstrate Company’s compliance with this DPA and will allow for and contribute to reasonable assessments by Customer or its designated assessor (or if mutually agreed and at Company’s expense, Company’s qualified assessor) using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Company engages its own assessor, it shall provide a report of such assessment to Customer upon request. Any assessments shall be subject to Company’s reasonable access and confidentiality requirements.
Subcontracting. Customer authorizes Company to transfer Personal Information to sub-processors for purposes of providing the Services to Customer. Company will maintain a list of the sub-processors and will provide this list to Customer upon request. Company will provide Customer 10 days’ prior notice when adding a sub-processor to this list and the opportunity to object to such addition. If Company does not receive an objection within 10 days of the notice, the sub-processor is deemed to be accepted by Customer. Company will enter into an agreement with such sub-processor that includes data protection terms similar to this DPA.
Company Assistance. At Customer’s reasonable request and taking into account the nature of the processing, Company will take reasonable steps to assist Customer with Customer’s obligation to respond to Data Subjects’ requests to exercise their rights under applicable Data Protection Law by taking appropriate technical and organizational measures. Taking into account the nature of the processing and the information available to Company, Company also will assist Customer at Customer’s reasonable request in meeting Customer’s compliance obligations to conduct data protection impact assessments and engage in related consultations of supervisory authorities. Company reserves the right to charge a reasonable fee to Customer for any requested assistance.
Processing Location. Customer agrees that Company may process Personal Information in countries where it or its sub-processors have operations, including the United States, Canada, Mexico, Honduras, Switzerland, and Singapore.
CCPA Compliance. Company will provide the same level of privacy protection for Personal Information of California residents as required of Customer under the CCPA. Company will notify Customer in writing if Company determines that it can no longer meet its obligations under the CCPA. Customer has the right, upon providing notice to Company, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, including where Company has notified Customer that it can no longer meet its CCPA obligations.
In no event may Company: (a) disclose Personal Information of California residents to a third party for monetary or other valuable consideration or disclose Personal Information to a third party for cross-context behavioral advertising; (b) disclose Personal Information of California residents to any third party for the commercial benefit of Company or any third party; (c) retain, use, or disclose Personal Information of California residents outside of Company’s direct business relationship with Customer or for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by applicable laws; or (d) combine Personal Information of California residents with personal information that Company receives from, or on behalf of, other persons, or collects from its own interaction with the Data Subject, except as permitted under applicable laws. Company certifies that it understands and will comply with the foregoing restrictions.
Federal DOJ Bulk Data Security Requirements. To the extent that Company is not located in a Country of Concern: Company shall prohibit and prevent any access to Customer Personal Data – or any anonymized or deidentified data derived from Customer Personal Data – by any individual or entity (including such entity’s employees or contractors) that: (a) is organized or chartered under the laws of China, Hong Kong, Macau, Russia, Iran, North Korea, Venezuela, Cuba or any other country that the U.S. Department of Justice may identify as a “country of concern” (collectively, “Countries of Concern”); (b) has its principal place of business in any Country of Concern; (c) is located in, or primarily a resident of, any Country of Concern; (d) has been designated by the U.S. Attorney General as a “covered person”; (e) is 50% or more owned, directly or indirectly, individually or in the aggregate, by any Country of Concern or an individual or entity described in (a)-(d) above; or (f) is a Country of Concern ((a)-(f) collectively “Covered Persons”). Company represents that it is not a Covered Person. Company shall immediately notify Customer if it cannot comply with the requirements of this Section, and provide all information requested by Customer regarding such anticipated or actual noncompliance.
To the extent that Company is located in a Country of Concern: Company shall support Customer’s compliance with the DOJ Bulk Data Security Regulations, codified at 28 C.F.R. Part 202. Company shall immediately notify Customer if Company: (a) inadvertently received Customer Personal Data that might be subject to the DOJ Bulk Data Security Regulations, or (b) cannot comply with the requirements of this Section. In the event of (a) or (b), Company shall provide all information requested by Customer regarding such anticipated or actual noncompliance.
Conflicts; Enforceability. If any provision of this DPA is held to be invalid or unenforceable by any court of competent jurisdiction, such holding will not invalidate or render unenforceable any other provision of this DPA or any other contract between Customer and Company. This DPA supplements the Agreement. This DPA will control in the event of any inconsistency between the Agreement and this DPA. Any other provisions of or obligations under the Agreement that are otherwise unaffected by this DPA will remain in full force and effect. If this DPA, or any actions to be taken or contemplated to be taken in performance of this DPA, do not or would not satisfy either Party’s obligations under the laws applicable to each Party, the Parties will negotiate in good faith upon an appropriate amendment to this DPA.

Schedule 1 – Technical and Organizational security Measures

This Schedule describes the security measures that will be taken by Company with respect to any Personal Information processed under the DPA.

Information Security Policies and Standards. Company will implement security requirements for personnel with access to Personal Information that are designed to ensure a level of security appropriate to the risk and address the requirements detailed in this Schedule. Company will conduct periodic risk assessments and, as appropriate, revise its information security practices whenever there is a material change in Company’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Information, provided that Company will not modify its information security practices in a manner that will materially weaken Personal Information protection.
Physical Security. Company will maintain commercially reasonable security systems at all Company sites where an information system that uses or houses Personal Information is located. Company reasonably and appropriately restricts access to such Personal Information and implements practices to prevent unauthorized individuals from gaining access to Personal Information.
Organizational Security.
1. Upon Customer’s request, Company will provide contact information for its designated primary security manager.
2. Company will implement procedures to prevent any subsequent retrieval of any Personal Information stored on media before the media is disposed of or reused.
3. Company will implement security policies and procedures to classify information assets, clarify security responsibilities and promote awareness for employees.
4. Company will manage all Personal Information breaches in accordance with appropriate procedures.
5. Company will encrypt, using industry-standard encryption tools, Personal Information that Company: (i) transmits or sends wirelessly or across public networks; and (ii) stores on portable devices or at rest, where technically feasible.
Network Security. Company maintains network security using commercially available equipment and industry-standard techniques, including firewalls, intrusion detection and prevention systems, access control lists and routing protocols.
Access Control. Company will maintain appropriate access controls, including, but not limited to, restricting access to Personal Information to the minimum number of Company personnel who require such access. Company will maintain a list of the persons who have accessed Personal Information and a list of those who are permitted to access the Personal Information.
Virus and Malware Controls. Company will install and maintain anti-virus and malware protection software on the system and has in place scheduled malware monitoring and system scanning to protect Personal Information from anticipated threats or hazards and protect against unauthorized access to or use of Personal Information.
Personnel. Company will require personnel to comply with its Information Security Program. Company will train personnel on their security obligations.
Business Continuity. Company will implement appropriate backup and disaster recovery and business resumption plans. Company will regularly review, test, and update its business continuity plan.