1. Definitions
In this DPA, the following terms have the meanings given below:
- 'Controller' means the ExecCortex customer who determines the purposes and means of processing personal data
- 'Processor' means ExecCortex, Inc., which processes personal data on behalf of the Controller
- 'Personal Data' means any information relating to an identified or identifiable natural person
- 'Processing' means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure
- 'Sub-processor' means any third party engaged by the Processor to process Personal Data
- 'GDPR' means Regulation (EU) 2016/679 and any applicable national implementing legislation
- 'SCCs' means the Standard Contractual Clauses adopted by the European Commission under decision 2021/914
- 'Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data
2. Scope of Processing
Subject matter: ExecCortex processes personal data to deliver the eCommerce intelligence platform services described in the Terms of Service.
Duration: The duration of processing is coterminous with the Customer's active subscription. On termination, ExecCortex will cease processing and delete or return Customer Data within 30 days.
Nature of processing: Collection, storage, analysis, enrichment, AI inference, display, export, and deletion of personal data as directed by the Customer through the platform.
Categories of data subjects:
- The Customer's eCommerce store customers
- The Customer's team members and account users
Categories of personal data:
- Contact data: names, email addresses, phone numbers
- Location data: shipping and billing addresses
- Transaction data: orders, purchase history, refunds, returns
- Behavioral data: cart events, session data, email engagement
- Communication data: WhatsApp, SMS, and email message history generated through the platform
- Financial data: payment method type (no raw card data)
3. Controller Instructions
ExecCortex shall process Personal Data only on documented instructions from the Controller. The Customer's configuration of the platform — including which data sources to sync, which automation workflows to run, and which features to enable — constitutes documented instructions.
ExecCortex shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or applicable data protection law. In such cases, ExecCortex may refuse to execute the instruction until the Controller provides a compliant alternative.
ExecCortex personnel who process Personal Data are bound by confidentiality obligations and receive appropriate data protection training.
4. Technical and Organizational Security Measures
ExecCortex implements and maintains the following technical and organizational measures to protect Personal Data:
Encryption:
- AES-256 encryption for all Personal Data at rest
- TLS 1.3 for all Personal Data in transit
- Envelope encryption with AWS KMS for sensitive fields (API tokens, OAuth credentials)
Access controls:
- Role-based access control (RBAC) limiting access to Personal Data to authorized personnel
- Multi-factor authentication required for all ExecCortex engineering and operations staff
- Privileged access management (PAM) for production system access with full audit logging
- Principle of least privilege applied to all internal service accounts
Network security:
- Web Application Firewall (WAF) on all public endpoints
- DDoS protection via Cloudflare
- Network segmentation between production and development environments
- VPC isolation for database and internal services
Organizational measures:
- Annual third-party penetration testing
- Vulnerability disclosure program with defined response SLAs
- Security awareness training for all employees
- Incident response plan with defined escalation paths
5. Sub-Processors
The Controller provides general authorization for ExecCortex to engage sub-processors to deliver the Services, subject to the conditions in this Section.
ExecCortex will: (a) maintain a current list of sub-processors, available at execcortex.com/legal/data-processing; (b) provide at least 30 days' written notice before engaging a new sub-processor; (c) impose data protection obligations equivalent to this DPA on each sub-processor; and (d) remain fully liable to the Controller for the acts or omissions of its sub-processors.
Current sub-processors (as of May 2026):
- Amazon Web Services, Inc. (US) — cloud infrastructure | DPA: aws.amazon.com/agreement
- Cloudflare, Inc. (US) — edge delivery and security | DPA: cloudflare.com/gdpr/introduction
- Stripe, Inc. (US) — payment processing | DPA: stripe.com/privacy
- OpenAI, LLC (US) — AI inference (where enabled by Customer) | DPA: openai.com/policies
- Anthropic, PBC (US) — AI inference (where enabled by Customer) | DPA: anthropic.com/legal
- Sentry (Functional Software, Inc.) (US) — error monitoring | DPA: sentry.io/privacy
The Controller may object to a new sub-processor within the 30-day notice period by notifying dpo@execcortex.com. If ExecCortex cannot accommodate the objection, the Controller may terminate without penalty, receiving a prorated refund of prepaid fees.
6. Data Breach Notification
ExecCortex shall notify the Controller of a Data Breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will include, to the extent available:
- A description of the nature of the Data Breach
- The categories and approximate number of data subjects concerned
- The categories and approximate number of Personal Data records concerned
- The likely consequences of the Data Breach
- Measures taken or proposed to address the breach and mitigate its effects
Notification will be sent to the primary email address on the Controller's account and to the designated security contact if one is configured. ExecCortex will cooperate with the Controller and provide all reasonably requested information to assist with the Controller's notification obligations to data subjects and supervisory authorities.
7. Data Subject Rights Assistance
ExecCortex shall provide reasonable assistance to the Controller to fulfill data subject rights requests, including:
- Data export: Customer Data is exportable from Settings → Data Export or via API
- Targeted deletion: Individual customer records can be deleted from the Customer profile section
- Suppression: Opted-out customers can be added to suppression lists to prevent future messaging
- Data portability: Exports are provided in JSON or CSV format
ExecCortex shall forward any data subject rights requests received directly from the Controller's customers to the Controller within 5 business days, as ExecCortex cannot fulfill such requests without Controller instruction.
8. Data Protection Impact Assessments
ExecCortex shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required by GDPR Article 35. This includes providing documentation of processing activities, security measures, and sub-processor information upon request.
9. Audit Rights
ExecCortex shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct an audit (or appoint an independent auditor) of ExecCortex's data processing activities, subject to:
- Reasonable prior written notice of at least 30 days
- Agreement on scope, timing, and confidentiality before the audit
- Audit costs borne by the Controller
- No more than once per 12-month period except where a Data Breach has occurred
ExecCortex may satisfy the audit obligation by providing its most recent SOC 2 Type II report, where available, or an equivalent independent third-party security assessment.
10. International Transfers
Where Customer Data is transferred from the EEA, UK, or Switzerland to the United States or other third countries, the transfer is governed by the Standard Contractual Clauses (Module 2: Controller-to-Processor) as annexed to Commission Implementing Decision (EU) 2021/914.
The SCCs are incorporated into this DPA by reference. The Supplementary Measures described in Section 4 (Technical and Organizational Security Measures) apply as supplementary safeguards. Enterprise customers may opt into EU data residency to avoid cross-border transfers.
11. Return and Deletion of Data
On termination of the subscription, at the Controller's choice, ExecCortex will either:
- Return all Customer Data in JSON or CSV format within 30 days of request; or
- Delete all Customer Data securely (overwritten to prevent recovery) within 30 days
ExecCortex will provide written confirmation of deletion upon request. Data required to be retained by applicable law will be identified and the Controller notified before deletion.
12. Governing Law
This DPA is governed by the same law as the main Terms of Service (State of Delaware, United States). Where the SCCs apply, they take precedence over this DPA to the extent of any conflict, in accordance with Clause 5 of the SCCs.
