Data Processing Addendum

Last updated: April 15, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between your organization ("Customer," "Controller") and Pinnacle MAV Media LLC, a Wyoming limited liability company ("Processor," "we"), for Pinnora (the "Service") when Customer is a business processing personal data of end users, clients, or employees in the Service. This DPA reflects the obligations imposed on processors by Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and analogous obligations on "service providers" under the California Consumer Privacy Act (as amended by the CPRA) and other US state privacy laws (collectively, "Data Protection Laws").

This DPA is incorporated into and forms part of the Terms of Service upon Customer's acceptance. No signature is required; Customer is deemed to accept this DPA upon use of the Service. Customers requiring a counter-signed copy may request one at privacy@thepinnacle.media.

1. Definitions

Capitalized terms have the meanings given in the Terms of Service or in Data Protection Laws, including: controller, processor, sub-processor, personal data, processing, data subject, personal data breach, and special categories of personal data (Article 4 GDPR). "SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. "UK Addendum" means the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office and in force from 21 March 2022.

2. Processor identity & notices

Processor is the entity identified below. Written notices relating to this DPA may be sent to the Customer admin email on file and copied to:

Pinnacle MAV Media LLC
1507 Lampman Ct
Cheyenne, WY 82007
United States of America

3. Roles & scope

Customer is the controller (or, where Customer acts as a processor for its own controller, an upstream processor) of personal data it submits. Processor processes such personal data only as a processor on documented instructions from Customer (the documented instructions being: this DPA, the Terms of Service, the configurations Customer makes through the Service, and any subsequent written instructions compatible with the Service's functionality). Processor will inform Customer if, in its opinion, an instruction infringes Data Protection Laws (Art. 28(3)(h) GDPR).

4. United States privacy law (CCPA/CPRA service-provider terms)

With respect to personal information that constitutes "personal information" of California residents, Processor:

  • Will not sell or share personal information (as those terms are defined in the CPRA);
  • Will not retain, use, or disclose personal information except to provide the Service to Customer or as otherwise permitted for service providers under the CCPA/CPRA;
  • Will not retain, use, or disclose personal information outside the direct business relationship between Processor and Customer, including by combining personal information with information received from other sources except as necessary to provide the Service;
  • Will notify Customer if it determines it can no longer meet its obligations under the CPRA, in which event Customer may take reasonable steps to stop and remediate the unauthorized use;
  • Acknowledges that Customer has the right to take such reasonable steps and to monitor Processor's compliance through measures including manual reviews and automated scans (subject to confidentiality and reasonable security restrictions);
  • Provides the equivalent commitments and assistance under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, and other US state privacy laws to the extent applicable.

5. Confidentiality & personnel

Processor ensures that persons authorized to process personal data are bound by appropriate confidentiality obligations (contractual or statutory), have received privacy and security training, and access personal data only on a need-to-know basis.

6. Sub-processors

Customer provides general written authorization for the sub-processors listed at Subprocessors (the "Sub-processor List"). Processor will impose written data-protection obligations on each sub-processor materially consistent with this DPA and remains liable for the performance of its sub-processors. Processor will provide at least thirty (30) days' advance notice of the addition or replacement of any sub-processor that processes Customer personal data; Customer may object on reasonable data-protection grounds during the notice window, in which case Customer's exclusive remedy is to terminate the affected Service components without penalty for the remainder of the then-current term.

7. Security measures (Annex II)

Processor implements the technical and organizational measures described in Annex II below and in our Security overview, designed to ensure a level of security appropriate to the risk pursuant to Art. 32 GDPR. Customer is responsible for configuring the Service securely (roles, credentials, integration permissions, encryption keys where Customer-managed).

8. Personal data breach notification

Processor will notify Customer without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of a personal data breach affecting Customer personal data. The notification will include, to the extent then known: the nature of the breach; categories and approximate number of data subjects and records concerned; likely consequences; and measures taken or proposed to address the breach and mitigate its effects. Processor will provide reasonable assistance to Customer in fulfilling Customer's notification obligations under Art. 33 and 34 GDPR or analogous US state law. Customer is responsible for notifying its own data subjects and regulators except as Processor is directly obligated.

9. Data subject requests, DPIAs, prior consultations

Taking into account the nature of processing, Processor will assist Customer through appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to: (i) respond to data subject requests under Articles 12-22 GDPR (we will forward such requests received directly from data subjects to Customer rather than acting on them, except to the extent we have legally distinct obligations); (ii) carry out data protection impact assessments under Art. 35 GDPR; and (iii) consult with supervisory authorities under Art. 36 GDPR. Where assistance materially exceeds what is reasonably included in standard support, the parties will agree on reasonable cost recovery in good faith. Standard data subject request response targets:

  • Acknowledgement of request: within five (5) business days.
  • Substantive response: within thirty (30) days, extendable as permitted by law.

10. Deletion or return of personal data

Upon termination of the Service or written request, Processor will, at Customer's choice, delete or return all Customer personal data, and delete existing copies, unless retention is required by law. Default deletion timing: thirty (30) days after termination, with backups overwritten per the rolling backup cycle described in our Security overview.

11. International transfers

To the extent Processor processes personal data subject to GDPR / UK GDPR / Swiss FADP and that data is transferred to a third country without an adequacy decision:

  • The parties incorporate by reference the EU Standard Contractual Clauses, Module 2 (controller to processor) when Customer is a controller, and Module 3 (processor to processor) when Customer acts as a processor for an upstream controller. Annex I, II, and III of the SCCs are populated by reference to the Annexes of this DPA. Optional Clause 7 (docking) and Clause 11 redress option are not selected; governing law (Clause 17) is the law of Ireland; supervisory authority and forum (Clause 18) is the Irish Data Protection Commission.
  • For UK transfers, the parties incorporate the UK International Data Transfer Addendum (IDTA) with the SCCs as the "Approved Addendum" and the corresponding Tables completed using the same Annexes.
  • For Swiss transfers, the SCCs apply with references to GDPR construed as references to the FADP and references to the EU Member State construed as references to Switzerland; the supervisory authority is the FDPIC.
  • Where a sub-processor is certified under the EU-US Data Privacy Framework (DPF), the parties may also rely on that certification.
  • Processor maintains a transfer-impact assessment available on request to dpo@thepinnacle.media.

12. Audits

Processor will make available to Customer all information reasonably necessary to demonstrate compliance with Art. 28 GDPR and allow for audits, including inspections, conducted by Customer or an independent auditor mandated by Customer. Audits will be at Customer's cost; conducted no more than once per calendar year (more often if a personal data breach has occurred or where regulators direct); coordinated to minimize disruption; conducted under reasonable confidentiality; and may be satisfied by third-party certifications, SOC 2 reports, or comparable summaries that fairly cover the audit scope when those are available.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except where Data Protection Laws prohibit the contractual limitation of such liability (e.g., for liability owed directly to a data subject under Art. 82 GDPR).

14. Order of precedence

If this DPA conflicts with a separately executed enterprise agreement or order form that expressly amends processor obligations, the signed document controls for that subject matter. Otherwise, in case of conflict between this DPA and the Terms of Service, this DPA controls for matters concerning the processing of personal data; for all other matters the Terms of Service control.

15. Changes

Processor may update this DPA where required to comply with Data Protection Laws or to reflect material changes in subprocessors, security measures, or supervisory-authority guidance. Material updates will be notified to Customer at least thirty (30) days in advance.

Annex I — Description of processing

A. List of parties

Data exporter (controller): the Customer organization identified in the account registration. Contact: the admin email on file. Activities relevant to the data transferred: use of the Service for advertising research, creative generation, performance analytics, and related workflows. Role: controller (or processor where acting on behalf of an upstream controller).

Data importer (processor): Pinnacle MAV Media LLC, address as above. Contact: dpo@thepinnacle.media. Activities relevant to the data transferred: hosting and operation of the Service, including authentication, storage, AI inference routing, async job execution, ad-platform API integrations, transactional email, and security monitoring. Role: processor (or sub-processor where Customer is itself a processor).

B. Description of transfer

  • Categories of data subjects: Customer's authorized users (employees, contractors, agents); Customer's clients and prospects whose data Customer uploads or causes to be processed; end users of advertising campaigns operated using the Service.
  • Categories of personal data: identifiers (name, email, user ID, organization, role, OAuth subject, IP address); profile data (job title, profile photo); content data (prompts, uploaded files, generated outputs, comments, configurations, encrypted ad-platform tokens); commercial data (subscription, invoice, credit balance); usage and security telemetry; communications.
  • Sensitive data: none collected by design. Customer must not upload special-category data within the meaning of Art. 9 GDPR (health, biometrics, racial/ethnic origin, political opinions, religious beliefs, union membership, genetic data, sex life, sexual orientation) or criminal-conviction data (Art. 10) without first agreeing additional safeguards in writing with us.
  • Frequency of transfer: on a continuous basis for the duration of Customer's subscription.
  • Nature of processing: hosting, storage, transmission, retrieval, structuring, AI inference, security monitoring, deletion as instructed.
  • Purpose: provision of the Service to Customer; security and abuse detection; billing.
  • Retention: as set out in our Privacy Policy retention table; default 30 days post-termination plus rolling backup cycle.
  • Sub-processors: as listed at Subprocessors (incorporated as Annex III).

C. Competent supervisory authority

The Irish Data Protection Commission (DPC) for SCC purposes; the UK Information Commissioner's Office (ICO) for the UK Addendum; the Swiss Federal Data Protection and Information Commissioner (FDPIC) for Swiss transfers.

Annex II — Technical & organizational measures (summary)

Processor implements technical and organizational measures designed to ensure a level of security appropriate to the risk pursuant to Art. 32 GDPR, addressed across the following control areas:

  • Pseudonymization & encryption of personal data in transit and at rest, with additional application-layer encryption for high-sensitivity credentials.
  • Confidentiality, integrity, availability, and resilience of processing systems and services, including environment separation, least-privilege access, and managed-database point-in-time recovery.
  • Restoration of availability and access following an incident, supported by documented incident-response and business-continuity procedures.
  • Regular testing, assessment, and evaluation of the effectiveness of the measures, including dependency scanning, static analysis, code review, and independent security testing on a risk-prioritized cadence.
  • User identification and authorization through managed identity, MFA for production access, SSO for Enterprise tiers, and tenant-scoped database access policies.
  • Protection during transmission via modern TLS with strong cipher suites and HSTS.
  • Protection during storage via at-rest encryption at the storage and database layers.
  • Physical security delegated to certified hosting subprocessors.
  • Centralized logging of security-relevant events with restricted access.
  • Hardened default configurations, configuration as code, and least-privilege production credentials.
  • Information-security governance, written confidentiality obligations for personnel, and role-appropriate security training.
  • Sub-processor governance through due diligence and contractual flow-down; current list at Subprocessors.

Enterprise customers may request a more detailed Security Addendum and security questionnaire response under NDA, which sets out specific control implementations, encryption configurations, retention windows, recovery objectives, and certification status. Sub-processors' corresponding measures are documented in their own DPA and security documentation, linked from our Subprocessor list.

Annex III — Sub-processor list

The list of authorized sub-processors is published and kept current at /legal/subprocessors and incorporated by reference into this DPA.

Contact

DPA questions, signature requests, transfer-impact assessment requests, or audit requests: privacy@thepinnacle.media (cc: dpo@thepinnacle.media).