This Data Processing Agreement ("DPA") is entered into between the Client identified in the Principal Agreement ("Controller") and More.is.More s.r.o., IČO 05210275, with registered office at Pernerova 635/57, Karlín, 186 00 Praha 8, Czech Republic ("Processor"), and forms part of the Terms of Service or other agreement governing the Client's use of the Service ("Principal Agreement").
This DPA is incorporated into the Principal Agreement by reference. In case of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data processing matters.
1. Definitions
For the purposes of this DPA, the following terms have the meanings ascribed to them in Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"):
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Controller" — the party that determines the purposes and means of processing Personal Data (the Client).
- "Processor" — the party that processes Personal Data on behalf of the Controller (More.is.More s.r.o.).
- "Sub-processor" — any processor engaged by the Processor who agrees to receive Personal Data from the Processor.
- "Data Subject" — the natural person to whom Personal Data relates.
- "Processing" — any operation or set of operations performed on Personal Data.
- "Supervisory Authority" — the competent data protection authority in the relevant jurisdiction.
2. Subject Matter and Duration
2.1 Subject Matter
The Processor shall process Personal Data on behalf of the Controller solely to provide the Service as described in the Principal Agreement.
2.2 Duration
This DPA remains in force for the duration of the Principal Agreement and until all Personal Data has been deleted or returned in accordance with Section 10 of this DPA.
3. Nature and Purpose of Processing
| Attribute | Details |
|---|---|
| Nature of processing | Storage, retrieval, authentication, analytics, AI feature processing |
| Purpose of processing | Provision of the Service as described in the Principal Agreement |
| Types of Personal Data | Account data (name, email), usage data, session data, audit logs, AI inputs/outputs |
| Categories of Data Subjects | Authorized Users of the Controller |
| Duration of processing | For the term of the Principal Agreement |
4. Obligations of the Processor
The Processor shall:
4.1 Instructions
Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law.
4.2 Confidentiality
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption of Personal Data in transit (TLS) and at rest.
- Ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- Regular testing and evaluation of technical and organizational security measures.
4.4 Sub-processors
Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. The Processor currently uses the Sub-processors listed in Section 7 of this DPA.
4.5 Data Subject Rights
Assist the Controller in fulfilling its obligation to respond to requests for exercising Data Subjects' rights under Chapter III of the GDPR, taking into account the nature of the processing.
4.6 Assistance
Assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation).
4.7 Deletion or Return
At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage.
4.8 Audit Rights
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Obligations of the Controller
The Controller shall:
- Ensure that the processing of Personal Data by the Processor is lawful under applicable law.
- Ensure that appropriate consent has been obtained from Data Subjects where required.
- Not instruct the Processor to process Personal Data in a manner that would violate applicable law.
- Provide the Processor with all information necessary to perform the processing services.
6. Data Subject Rights
The Processor shall notify the Controller within 5 business days of receiving any request from a Data Subject to exercise their rights under Chapter III GDPR (access, rectification, erasure, portability, restriction, objection). The Processor shall not respond to such requests on behalf of the Controller unless expressly authorized to do so.
7. Sub-processors
The Controller provides general written authorization for the Processor to engage the following Sub-processors:
| Sub-processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Infrastructure hosting (compute, database, object storage) | EU-based; no transfer |
| ActiveCampaign, LLC (Postmark) | USA | Transactional email delivery | EU-US Data Privacy Framework; SCCs (Decision 2021/914, Module Two) as alternative |
| Cloudflare, Inc. | USA | Media delivery (object storage edge, authenticated media gateway) | EU-US Data Privacy Framework; SCCs as alternative |
| Google LLC | USA | AI storyboard/image generation (Gemini API) | EU-US Data Privacy Framework; Google Cloud DPA SCCs as alternative |
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors. The Controller may object to such changes by written notice within 15 days of receiving notification. If the Controller objects and the parties cannot reach agreement, the Controller may terminate the Principal Agreement without penalty.
8. International Data Transfers
The Processor shall not transfer Personal Data to a third country or international organization unless:
- An adequacy decision pursuant to Art. 45 GDPR applies; or
- Appropriate safeguards pursuant to Art. 46 GDPR are in place (e.g., Standard Contractual Clauses); or
- The transfer falls within a derogation under Art. 49 GDPR.
See Section 7 for the transfer mechanisms applicable to each Sub-processor.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours after becoming aware of a personal data breach. The notification shall include:
- A description of the nature of the personal data breach, including categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor's contact point for data-protection matters (see Section 14).
- The likely consequences of the breach.
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Controller remains responsible for notifying the relevant Supervisory Authority within 72 hours under Art. 33 GDPR.
10. Deletion and Return of Data
Upon termination of the Principal Agreement, or upon the Controller's written request, the Processor shall:
- Stop processing Personal Data immediately, except for processing required by applicable law.
- At the Controller's choice: (a) return all Personal Data in a machine-readable format (JSON), or (b) securely delete all Personal Data.
- Provide written confirmation of deletion within 30 days of the termination date.
The Processor may retain anonymized data for statistical and compliance purposes, provided that such data cannot be used to re-identify any individual.
11. Security Measures
The Processor has implemented the following technical and organizational measures (Art. 32 GDPR):
- Pseudonymization and encryption: Personal Data encrypted in transit (TLS) and at rest. Passwords hashed with a modern adaptive password-hashing algorithm.
- Confidentiality: Role-based access controls, principle of least privilege. All administrative access logged.
- Integrity and availability: Automated database backups stored in geographically separate EU locations. Redundant infrastructure with documented recovery procedures.
- Resilience: Regular testing of backup recovery procedures and incident response plan.
- Access management: Two-factor authentication required for administrative access. Audit logging of all data access and modifications.
12. Liability
Each party shall be liable to the other for any damage suffered as a result of that party's breach of its obligations under this DPA or applicable data protection law, subject to the limitations set out in the Principal Agreement.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of the Czech Republic, consistent with the governing law provision of the Principal Agreement.
14. Contact
For data processing matters, contact the Processor. The Processor has not appointed a Data Protection Officer, as its processing does not meet the thresholds in Art. 37(1) GDPR; data-protection matters are handled by the Processor's management.
- Email: marek@moreismore.cz
- Address: Pernerova 635/57, Karlín, 186 00 Praha 8, Czech Republic
More.is.More s.r.o.
Signed: ______________________
Name: ______________________
Title: ______________________
Date: ______________________

Client (Controller) — as identified in the Principal Agreement
Signed: ______________________
Name: ______________________
Title: ______________________
Date: ______________________