Data Processing Agreement
This Data Processing Agreement (the "DPA") supplements the Master Terms of Service and the Partner Terms entered into between you (the "Customer" or "Controller") and Konatamo LLC (the "Processor", "satooB", "we", "us"). It applies whenever the Processor processes personal data on behalf of the Controller in connection with the satooB platform.
The web version below is the human-readable rendering of the DPA. A pre-signed PDF copy is available for download for your records and signature. Returning a counter-signed copy by email to legal@konatamo.com is the canonical way to complete the contractual loop ; an electronic-signature workflow may be made available in the future.
Pre-signed by Konatamo LLC. Countersign and return to legal@konatamo.com.
1. Parties
Processor : Konatamo LLC, a limited liability company organised under the laws of the State of New Mexico, USA, with its registered office at 1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, USA. EIN 35-2955786. Privacy contact : privacy@satoob.com. Legal contact : legal@konatamo.com.
Controller : the Customer, identified by the Customer account on the satooB platform. Each Customer accepting these Master Terms of Service and Partner Terms is the Controller for the personal data of its End-Users that is processed through the platform.
2. Definitions
Capitalised terms not defined here have the meaning given to them in the Master Terms of Service. Data-protection-specific terms — including "personal data", "data subject", "processing", "controller", "processor", "supervisory authority", and "personal data breach" — have the meaning given to them in the EU General Data Protection Regulation 2016/679 ("GDPR") and in the equivalent legislation of the United Kingdom.
3. Scope
This DPA applies whenever the Processor processes personal data on behalf of the Controller through the satooB platform. It is subordinate to the Master Terms of Service and the Partner Terms ; in case of conflict on data-protection matters, this DPA prevails.
4. Subject matter and duration
The subject matter of the processing is the provision of the satooB loyalty-administration platform. The duration of the processing is the period during which the Master Terms of Service are in effect between the parties.
5. Nature and purpose of processing
Account management, transaction processing, Voucher issuance and validation, analytics, customer support, fraud prevention, and regulatory compliance, as further detailed in the Privacy Policy and in Annex 1 below.
6. Categories of data subjects and personal data
Data subjects : the Controller's End-Users (consumers participating in the Controller's loyalty program) ; the Controller's authorised representatives and cashier-portal employees.
Categories of personal data : Identity (name, email, optional phone), authentication credentials, locale and currency preferences, behavioural events, transactional records, audit logs of cashier-portal activity. The full list is set out in Section 2 of the Privacy Policy.
7. Obligations of the Processor
The Processor agrees to :
- Process only on documented instructions from the Controller, including with regard to international transfers, except where required to do otherwise by EU or Member State law.
- Confidentiality — ensure that personnel authorised to process personal data are bound by confidentiality obligations of equivalent standard to those of this DPA.
- Security — implement appropriate technical and organisational measures, as set out in Annex 2 below.
- Subprocessors — engage subprocessors only with the prior general or specific authorisation of the Controller. The current list of authorised subprocessors is published at /legal/subprocessors. At least thirty (30) days' advance notice will be given before adding or replacing a subprocessor ; the Controller may object on reasonable data-protection grounds.
- Breach notification — notify the Controller without undue delay, and in any case within forty-eight (48) hours, after becoming aware of a personal data breach affecting the Controller's data.
- Data-subject rights — assist the Controller in fulfilling its obligation to respond to requests for the exercise of data subject rights under Articles 15–22 GDPR.
- DPIA & prior consultation — assist the Controller, taking into account the nature of processing and the information available, with data-protection impact assessments and prior consultations with supervisory authorities.
- Return or deletion — at the end of the processing, delete or return all personal data, save where retention is required by applicable law.
- Audit — make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in line with Section 11 below.
8. Obligations of the Controller
The Controller agrees to :
- Provide instructions in writing to the Processor with respect to the processing of personal data.
- Lawful basis — ensure that an appropriate lawful basis under Article 6 (and, where applicable, Article 9) GDPR exists for the processing.
- Privacy notice — inform data subjects through a privacy notice that meets the requirements of Articles 13 and 14 GDPR, including the role of the Processor and any onward transfers.
- Consent — obtain consent from data subjects where the lawful basis relied upon is consent.
- Records — maintain records of processing activities under Article 30 GDPR.
9. International transfers
Where personal data of EU or UK residents is transferred to a country that does not benefit from an adequacy decision, the parties rely on the Standard Contractual Clauses ("SCC") issued by the European Commission (Decision 2021/914), Module 2 (controller-to-processor), which are deemed incorporated into this DPA by reference (see Annex 4). Equivalent safeguards apply for UK transfers via the UK International Data Transfer Addendum to the EU SCC.
The Processor performs a transfer impact assessment for each onward transfer and applies supplementary measures (e.g. additional encryption, contractual restrictions on government access) where the assessment indicates they are necessary.
10. Subprocessors
The current list of authorised subprocessors is published at /legal/subprocessors and reproduced in Annex 3. The Processor will provide at least thirty (30) days' advance notice before adding or replacing a subprocessor.
The Controller may object on reasonable data-protection grounds within the notice period. If the parties cannot resolve the objection by re-routing processing or by other reasonable means, the Controller may terminate the affected portion of the Service for cause.
11. Audit rights
The Controller may verify the Processor's compliance with this DPA :
- Annual remote audit — through a questionnaire-based remote assessment, which the Processor will complete within thirty (30) days of receipt.
- In-person audit — on reasonable advance notice, the Controller (or an independent auditor mandated by the Controller and bound by confidentiality) may conduct an in-person audit at the Processor's premises, at the Controller's expense.
- Third-party audit reports — the Processor will share, under non-disclosure, any current third-party audit reports it may publish in the future (for example, SOC 2 Type II or ISO 27001).
12. Liability and limitations
Liability under this DPA is governed by the limitation-of-liability framework of the Master Terms of Service and the Partner Terms, including the carve-outs for gross negligence, wilful misconduct, fraud, indemnification obligations, and mandatory law.
13. Termination
This DPA terminates automatically with the underlying Master Terms of Service. Surviving obligations include those that by their nature should survive — confidentiality, audit, return or deletion of personal data, and any retention required by mandatory law.
Annex 1 — Description of processing
Categories of data subjects : as set out in Section 6.
Categories of personal data : as set out in Section 6 and detailed in the Privacy Policy Section 2.
Nature and purpose of processing : as set out in Section 5 and detailed in the Privacy Policy Section 4, with reference to the lawful bases under Article 6 GDPR set out in the Privacy Policy Section 5.
Duration of processing : the term of the Master Terms of Service plus any retention period imposed by law, as detailed in the Privacy Policy Section 7.
Annex 2 — Technical and organisational security measures
The Processor implements the security measures described in Section 12 of the Privacy Policy, including :
- Encryption in transit (TLS 1.3) on all client-facing endpoints and inter-service communications.
- Encryption at rest (AES-256) on database storage and on object storage.
- Credential hygiene : bcrypt cost factor 12 minimum for passwords ; PIN hashes for the cashier portal with anti-timing-attack verification and exponential lockouts.
- Identity & access management : least-privilege access controls, multi-factor authentication for production environments, audit logging of administrative actions.
- Audit-grade ledger : financial activity recorded in an immutable double-entry ledger.
- Anti-abuse : rate limiting, anomaly detection, and automated lockouts.
- Vulnerability management : periodic dependency review, security patching, and a coordinated vulnerability disclosure programme.
- Incident response : 72-hour breach notification procedure aligned with GDPR Article 33.
Annex 3 — Subprocessors
The current authorised subprocessors are listed at /legal/subprocessors, where the table is updated continuously. The list as of the effective date of this DPA is reproduced below for completeness.
| Subprocessor | Service | Location | Data | DPA |
|---|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global · registered in the USA | IP, request metadata | DPA + SCC |
| Google LLC (Google Workspace) | Email infrastructure, document storage | USA + EU regions | Email communications, identity | DPA + SCC |
| Hostinger International, Ltd. | VPS for the n8n workflow runner | EU (Lithuania) | Workflow logs | DPA |
| Mercury Bank (Choice Financial Group, member FDIC) | Business banking services and settlement transfers | USA | Settlement transfers | Bank-grade DPA |
| PostHog, Inc. | Product analytics, error tracking, session diagnostics | EU (Frankfurt) | Behavioural events | DPA + SCC |
| Resend, Inc. | Transactional email delivery | USA | Email metadata + content | DPA + SCC |
| Stripe, Inc. | Payment processing | USA + EU regions | Payment + identity | DPA + SCC |
| Supabase, Inc. | Database, authentication, object storage | USA · EU region for EU customers | Application data | DPA + SCC |
| Vercel, Inc. | Hosting, edge runtime, CDN | USA + EU regions | Application data + logs | DPA + SCC |
Annex 4 — Standard Contractual Clauses
The Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2 — controller-to-processor), are incorporated into this DPA by reference and apply by default to any transfer of personal data of EU/EEA residents to a country that does not benefit from an adequacy decision.
The official text is published by the European Commission at eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
The UK International Data Transfer Addendum (issued by the UK Information Commissioner's Office) applies by default to UK transfers.
14. Contact
For questions about this DPA :
- Data Protection Officer — privacy@satoob.com
- Legal & contractual matters — legal@konatamo.com
Postal address (for legal service of process) : Konatamo LLC, 1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, USA.