Hubryox

Data Processing Agreement

Pursuant to Art. 28 GDPR / Art. 9 Swiss FADP

Effective: 1 May 2026

1. Scope & Subject Matter

This Data Processing Agreement ('DPA') supplements the Terms of Service and governs the processing of personal data by Comphedia Ltd ('Processor') on behalf of the customer ('Controller') when using the Hubryox platform. The Processor processes personal data solely on documented instructions from the Controller and for the purpose of providing the Hubryox service.

2. Processor Obligations

The Processor shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that persons authorised to process personal data have committed to confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist the Controller in responding to data subject requests; (e) delete or return all personal data upon termination of the service, at the Controller's choice; (f) make available all information necessary to demonstrate compliance with this DPA.

3. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors. Current sub-processors:

• Amazon Web Services (AWS) — Infrastructure & hosting (Frankfurt, Germany)
• Stripe — Payment processing (Dublin, Ireland)
• Amazon SES — Transactional email delivery (Frankfurt, Germany)

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

4. Security Measures

The Processor implements the following technical and organisational measures: encryption in transit (TLS 1.3) and at rest (AES-256); bcrypt password hashing with cost factor 12; optional two-factor authentication; role-based access control; infrastructure hosted exclusively in EU data centres (AWS Frankfurt); regular security reviews; automated backups with point-in-time recovery.

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection). The Processor provides data export functionality within the platform to facilitate these rights.

6. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and shall contribute to audits conducted by the Controller or an auditor mandated by the Controller.

7. Data Return & Deletion

Upon termination of the service, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days. The Processor shall delete existing copies unless applicable law requires retention. Anonymised data may be retained for analytics purposes.

8. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor shall be liable for damage caused by processing only where it has not complied with its obligations under this DPA or applicable data protection law.

9. Contact

For questions regarding this Data Processing Agreement:

Comphedia Ltd
Email: privacy@hubryox.com
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom