Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between your organization ("Customer") and Pinnacle MAV Media LLC, a Wyoming limited liability company("Processor"), for Pinnacle AdForge when Customer is a business processing personal data of end users, clients, or employees in the Service. Consumer-only individual use may not require a DPA; contact us if unsure. This DPA reflects concepts aligned with Article 28 of the GDPR and similar processor obligations; it is not a substitute for a signed order form or enterprise agreement where you require bespoke terms.

1. Processor identity & notices

Processor is the entity identified below. Written notices relating to this DPA (other than routine support) may be sent to the email on file for your organization and copied to:

2. Roles

Customer is the controller (or processor acting on behalf of its controller) of personal data it submits. Processor processes such data only as a processor on documented instructions from Customer (including via the Service configuration, account settings, support tickets that document processing, and this DPA), unless applicable law requires Processor to act otherwise — in which case Processor will inform Customer of that requirement before processing, unless prohibited by law.

3. United States privacy law (CCPA/CPRA and similar)

Where Processor processes personal information on behalf of Customer and qualifies as a "service provider" or "processor" (or equivalent) under U.S. state privacy laws, Processor will not sell or share personal information, will not retain, use, or disclose personal information except as necessary to perform the Service or as otherwise permitted for service providers/processors under those laws, and will cooperate with Customer's required terms and assessments where applicable.

4. Processing details

• Subject matter & duration: processing necessary to provide the Service for the subscription or agreement term and as described in the Privacy Policy.
• Nature & purpose: hosting, authentication, database and object storage, collaboration, AI-assisted features where enabled (processing inputs and outputs as Customer Content), logging and security monitoring, support, analytics appropriate to operating the Service, and billing as applicable.
• Categories of data subjects:Customer's employees, contractors, clients, and other individuals whose data Customer uploads or causes to be processed.
• Categories of personal data: identifiers, professional information, account data, content Customer uploads (including prompts and generated outputs), payment-related metadata handled by our payment processor, and technical metadata (e.g., IP address, device, logs).

5. Confidentiality & personnel

Processor ensures that persons authorized to process personal data are bound by appropriate confidentiality obligations (contractual or statutory).

6. Subprocessors

Customer authorizes use of subprocessors listed at Subprocessors. Processor will impose written data protection terms on subprocessors materially consistent with this DPA. Customer may object to a new subprocessor on reasonable data-protection grounds by notifying Processor promptly; where objection cannot be resolved, either party may terminate the affected Service components as described in the Terms.

7. Security measures

Processor implements technical and organizational measures described in our Security overview, appropriate to the risk, including access controls, encryption in transit, and vendor diligence. Customer is responsible for configuring the Service securely (e.g., roles, credentials, and integration settings).

8. Personal data breaches

Processor will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, where notification is required by applicable law, together with information reasonably available to assist Customer in meeting its obligations. Customer is responsible for its own regulatory and data-subject communications except as Processor is directly obligated.

9. Data subject requests, DPIAs, and deletion

Processor will assist Customer — taking into account the nature of processing — with responding to data subject requests, data protection impact assessments, and supervisory authority consultations, where applicable and within scope of Processor's role. Upon termination, Processor will delete or return personal data per the Terms and product functionality, unless retention is required by law. Deletion may take time in backup systems according to documented lifecycle rules.

10. International transfers

Where personal data originating from the EEA, UK, or Switzerland is transferred to countries without an adequacy decision, Processor relies on appropriate safeguards such as the EU Standard Contractual Clauses (with UK International Data Transfer Addendum or UK IDTA where applicable), supplemented by technical and organizational measures. Customer may request further transfer details by contacting technical@thepinnacle.media.

11. Audits & demonstrations

On reasonable request, Processor will make available information necessary to demonstrate compliance with this DPA and allow for audits mandated by applicable law or a supervisory authority, subject to confidentiality, security, and frequency constraints. Processor may satisfy audit rights through third-party certifications or summaries where appropriate.

12. Order of precedence

If this DPA conflicts with a separately executed enterprise agreement or order form that expressly amends processor obligations, the signed document controls for that subject matter. Otherwise, the Terms and this DPA apply.

13. Contact

DPA questions: technical@thepinnacle.media