DATA PROCESSING AGREEMENT

SimpliAutomatic Platform | Ciigma USA, Inc.

Version 1.0 — Effective January 1, 2026

Electronic Acceptance — Self-Service / Stripe Checkout

PARTIES: This Agreement is entered into between Ciigma USA, Inc., a Texas C-Corporation with its principal place of business at 18102 Talavera Ridge, San Antonio, TX 78257 ("Ciigma" or "Processor"), and the individual or entity that accepts these terms by creating an account on the SimpliAutomatic platform or by using the Services (the "Client" or "Controller").

Electronic Acceptance

By checking the box labeled "I accept the Data Processing Agreement" during account creation or checkout on the SimpliAutomatic platform (simpliautomatic.com), or by otherwise accepting the SimpliAutomatic Terms of Service and Privacy Policy, the Client electronically executes this Data Processing Agreement ("DPA"). This electronic acceptance constitutes a legally binding signature under applicable law, including the Electronic Signatures in Global and National Commerce Act (E-SIGN Act, 15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act (UETA), as enacted in the State of Texas (Tex. Bus. & Com. Code § 322.001 et seq.).

The date of acceptance is the date on which the Client completes the account registration or checkout process on the SimpliAutomatic platform. Ciigma maintains electronic records of all acceptances, including the date, time, IP address, and account identifier associated with each acceptance.

Recitals

WHEREAS, Ciigma provides the SimpliAutomatic SaaS platform, a white-label solution built on HighLevel technology, offering CRM, marketing automation, AI-powered communications, and related services ("Services");

WHEREAS, in the course of providing the Services, Ciigma may Process Personal Data on behalf of the Client as a Processor (or Service Provider under CCPA);

WHEREAS, the Parties wish to set forth the terms and conditions governing such Processing to comply with Applicable Data Protection Laws;

NOW, THEREFORE, in consideration of the mutual promises herein and for other good and valuable consideration, the Parties agree as follows:

Section 1. Definitions

As used in this Data Processing Agreement, the following terms shall have the meanings set forth below:

"Applicable Data Protection Law": means all applicable laws and regulations relating to the Processing of Personal Data, including without limitation: the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA, Cal. Civ. Code §§ 1798.100–1798.199); the Virginia Consumer Data Protection Act (VCDPA, Va. Code §§ 59.1-575 through 59.1-585); the Colorado Privacy Act (CPA, Colo. Rev. Stat. §§ 6-1-1301 through 6-1-1313); the Connecticut Data Privacy Act (CTDPA); the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); the UK GDPR; and any other applicable state, federal, or international data protection laws and regulations, in each case as amended from time to time.

"Business": has the meaning given to it in the CCPA, being a for-profit entity that collects Consumers' Personal Information, does business in California, and satisfies one of the CCPA thresholds. For purposes of this DPA, the Client is the Business.

"CCPA": means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100–1798.199, as amended by the California Privacy Rights Act of 2020 (CPRA) and as may be further amended from time to time.

"Consumer": has the meaning given to it in the CCPA, being a natural person who is a California resident.

"Controller": means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under the CCPA, this corresponds to the term "Business."

"Data Protection Assessment": means an assessment conducted by a Controller to evaluate the risks of Processing activities to the rights and interests of Data Subjects, as required by certain Applicable Data Protection Laws including the VCDPA and CPA.

"Data Subject": means an identified or identifiable natural person about whom Personal Data relates. Under the CCPA, this corresponds to the term "Consumer."

"GDPR": means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"Personal Data": means any information relating to an identified or identifiable natural person. This includes "Personal Information" as defined under the CCPA and similar terms under other Applicable Data Protection Laws. The categories of Personal Data Processed under this DPA are set forth in Annex I.

"Processing": means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor": means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. Under the CCPA, this corresponds to the term "Service Provider."

"Security Incident": means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Service Provider": has the meaning given to it under Cal. Civ. Code § 1798.140(ag), being an entity that processes Personal Information on behalf of a Business pursuant to a written contract that prohibits the Service Provider from retaining, using, or disclosing Personal Information outside the direct business relationship.

"Services": means the SimpliAutomatic SaaS platform and all related services provided by Ciigma to the Client pursuant to the applicable service or subscription agreement ("Main Agreement").

"Standard Contractual Clauses" or "SCCs": means the standard data protection clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated from time to time.

"Subprocessor": means any Processor engaged by Ciigma to Process Personal Data on Ciigma's behalf in connection with the provision of the Services. The current list of Subprocessors is set forth in Annex III.

"UK Addendum": means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018.

"UK GDPR": means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

Section 2. Scope and Roles

2.1 Nature of Engagement

This DPA applies to the Processing of Personal Data by Ciigma in the course of providing the Services to the Client under the Main Agreement. Ciigma acts as a Processor (and Service Provider under CCPA) and the Client acts as the Controller (and Business under CCPA) with respect to Personal Data of the Client's customers, contacts, and other Data Subjects.

2.2 Categories of Data Processed

Ciigma may Process the following categories of Personal Data in connection with the Services:

  • Contact information: first and last name, email address, telephone number, mailing address, and other identifiers
  • Usage and behavioral data: platform usage logs, interaction history, feature usage, timestamps, and device identifiers
  • Communication content: SMS messages, email content, voice recordings or transcripts, AI chatbot conversation logs
  • CRM data: deal stages, notes, task records, pipeline data, tags, and custom fields configured by the Client
  • Account data: usernames, account settings, subscription information, and billing contact information
  • Third-party integration data: data submitted via webhooks, Zapier integrations, or API connections configured by the Client

2.3 Categories of Data Subjects

Personal Data relates to the following categories of Data Subjects:

  • The Client's customers, clients, and end users
  • The Client's leads, prospects, and contacts
  • The Client's employees and authorized platform users
  • Any other natural persons whose Personal Data the Client submits to the Services

2.4 Processing on Instructions

Ciigma shall Process Personal Data only on documented instructions from the Client, including as set forth in this DPA and the Main Agreement, unless required to do so by applicable law, in which case Ciigma shall, to the extent permitted by applicable law, inform the Client of such legal requirement prior to Processing.

Section 3. Client Obligations

3.1 Lawful Basis

The Client represents and warrants that it has a valid and lawful basis for Processing Personal Data under all Applicable Data Protection Laws, including but not limited to: (a) obtaining informed consent from Data Subjects where required; (b) establishing another lawful basis for Processing (such as legitimate interests, contractual necessity, or legal obligation under GDPR Article 6); and (c) complying with all notice requirements imposed by Applicable Data Protection Laws.

3.2 Notice to Data Subjects

The Client is solely responsible for providing adequate notice to Data Subjects regarding the collection, use, and Processing of their Personal Data, including providing a privacy notice or privacy policy that accurately describes the Processing activities, the categories of Personal Data collected, and the purposes of Processing, to the extent required by Applicable Data Protection Laws.

3.3 Consent

Where Processing is based on consent, the Client is solely responsible for obtaining, recording, and managing valid consent from Data Subjects, and for honoring withdrawals of consent in a timely manner. The Client shall maintain records of all consents obtained and shall make such records available to Ciigma upon written request in connection with compliance obligations.

3.4 Compliance with Applicable Laws

The Client shall at all times comply with all Applicable Data Protection Laws with respect to its role as Controller or Business, and shall not instruct Ciigma to Process Personal Data in a manner that would violate Applicable Data Protection Laws. The Client acknowledges that it is responsible for determining the appropriateness of using the Services for processing any particular category of Personal Data.

Section 4. Processing Instructions

4.1 Documented Instructions

The Client's instructions for Processing are documented in this DPA and the Main Agreement. Any additional instructions must be provided in writing and agreed to by Ciigma. The scope of Processing permitted is limited to what is necessary to provide the Services or as otherwise expressly authorized in writing by the Client.

4.2 Unlawful Instructions

If Ciigma reasonably determines that an instruction from the Client infringes Applicable Data Protection Law, Ciigma shall promptly notify the Client in writing. Ciigma shall not be required to comply with any instruction that would cause Ciigma to violate any applicable law. Ciigma shall not be liable for any failure to perform under this DPA to the extent such failure results from Ciigma's compliance with this obligation.

4.3 Scope Limitation

Ciigma shall not Process Personal Data outside the scope of this DPA or the Main Agreement without prior written consent from the Client. Ciigma shall not sell, share, retain, use, or disclose Personal Data for any purpose other than providing the Services or as otherwise permitted under this DPA or Applicable Data Protection Law.

Section 5. Confidentiality

5.1 Personnel Obligations

Ciigma shall ensure that all personnel authorized to Process Personal Data are subject to binding obligations of confidentiality with respect to such Personal Data, whether by contract, professional duty, or statutory obligation, and that such obligations survive the termination of their employment or engagement. Access to Personal Data shall be strictly limited to those personnel who require such access to perform their functions in connection with the Services.

5.2 Access Limitations

Ciigma shall implement technical controls to enforce the principle of least privilege, ensuring that personnel access only the Personal Data necessary for their specific role and responsibilities. Ciigma shall maintain an access log and shall conduct periodic access reviews, at least annually, to revoke unnecessary access rights.

5.3 Disclosure to Authorities

Ciigma shall not disclose Personal Data to any law enforcement, government, or regulatory authority except as required by applicable law or valid legal process. To the extent permitted by applicable law, Ciigma shall promptly notify the Client of any request by an authority for disclosure of Personal Data and shall cooperate with the Client's reasonable requests regarding the scope and timing of such disclosure.

Section 6. Security Measures

6.1 Technical and Organizational Measures

Ciigma shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (collectively, "Security Measures"). The Security Measures shall be appropriate to the risks presented by the nature, scope, context, and purposes of the Processing. The Security Measures currently implemented by Ciigma are set forth in Annex II to this DPA.

6.2 Minimum Security Standards

Ciigma's Security Measures shall include, at minimum, the following:

  • Encryption of Personal Data at rest using AES-256 encryption
  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Role-based access controls (RBAC) and enforcement of the principle of least privilege
  • Multi-factor authentication (MFA) for all personnel accessing production systems containing Personal Data
  • Comprehensive audit logging and monitoring of access to Personal Data
  • Regular vulnerability assessments and penetration testing (at least annually)
  • Formal incident response plan tested at least annually

6.3 Updates to Security Measures

Ciigma may update or modify the Security Measures from time to time, provided that any such updates shall not materially reduce the level of security protection afforded to Personal Data. Ciigma shall notify the Client of any material reductions in security measures at least thirty (30) days prior to implementation.

Section 7. Subprocessing

7.1 General Written Authorization

The Client hereby provides general written authorization to Ciigma to engage Subprocessors to assist in providing the Services. By entering into this DPA, the Client specifically authorizes the engagement of the Subprocessors listed in Annex III. Ciigma shall enter into written agreements with each Subprocessor imposing data protection obligations that are no less protective than those set forth in this DPA, to the extent applicable to the nature of the services provided by such Subprocessor.

7.2 Notification of New Subprocessors

Ciigma shall provide the Client with at least thirty (30) days' prior written notice before adding or replacing any Subprocessor. Such notice shall identify the new or replacement Subprocessor, the category of services to be provided, and the country where the Subprocessor is located. Ciigma will make the updated Subprocessor list available at simpliautomatic.com/legal or upon written request.

7.3 Right to Object

The Client may object to the addition of a new Subprocessor on reasonable grounds related to data protection by providing written notice to Ciigma within fifteen (15) days of receiving notification. If the Client objects, the Parties shall work in good faith to resolve the Client's concerns. If the Parties are unable to resolve the Client's concerns within thirty (30) days of the Client's objection, the Client may terminate the affected portion of the Services upon written notice, provided that such termination shall not relieve the Client of any payment obligations accrued prior to termination.

7.4 Subprocessor Liability

Ciigma remains responsible to the Client for the performance of each Subprocessor's obligations with respect to data protection. Where a Subprocessor fails to fulfill its data protection obligations, Ciigma shall remain fully liable to the Client for the performance of those obligations, to the extent Ciigma is liable under this DPA.

Section 8. Data Subject Rights

8.1 Assistance Obligations

Ciigma shall provide commercially reasonable assistance to the Client in fulfilling the Client's obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including requests for: (a) access to Personal Data; (b) rectification or correction of inaccurate Personal Data; (c) erasure or deletion of Personal Data ("right to be forgotten"); (d) portability of Personal Data in a structured, commonly used, machine-readable format; (e) restriction of Processing; and (f) objection to Processing.

8.2 Response Timeline

Upon receipt of a written request from the Client regarding a Data Subject request, Ciigma shall respond within ten (10) business days and shall provide the requested assistance in a timeframe that allows the Client to meet any applicable legal deadline for responding to the Data Subject. Where technically feasible, Ciigma shall provide the Client with tools or platform functionality to enable the Client to fulfill Data Subject requests directly.

8.3 Direct Data Subject Requests

If Ciigma receives a Data Subject request directly that relates to Personal Data for which the Client is the Controller, Ciigma shall promptly forward such request to the Client and shall not respond to the Data Subject directly without the Client's prior written authorization, except as required by applicable law.

8.4 Fees for Excessive Requests

Ciigma may charge the Client reasonable fees for assistance with Data Subject rights requests that are excessive, repetitive, or manifestly unfounded. Ciigma shall notify the Client in writing before imposing any such fees and shall provide justification for the basis of the fee. The Client acknowledges that the primary responsibility for responding to Data Subject requests rests with the Client as Controller.

Section 9. Data Breach Notification

9.1 Notification Timeline

In the event that Ciigma becomes aware of a confirmed Security Incident, Ciigma shall notify the Client without undue delay and, where feasible, within forty-eight (48) hours of confirming the Security Incident. The Parties acknowledge that many US state laws impose their own notification timelines, including: California (Cal. Civ. Code § 1798.82): notification to affected individuals without unreasonable delay; notification to the California Attorney General if breach affects more than 500 California residents; Texas (Tex. Bus. & Com. Code § 521.053): notification to affected individuals within sixty (60) days; and other states with varying requirements ranging from 30–72 hours after discovery. Ciigma's notification to the Client within 48 hours of confirming a breach is intended to provide the Client sufficient time to comply with its own notification obligations under applicable law.

9.2 Content of Notification

Ciigma's notification of a Security Incident shall include, to the extent known at the time of notification:

  • A description of the nature of the Security Incident
  • The categories and approximate number of Data Subjects affected
  • The categories and approximate number of Personal Data records affected
  • The name and contact information of Ciigma's data protection contact
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to be taken to address the Security Incident, including measures to mitigate potential adverse effects

If all required information is not available at the time of initial notification, Ciigma may provide information in phases as it becomes available, without undue further delay.

9.3 Cooperation

Ciigma shall cooperate fully with the Client's investigation of any Security Incident and shall take all commercially reasonable measures to: (a) mitigate the effects of the Security Incident; (b) prevent future Security Incidents of the same type; and (c) assist the Client in complying with its obligations to notify Data Subjects, supervisory authorities, and other required parties. Ciigma shall not make any public disclosure regarding a Security Incident without prior written approval from the Client, unless required to do so by applicable law.

Section 10. Cross-Border Data Transfers

10.1 Transfers of EU/EEA Personal Data

To the extent Ciigma Processes Personal Data of Data Subjects located in the European Economic Area (EEA) and such Processing involves a transfer of Personal Data to a third country (including the United States), such transfer shall be governed by the Standard Contractual Clauses (Module 2: Transfer Controller to Processor) adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021, which are incorporated herein by reference as Annex IV, together with any supplementary measures required to ensure compliance with the GDPR following the judgment of the Court of Justice of the European Union in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, "Schrems II").

10.2 Transfers of UK Personal Data

To the extent Ciigma Processes Personal Data of Data Subjects located in the United Kingdom, transfers of such Personal Data to countries not covered by an adequacy decision of the UK Information Commissioner's Office shall be governed by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner's Office under S119A(1) of the UK Data Protection Act 2018, the terms of which are incorporated into this DPA by reference.

10.3 Primary Storage Location

Personal Data processed through the SimpliAutomatic platform is primarily stored in the United States, on infrastructure operated by HighLevel, Inc. Ciigma shall ensure that any transfers of Personal Data from the EU/EEA or UK to the United States are subject to appropriate transfer mechanisms as specified in Sections 10.1 and 10.2, and that Subprocessors engaged for such transfers are bound by equivalent obligations. Ciigma shall maintain a Transfer Impact Assessment documenting supplementary measures implemented to ensure an essentially equivalent level of protection to that guaranteed within the EEA.

Section 11. CCPA/CPRA Specific Provisions

11.1 Service Provider Status

For purposes of the CCPA and CPRA, Ciigma is a "Service Provider" as defined in Cal. Civ. Code § 1798.140(ag). This DPA constitutes the written contract required by the CCPA between the Business (Client) and the Service Provider (Ciigma). Ciigma acknowledges and agrees that it shall Process Personal Information (as defined in the CCPA) only as necessary to perform the Services under this DPA and the Main Agreement, or as otherwise permitted under Cal. Civ. Code § 1798.140(ag)(1).

11.2 Prohibition on Sale or Sharing

Ciigma hereby certifies that it: (a) shall not sell or share Personal Information as those terms are defined in the CCPA; (b) shall not retain, use, or disclose Personal Information for any purpose other than performing the Services or as otherwise permitted by the CCPA; (c) shall not retain, use, or disclose Personal Information for a commercial purpose other than providing the Services; and (d) shall not retain, use, or disclose Personal Information outside of the direct business relationship between Ciigma and the Client, except as permitted under the CCPA.

11.3 Combining Personal Information

Ciigma shall not combine Personal Information received from the Client or collected from Consumers pursuant to this DPA with Personal Information received from or collected from other sources, except as permitted under Cal. Civ. Code § 1798.140(ag)(1)(A).

11.4 Consumer Rights Cooperation

Ciigma shall cooperate with the Client in responding to verifiable Consumer requests submitted under the CCPA, including requests to know, delete, correct, and opt-out of sale or sharing of Personal Information. Ciigma shall assist the Client in fulfilling such requests within the timeframes required by applicable law and shall maintain adequate processes to enable the Client to comply with its CCPA obligations.

11.5 Certification of Understanding

Ciigma certifies that it understands the restrictions set forth in this Section 11 and agrees to comply with them. Ciigma acknowledges that failure to comply with the CCPA requirements applicable to Service Providers may result in loss of its Service Provider status and increased regulatory exposure.

11.6 Audit Rights under CCPA

The Client shall have the right to audit Ciigma's compliance with this Section 11 in accordance with Section 14 of this DPA. Ciigma shall cooperate with any such audit and shall make available all records and information necessary to demonstrate compliance with its obligations as a Service Provider under the CCPA.

Section 12. Multi-State Privacy Law Compliance

12.1 Applicability

In addition to the CCPA/CPRA requirements set forth in Section 11, Ciigma shall assist the Client in complying with other applicable state privacy laws to the extent that the Client Processes Personal Data of residents of those states through the Services. Such laws include without limitation:

  • Virginia Consumer Data Protection Act (VCDPA, Va. Code §§ 59.1-575 et seq.), effective January 1, 2023
  • Colorado Privacy Act (CPA, Colo. Rev. Stat. §§ 6-1-1301 et seq.), effective July 1, 2023
  • Connecticut Data Privacy Act (CTDPA, Pub. Act No. 22-15), effective July 1, 2023
  • Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code § 541 et seq.), effective July 1, 2024
  • Any other state privacy laws enacted or effective during the term of this DPA

12.2 Processor Obligations

Ciigma, as a Processor under the VCDPA, CPA, CTDPA, and similar multi-state laws, shall: (a) Process Personal Data only in accordance with the Client's documented instructions and this DPA; (b) ensure that personnel Processing Personal Data are subject to a duty of confidentiality; (c) delete or return Personal Data upon the termination of the Services, unless retention is required by applicable law; (d) make available all information reasonably necessary to demonstrate compliance with its obligations; (e) engage Subprocessors only pursuant to written contracts imposing equivalent obligations; and (f) notify the Client if Ciigma determines it can no longer meet its obligations under applicable state privacy law.

12.3 Data Protection Assessments

Where required by Applicable Data Protection Law (including the VCDPA, CPA, and CTDPA), Ciigma shall assist the Client, at the Client's written request, in conducting Data Protection Assessments for Processing activities that present heightened risk to Data Subjects. Ciigma shall provide reasonably available information and cooperate with the Client's assessment process. Ciigma may charge reasonable fees for assistance with Data Protection Assessments that require substantial time or resources.

Section 13. GDPR Specific Provisions

13.1 Applicability

This Section 13 applies where and to the extent that Ciigma Processes Personal Data of Data Subjects located in the European Economic Area or the United Kingdom on behalf of the Client, and such Processing is subject to the GDPR or UK GDPR (collectively referred to in this Section as the "GDPR Requirements").

13.2 Article 28 Requirements

This DPA is intended to satisfy the requirements for a Processor agreement under Article 28 of the GDPR. In performing its obligations under this DPA, Ciigma shall comply with all requirements applicable to Processors under the GDPR, including without limitation: (a) Processing Personal Data only on documented instructions; (b) ensuring confidentiality of Processing personnel; (c) implementing appropriate technical and organizational security measures; (d) engaging Subprocessors pursuant to written agreements; (e) assisting the Client with Data Subject rights; (f) deleting or returning Personal Data upon termination; and (g) making available all information necessary to demonstrate compliance and cooperating with audits.

13.3 Data Protection Officer

For data protection inquiries related to GDPR compliance, the Client may contact Ciigma's designated data protection representative at: legal@ciigma.com. For EU-related inquiries, the Client may also contact Ciigma Technologies SL, Ciigma's EU affiliate, which acts as a point of contact for EU supervisory authorities.

13.4 DPIA Assistance

Ciigma shall assist the Client in conducting Data Protection Impact Assessments (DPIAs) as required under GDPR Article 35, and in consulting with relevant supervisory authorities as required under GDPR Article 36, by providing reasonably available information regarding the Processing activities conducted on behalf of the Client.

13.5 Records of Processing

Ciigma shall maintain records of Processing activities carried out on behalf of the Client as required under GDPR Article 30(2), including the information specified in that provision. Ciigma shall make such records available to the Client and to supervisory authorities upon written request.

13.6 Supervisory Authority Cooperation

Ciigma shall cooperate, as required, with the supervisory authority responsible for the Client (or for the Data Subjects' jurisdiction) in the performance of its tasks related to the Processing of Personal Data under this DPA. Ciigma shall promptly notify the Client of any communications received from supervisory authorities that relate to Personal Data Processed on behalf of the Client.

Section 14. Audit Rights

14.1 Right to Audit

The Client shall have the right to audit Ciigma's compliance with this DPA no more than once per calendar year, upon at least thirty (30) days' prior written notice, during normal business hours and in a manner that does not unreasonably interfere with Ciigma's business operations. Any audit shall be conducted by the Client or by a mutually agreed-upon qualified, independent third-party auditor.

14.2 Audit in Lieu

In satisfaction of Ciigma's audit obligations, Ciigma may, at its discretion, provide the Client with a copy of a current SOC 2 Type II audit report, ISO 27001 certification, or equivalent independent security assessment conducted by a qualified third party within the preceding twelve (12) months. If such a report is provided, the Client agrees that this satisfies Ciigma's audit cooperation obligations under this Section for the applicable audit period, unless the Client has specific concerns not addressed by such report.

14.3 Confidentiality of Audit

All information obtained during any audit shall be treated as confidential information of Ciigma and shall be subject to confidentiality obligations no less restrictive than those in the Main Agreement. The Client shall ensure that any third-party auditor engaged by the Client is bound by equivalent confidentiality obligations prior to commencing any audit activities.

14.4 Audit Costs

The Client shall bear all costs and expenses associated with any audit, except that Ciigma shall bear the costs associated with making its personnel and records reasonably available for audit purposes. If an audit reveals material non-compliance by Ciigma with this DPA, Ciigma shall bear reasonable audit costs and shall promptly remediate any identified deficiencies.

Section 15. Data Retention and Deletion

15.1 Retention During Term

Ciigma shall retain Personal Data only for as long as necessary to provide the Services or as otherwise required by applicable law. Ciigma shall implement appropriate data minimization policies and shall not retain Personal Data beyond the period necessary for the documented purposes of Processing.

15.2 Return or Deletion Upon Termination

Upon the termination or expiration of the Main Agreement for any reason, or upon the written request of the Client at any time, Ciigma shall, within thirty (30) days: (a) return all Personal Data to the Client in a structured, commonly used, and machine-readable format; or (b) securely delete or destroy all Personal Data, at the Client's election. Ciigma shall provide the Client with written certification of deletion or return upon completion.

15.3 Legal Retention Requirements

Notwithstanding Section 15.2, Ciigma may retain Personal Data to the extent and for the duration required by applicable law, provided that: (a) Ciigma notifies the Client of such retention and the legal basis therefor; (b) the retained Personal Data is protected by appropriate security measures; and (c) Ciigma deletes the retained Personal Data as soon as the legal retention requirement ceases to apply.

15.4 Backup Systems

The Parties acknowledge that Personal Data contained in backup or archival systems may not be immediately deletable upon termination. Ciigma shall overwrite or delete all such backup copies containing Personal Data in accordance with its standard backup rotation schedules, and in any event within ninety (90) days of the termination or expiration of the Main Agreement, unless longer retention is required by applicable law.

Section 16. Liability

16.1 Liability Cap

Each Party's total liability to the other Party arising out of or related to this DPA shall be subject to the liability limitations set forth in the Main Agreement, including any applicable caps on damages. Where no Main Agreement limitation applies, each Party's liability shall not exceed the total fees paid or payable by the Client to Ciigma during the twelve (12) months immediately preceding the event giving rise to the claim.

16.2 Indemnification

Each Party shall indemnify, defend, and hold harmless the other Party and its officers, directors, employees, agents, and successors from and against any claims, damages, penalties, fines, costs, and expenses (including reasonable attorneys' fees) arising from: (a) that Party's breach of its obligations under this DPA; or (b) that Party's violation of Applicable Data Protection Law with respect to the Processing of Personal Data. A Party's obligation to indemnify shall be conditioned upon: (i) prompt written notice of the claim; (ii) the indemnifying Party's right to control the defense; and (iii) the indemnified Party's reasonable cooperation in the defense.

16.3 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATED TO THIS DPA, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, EXCEPT TO THE EXTENT SUCH EXCLUSION IS PROHIBITED BY APPLICABLE DATA PROTECTION LAW OR ARISES FROM GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR INTENTIONAL BREACH OF THIS DPA.

Section 17. Term and Termination

17.1 Term

This DPA shall be effective as of the date of the Client's acceptance (as set forth in the Main Agreement or, for the Clickwrap Version, as of the date of electronic acceptance) and shall remain in effect for the duration of the Main Agreement, including any renewal terms. This DPA shall automatically terminate upon the termination or expiration of the Main Agreement for any reason.

17.2 Effect of Termination

Upon termination of this DPA: (a) Ciigma shall comply with the data return and deletion obligations set forth in Section 15; (b) each Party shall promptly return or destroy the other Party's confidential information; and (c) the provisions of this DPA that by their nature should survive termination (including Sections 5, 9, 15, 16, and 18) shall survive and remain in full force and effect.

Section 18. General Provisions

18.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of laws provisions. For Processing activities subject to the GDPR, nothing in this governing law clause shall limit the rights of Data Subjects or supervisory authorities under applicable EU data protection law.

18.2 Dispute Resolution

Any dispute arising from or related to this DPA shall first be subject to good-faith negotiation between the Parties. If the dispute cannot be resolved through negotiation within thirty (30) days, it shall be submitted to binding arbitration in San Antonio, Texas, in accordance with the rules of the American Arbitration Association, before a single arbitrator with expertise in data privacy law. The arbitrator's decision shall be final and binding. Each Party shall bear its own costs, and the Parties shall equally share the arbitrator's fees.

18.3 Entire Agreement for Data Processing

This DPA, together with the Main Agreement and any applicable Standard Contractual Clauses, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior agreements, representations, and understandings of the Parties with respect to such subject matter. In the event of any conflict between this DPA and the Main Agreement with respect to data processing matters, this DPA shall prevail.

18.4 Amendments

This DPA may not be amended except by a written instrument signed by authorized representatives of both Parties (or, in the case of the Clickwrap Version, by Ciigma providing notice of the amendment and the Client continuing to use the Services after the effective date of the amendment). Ciigma shall provide at least thirty (30) days' notice of any material amendment to this DPA. If the Client objects to a material amendment, it may terminate the Main Agreement in accordance with its terms.

18.5 Severability

If any provision of this DPA is held by a court or arbitrator of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the Parties shall negotiate in good faith to replace the invalid or unenforceable provision with a valid provision that achieves the same or similar commercial and legal effect.

18.6 No Waiver

No failure or delay by either Party in exercising any right, power, or remedy under this DPA shall operate as a waiver of that right, power, or remedy. No waiver of any breach of this DPA shall be deemed to be a waiver of any subsequent breach.

18.7 Counterparts

This DPA (or the Base Template version) may be executed in counterparts, each of which shall be deemed an original and all of which, taken together, shall constitute one and the same instrument. Electronic signatures shall be deemed valid under applicable law.

Acceptance Declaration

ELECTRONIC ACCEPTANCE: By checking the box labeled "I accept the Data Processing Agreement" during account creation or checkout on the SimpliAutomatic platform, or by accessing or using the Services, the Client electronically executes this DPA and acknowledges that: (a) the Client has read and understood the terms of this DPA; (b) the Client has authority to bind the legal entity on whose behalf it is acting; (c) this DPA constitutes a binding legal agreement between the Client and Ciigma USA, Inc.; and (d) the Client has had an opportunity to seek independent legal counsel regarding the terms of this DPA.

Ciigma USA, Inc. accepts these terms and agrees to be bound by this DPA on behalf of itself and its affiliates and Subprocessors:

Ciigma USA, Inc. | legal@ciigma.com | simpliautomatic.com | Version 1.0 — Effective May 15, 2026


ANNEX I — DETAILS OF PROCESSING

This Annex I sets forth the details of the Processing of Personal Data by Ciigma as Processor on behalf of the Client as Controller, as required by Article 28(3) of the GDPR and equivalent provisions of Applicable Data Protection Laws.

| Processing Detail | Description |
| --- | --- |
| Categories of Data Subjects | Clients' customers, leads, prospects, contacts, end users, and employees whose data is submitted to the Services |
| Categories of Personal Data | Contact information (name, email, phone, address), usage data, communication content (SMS, email, voice), CRM records, custom fields, AI conversation transcripts, payment information references |
| Special Categories of Data | None anticipated; Client must notify Ciigma if any special category data will be processed |
| Processing Purposes | Providing the SimpliAutomatic SaaS platform, CRM functionality, marketing automation, AI-powered communications, analytics, and related support services |
| Duration of Processing | For the term of the applicable Service Agreement plus any legally required retention period; data deleted within 30 days of termination upon written request |
| Nature of Processing | Collection, storage, retrieval, consultation, use, disclosure by transmission, structuring, adaptation, combination, erasure, and destruction |
| Frequency of Transfer | Continuous during the term of the Agreement |
| Geographic Locations | United States (primary); EU/EEA (Elestio SAS, Ciigma Technologies SL); transfers subject to appropriate safeguards per Section 10 |

ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Annex II describes the technical and organizational measures implemented by Ciigma to ensure an appropriate level of security for Personal Data, as required by Article 32 of the GDPR and Section 6 of this DPA. These measures are subject to updates by Ciigma, provided that any updates shall maintain an equivalent or higher level of security protection.

| Security Measure | Implementation Details |
| --- | --- |
| Encryption at Rest | AES-256 encryption for all stored personal data; database-level and disk-level encryption enforced across all environments |
| Encryption in Transit | TLS 1.2 or higher required for all data transmissions; HTTPS enforced across all endpoints; certificate management via automated tooling |
| Access Controls | Role-based access control (RBAC); principle of least privilege enforced; privileged access management (PAM) for administrative accounts |
| Multi-Factor Authentication | MFA mandatory for all personnel with access to production systems containing personal data; hardware tokens or authenticator apps required |
| Audit Logging | Comprehensive audit logs for all access to personal data; log retention minimum 12 months; tamper-evident logging systems |
| Vulnerability Management | Regular penetration testing (at least annually); automated vulnerability scanning; patch management policy with defined SLAs by severity |
| Incident Response | Documented incident response plan; trained incident response team; annual tabletop exercises; 48-hour breach notification SLA to clients |
| Physical Security | Data centers operated by SOC 2 Type II certified providers; physical access controls; 24/7 monitoring and CCTV |
| Personnel Training | Annual security awareness training; background checks for personnel with data access; confidentiality agreements for all staff |
| Business Continuity | Regular data backups; tested recovery procedures; defined RPO/RTO objectives; geographic redundancy for critical systems |
| Data Minimization | Collection limited to data necessary for service provision; periodic data audits; automatic purging per retention schedules |
| Vendor Security | Security assessments of subprocessors; contractual security requirements imposed on all subprocessors; annual review of subprocessor compliance |

ANNEX III — LIST OF APPROVED SUBPROCESSORS

This Annex III sets forth the list of Subprocessors currently authorized to Process Personal Data in connection with the Services, as contemplated by Section 7 of this DPA. Ciigma shall update this list in accordance with the notification requirements in Section 7.2. The current, up-to-date Subprocessor list is also maintained at simpliautomatic.com/legal.

| Subprocessor Name | Country / Region | Processing Activity |
| --- | --- | --- |
| HighLevel, Inc. | USA | Core SaaS infrastructure, CRM, automation |
| CloseBot, Inc. | USA | AI chatbot processing and conversation flows |
| OpenAI, L.L.C. | USA | AI / Large Language Model processing |
| Anthropic, PBC | USA | AI / Large Language Model processing |
| Google LLC / Cloud AI | USA | AI / LLM processing, cloud infrastructure |
| Elestio SAS | France / EU | Managed hosting and infrastructure |
| Vercel Inc. | USA | Frontend hosting and content delivery |
| Ciigma Technologies SL | Spain / EU | EU affiliate, customer support |

Each Subprocessor listed above is bound by written data processing agreements with Ciigma that impose data protection obligations equivalent to or more protective than those imposed by this DPA. Ciigma shall make available upon written request the data protection agreements with any Subprocessor, subject to appropriate confidentiality obligations.


ANNEX IV — STANDARD CONTRACTUAL CLAUSES REFERENCE

A. EU Standard Contractual Clauses

For transfers of Personal Data from the EU/EEA to third countries (including the United States), the Standard Contractual Clauses adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs") are incorporated into this DPA.

The EU SCCs apply in Module 2 (Transfer Controller to Processor), with the following stipulations:

Clause 7 (Docking Clause): The docking clause is NOT selected by default. Amendments to include additional Controllers require written consent of both Parties.

Clause 9(a) (Subprocessors): Option 2 (General Written Authorization) applies, with a 30-day notice period for changes as specified in Section 7 of this DPA.

Clause 11 (Redress): The option allowing Data Subjects to lodge complaints with an independent dispute resolution body IS selected. Ciigma shall maintain access to an appropriate dispute resolution mechanism.

Clause 13 (Supervisory Authority): The supervisory authority is determined by where the data exporter (Client) is established or, if the Client is not established in the EU, by the supervisory authority of the EU Member State where Data Subjects are located.

Clause 17 (Governing Law): The EU SCCs shall be governed by the law of the EU Member State in which the Client (data exporter) is established, or, where the Client is not established in an EU Member State, the law of Ireland.

Clause 18 (Jurisdiction): Disputes arising from the EU SCCs shall be subject to the jurisdiction of the courts of the EU Member State in which the Client is established, or, where the Client is not so established, the courts of Ireland.

Annex I of EU SCCs: Completed as set forth in Annex I of this DPA (Details of Processing).

Annex II of EU SCCs: Completed as set forth in Annex II of this DPA (Technical and Organizational Measures).

Annex III of EU SCCs: Completed as set forth in Annex III of this DPA (List of Subprocessors).

B. UK International Data Transfer Addendum

For transfers of Personal Data subject to the UK GDPR, the UK Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner's Office (ICO) under S119A(1) of the UK Data Protection Act 2018, is incorporated into this DPA, with the following elections:

  • Table 1 (Parties): The details of the Parties are as set out in this DPA.
  • Table 2 (Selected SCCs): The EU SCCs, Module 2, as specified in Part A above.
  • Table 3 (Appendix Information): Annex I, II, and III of this DPA.
  • Table 4 (Ending the Addendum): Both the Importer and the Exporter may end the Addendum in accordance with the ICO's guidance.

C. Supplementary Measures (Schrems II)

In compliance with the judgment of the Court of Justice of the European Union in Case C-311/18 (Schrems II) and guidance from European Data Protection supervisory authorities, Ciigma implements the following supplementary measures for transfers of EU/EEA Personal Data to the United States:

  • Encryption: All Personal Data transferred to the United States is encrypted in transit using TLS 1.2+ and at rest using AES-256, such that data is rendered unintelligible to any third parties (including US authorities) without the decryption key.
  • Access Controls: Strict access controls limit access to plaintext Personal Data to Ciigma personnel with a documented business need, minimizing the number of potential access points for government authorities.
  • Legal Review: Ciigma monitors and reviews US legal developments affecting government access to data and shall promptly notify affected Clients of any changes that affect the adequacy of protection.
  • Transparency Reports: Ciigma shall publish, or make available upon written request, any government access requests received during the preceding twelve (12) months, to the extent permitted by applicable law.
  • Contractual Commitments: Ciigma commits to challenging any government access requests that are unlawfully broad or disproportionate and to asserting available legal challenges before complying.
  • Transfer Impact Assessment: Ciigma maintains a Transfer Impact Assessment evaluating the laws and practices of the United States affecting transfers of EU/EEA Personal Data, which is available upon written request.

— END OF DATA PROCESSING AGREEMENT —

Ciigma USA, Inc. | 18102 Talavera Ridge, San Antonio, TX 78257 | EIN: 30-0975665 | legal@ciigma.com | simpliautomatic.com
