Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service available at app.customercity.com/terms (the “Agreement”) between:

• Customer (the entity that has executed or accepted the Agreement) — acting as the Controller; and
• Customer City, Inc., a Delaware corporation with its principal place of business at 11335 NE 122nd Way, Suite 105, Kirkland, WA 98034, United States — acting as the Processor.

This DPA applies where Customer City processes Personal Data on behalf of the Customer in connection with the Customer City Service. This DPA is intended to comply with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation, and other applicable data protection legislation.

1. Definitions

Capitalized terms not defined in this DPA have the meaning given to them in the Agreement. The following definitions apply to this DPA:

• “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable) the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable US state privacy laws.
• “Controller” means the entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Controller is the Customer.
• “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
• “Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
• “Processing” (and “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
• “Processor” means the entity that processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Customer City, Inc.
• “Service” means the Customer City revenue observability platform, including the web application at app.customercity.com, the Customer City API, and the Customer City Chrome Extension.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• “Sub-Processor” means any third party appointed by Customer City to process Personal Data on behalf of the Customer in connection with the Service.

2. Scope and Roles

2.1 This DPA applies to the Processing of Personal Data by Customer City on behalf of the Customer as described in Annex I.

2.2 The parties acknowledge that:

• The Customer is the Controller and determines the purposes and means of Processing by deciding which integrations to connect, which data to sync, which users to authorize, and whether to enable Data Sync-Back for each connected integration.
• Customer City is the Processor and processes Personal Data solely on behalf of and under the documented instructions of the Customer.

2.3 Customer City does not determine the purposes or means of Processing. The Customer retains exclusive control over what data sources are connected, which personnel are granted access, and how generated insights are used.

2.4 Customer City processes Personal Data solely as a Processor and does not process Personal Data for its own purposes, except for the limited purposes described in Section 3.3 below.

3. Processing Instructions

3.1 Customer City shall Process Personal Data only on documented instructions from the Customer. The Customer's instructions are documented in:

• This DPA and its Annexes;
• The Agreement (Terms of Service);
• The Customer's configuration of the Service (e.g., connecting a Salesforce or HubSpot integration, authorizing user access, enabling specific features, and enabling or disabling Data Sync-Back for each integration); and
• Any additional written instructions provided by the Customer and acknowledged by Customer City.

3.2 If Customer City believes that an instruction from the Customer infringes Applicable Data Protection Law, Customer City shall promptly notify the Customer and may suspend Performance of the relevant Processing until the Customer issues a lawful instruction.

3.3 Limited Processing for Processor's own purposes. Customer City may process Personal Data to the extent reasonably necessary for the following limited purposes:

• To comply with Applicable Data Protection Law or a binding order of a governmental body;
• To detect, prevent, or investigate security incidents or fraud; and
• To maintain and improve the security and integrity of the Service (e.g., error monitoring, infrastructure logging).

3.4 Confidentiality. Customer City shall ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Sub-Processors

4.1 General authorization. The Customer grants Customer City general written authorization to engage Sub-Processors to process Personal Data on behalf of the Customer. The current list of Sub-Processors is set out in Annex III.

4.2 Notice of changes. Customer City shall notify the Customer at least 30 days in advance of any intended addition or replacement of a Sub-Processor by email to the Customer's designated contact address. The notice shall include the Sub-Processor's name, location, and the nature of the Processing.

4.3 Objection right. The Customer may object to a new Sub-Processor by notifying Customer City in writing within 14 days of receiving notice. The objection must state reasonable grounds related to data protection. Customer City shall, at its option:

• Make commercially reasonable efforts to provide the Service without using the objected-to Sub-Processor; or
• Make commercially reasonable changes to the Service to avoid Processing the Customer's Personal Data with the objected-to Sub-Processor; or
• Where neither (a) nor (b) is reasonably possible, either party may terminate the Agreement (and this DPA) on 30 days' notice with respect to the portion of the Service that cannot be provided without the objected-to Sub-Processor, with a pro-rata refund of any prepaid fees for the terminated portion.

4.4 Sub-Processor obligations. Customer City shall:

• Enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA;
• Remain fully liable to the Customer for the acts and omissions of its Sub-Processors; and
• Conduct reasonable due diligence on each Sub-Processor's data protection practices before engagement.

5. Data Security

5.1 Customer City shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as described in Annex II.

5.2 These measures shall include, as appropriate:

• Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256);
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;
• The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

5.3 Customer City shall not materially decrease the overall level of security of the Service during the term of this DPA.

6. Data Breach Notification

6.1 Customer City shall notify the Customer of a Personal Data Breach without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.

6.2 The notification shall include, to the extent reasonably available:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
• The name and contact details of the point of contact (security@customercity.com);
• A description of the likely consequences of the breach;
• A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its effects.

6.3 Where it is not possible to provide all information at the same time, Customer City shall provide the information in phases without further undue delay.

6.4 Customer City shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach, and in the fulfilment of the Customer's obligation to notify the supervisory authority and affected Data Subjects.

7. Data Subject Requests

7.1 Customer City shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including access, rectification, erasure, restriction, portability, and objection).

7.2 If Customer City receives a request directly from a Data Subject, Customer City shall promptly redirect the Data Subject to the Customer and notify the Customer of the request, unless otherwise instructed by the Customer.

7.3 Customer City shall provide the Customer with the ability to access, export, and delete Personal Data through the Service's administrative features, or upon written request to privacy@customercity.com.

8. Audit Rights

8.1 Customer City shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer, subject to the following conditions:

• The Customer shall give Customer City at least 30 days' prior written notice of any audit;
• Audits shall be conducted during normal business hours and shall not unreasonably disrupt Customer City's operations;
• Audits shall be limited to no more than one per 12-month period, unless required by a supervisory authority or following a Personal Data Breach;
• Any third-party auditor must execute a confidentiality agreement acceptable to Customer City before commencing the audit; and
• The Customer shall bear the costs of the audit, except where the audit reveals material non-compliance by Customer City with its obligations under this DPA.

8.2 Customer City shall, upon request, provide copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports, when available) as an alternative to on-site audits. Customer City is currently pursuing SOC 2 Type II certification and will make audit reports available to Customers under NDA upon completion.

9. International Data Transfers

9.1 Customer City is based in the United States. If the Customer is located in the European Economic Area (EEA), the United Kingdom, or Switzerland, Personal Data will be transferred to the United States for Processing.

9.2 For transfers of Personal Data from the EEA to the United States, the parties rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission Implementing Decision (EU) 2021/914, Module 2 (Controller-to-Processor), as further described in Section 12 below.

9.3 For transfers from the United Kingdom, the parties rely on the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018).

9.4 Customer City shall implement supplementary measures where necessary to ensure that the level of protection of Personal Data is not undermined by the transfer, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and data minimization.

10. Data Return and Deletion

10.1 Upon termination of the Agreement, or upon the Customer's written request, Customer City shall:

• Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format (e.g., CSV or JSON export); or
• Delete all Personal Data and existing copies, unless retention is required by Applicable Data Protection Law.

10.2 The Customer shall make its choice between return and deletion within 30 days of termination. If the Customer does not provide written instructions within this period, Customer City shall delete the Personal Data.

10.3 Deletion shall be completed within 30 days of the Customer's instruction (or 30 days after the end of the 30-day election period in Section 10.2). Customer City shall certify in writing that deletion has been completed upon the Customer's request.

10.4 Notwithstanding the foregoing, Customer City may retain Personal Data to the extent required by applicable law (e.g., payment records retained for 7 years per US tax law) and shall continue to protect such data in accordance with this DPA.

11. Duration

11.1 This DPA shall become effective on the date the Customer accepts or executes the Agreement and shall remain in effect for the duration of the Agreement.

11.2 The obligations of Customer City under this DPA with respect to Personal Data shall survive termination of the Agreement for as long as Customer City retains any Personal Data processed on behalf of the Customer.

12. Standard Contractual Clauses

12.1 Where the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to the United States is subject to Applicable Data Protection Law requiring appropriate safeguards, the parties agree that the Standard Contractual Clauses shall apply as follows:

• Module 2 (Controller-to-Processor) shall apply where the Customer (Controller) transfers Personal Data to Customer City (Processor);
• Clause 7 (docking clause): Not applicable;
• Clause 9(a) (Sub-Processor authorization): Option 2 (general written authorization) applies, with the notice period set at 30 days per Section 4.2 of this DPA;
• Clause 11 (redress): The optional language regarding independent dispute resolution is not included;
• Clause 13(a) (supervisory authority): The competent supervisory authority shall be determined in accordance with GDPR Article 55 or 56 (i.e., the supervisory authority of the EEA Member State in which the Customer is established, or where Data Subjects are located);
• Clause 17 (governing law): The SCCs shall be governed by the law of the EU Member State in which the Customer (data exporter) is established;
• Clause 18 (forum): Disputes shall be resolved before the courts of the EU Member State in which the Customer (data exporter) is established.

For transfers originating from the United Kingdom, the UK International Data Transfer Addendum (as referenced in Section 9.3) governs the interpretation of Clauses 17 and 18, and the competent supervisory authority under Clause 13(a) shall be the UK Information Commissioner's Office (ICO).

12.2 The Annexes to the SCCs are completed as follows:

• Annex I (List of Parties, Description of Transfer): As set out in Annex I of this DPA;
• Annex II (Technical and Organizational Measures): As set out in Annex II of this DPA;
• Annex III (List of Sub-Processors): As set out in Annex III of this DPA.

12.3 In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail to the extent of the conflict.

12.4 The full text of the Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914) is incorporated by reference and available in the Official Journal of the European Union at EUR-Lex Decision 2021/914. A copy may also be requested from legal@customercity.com.

12.5 Governing law of DPA. Except as otherwise specified in the SCCs (which are governed by Clause 17), this DPA shall be governed by and construed in accordance with the law governing the Agreement.

Annex I — Processing Details

A. List of Parties

B. Description of Processing

Annex II — Technical and Organizational Measures

Customer City implements the following technical and organizational measures to protect Personal Data:

Encryption

• In transit: All data transmitted between clients and Customer City services is encrypted via TLS 1.2 or higher.
• At rest: Our database provider and object storage provider use AES-256 encryption at rest.

Access Controls

• Authentication: User authentication is managed by a dedicated identity provider with support for SSO (Google, Microsoft), multi-factor authentication (MFA), and session management with automatic expiry.
• Authorization: Role-based access control (RBAC) with tenant isolation ensures that users can only access data belonging to their organization.
• API security: API endpoints require authenticated JWT tokens validated on every request.
• Infrastructure access: Production infrastructure access is limited to authorized personnel and secured with SSH keys and platform-specific authentication.

Network Security

• Web application hosted on an edge-optimized platform with automatic DDoS protection and global CDN.
• API hosted on a container-based platform with isolated runtime environments and private networking.
• Database access restricted to authorized application connections via connection pooling with SSL enforcement.

Data Isolation

• Multi-tenant isolation: All database queries are scoped by tenant ID (organization ID). Data from one customer organization is never accessible to another.
• Chrome Extension: Extension injects UI via closed Shadow DOM, ensuring complete isolation from the host page. Extension data is stored in chrome.storage.local, separate from browser cookies and web page storage.

Monitoring and Logging

• Application error monitoring with automatic alerting for exceptions and performance degradation.
• Structured application logging with 90-day retention.
• Infrastructure monitoring provided by hosting platform providers.

Backup and Recovery

• Database backups managed by our database provider with point-in-time recovery.
• Backup data retained for 30 days and automatically rotated.

Personnel Security

• All personnel with access to Personal Data are subject to confidentiality obligations.
• Access to production systems follows the principle of least privilege.

AI Processing Safeguards

• AI analysis is performed by our AI provider under commercial terms that prohibit the use of customer data for model training.
• Data sent to AI services is limited to the minimum necessary for generating deal insights and health scores.

Certifications

Customer City is currently pursuing SOC 2 Type II certification. Key Sub-Processors maintain their own security certifications (including SOC 2 and PCI DSS as applicable). The current list of Sub-Processors and their certifications is available in Annex III.

Annex III — Sub-Processor List

The following Sub-Processors are authorized by the Customer as of the effective date of this DPA. Customer City will provide 30 days' notice before adding or replacing Sub-Processors per Section 4.2.

Note: Customer-authorized integrations (e.g., Salesforce, HubSpot, Gmail, Outlook, Gong, Gainsight, DocuSign) are not Sub-Processors — they are systems from which the Customer instructs Customer City to read data. These integrations are connected by the Customer via OAuth and can be disconnected at any time.

Contact

For questions about this DPA, to request a copy of the executed Standard Contractual Clauses, or to exercise any rights under this DPA, contact us: