
DATA PROCESSING AGREEMENT

(Service Provider Addendum — CCPA/CPRA Aligned)

Between: Elzinga Creative Studio, LLC (operating as Recoup) ("Recoup," "Service Provider," or "Processor"), and the Client ("Client," "Business," or "Controller").

This Data Processing Agreement ("DPA") supplements and is incorporated into the Client Service Agreement ("Agreement") between the parties. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to data protection matters. Capitalized terms not defined here have the meanings given in the Agreement or applicable privacy law.


1. DEFINITIONS

1.1 "Personal Information" (or "PII") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household, as defined under the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively "CCPA/CPRA") and analogous applicable privacy laws.

1.2 "Client Personal Information" means the Personal Information contained in the Customer List and any other personal data Client provides to Recoup in connection with the Services, including names, postal addresses, phone numbers, email addresses, and service history.

1.3 "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, transmission, erasure, or destruction.

1.4 "Service Provider" has the meaning given in the CCPA/CPRA: an entity that processes Personal Information on behalf of a Business pursuant to a written contract that prohibits the Service Provider from retaining, using, or disclosing Personal Information for any purpose other than performing the services specified in the contract.

1.5 "Consumer Rights Request" means any request by an individual to exercise rights under applicable privacy law, including rights of access, deletion, correction, portability, or opt-out of sale or sharing.

1.6 "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Information.


2. ROLES AND SCOPE

2.1 Roles. Client is the Business (controller) and Recoup is the Service Provider (processor) with respect to Client Personal Information processed under the Agreement.

2.2 Scope of Processing. Recoup will process Client Personal Information only:

(a) As necessary to provide the Services described in the Agreement—specifically, transmitting outbound SMS and/or email messages to individuals on the Customer List on Client's behalf;

(b) As necessary to comply with Client's documented instructions;

(c) As necessary to comply with applicable law; and

(d) As otherwise expressly permitted by this DPA.

2.3 Instructions. Client's execution of the Agreement and its configuration of campaigns constitute Client's documented instructions for Processing. If Recoup believes a Client instruction violates applicable law, Recoup will notify Client before proceeding.


3. PURPOSE LIMITATION AND PROHIBITED USES

Recoup hereby certifies that it understands and agrees to the restrictions in this Section, which are required under the CCPA/CPRA §7051 service-provider framework:

3.1 No Secondary Use. Recoup will not retain, use, or disclose Client Personal Information for any purpose other than providing the Services and fulfilling its obligations under the Agreement and this DPA.

3.2 No Sale. Recoup will not sell Client Personal Information or otherwise make it available to any third party for monetary or other valuable consideration.

3.3 No Sharing for Cross-Context Behavioral Advertising. Recoup will not share Client Personal Information for the purpose of cross-context behavioral advertising.

3.4 No Combining Across Clients. Recoup will not combine Client Personal Information with personal information obtained from any other source, client, or context, including Recoup's other business operations or other clients' data.

3.5 No Commercial Use. Recoup will not use Client Personal Information to build or augment any third-party profile about any consumer.

3.6 Internal Use Exception. Notwithstanding the foregoing, Recoup may retain de-identified or aggregated data (incapable of identifying individuals) for internal analytics, service improvement, and fraud prevention.


4. SUBPROCESSORS

4.1 Current Subprocessors. Client authorizes Recoup to engage the following categories of subprocessors to assist in delivering the Services: (a) SMS/MMS messaging platform providers; (b) email delivery infrastructure providers; (c) cloud hosting and infrastructure providers; (d) analytics and logging tools necessary to operate the platform.

4.2 Subprocessor Obligations. Recoup shall impose data protection obligations on each subprocessor that are no less protective than those in this DPA, and in particular shall prohibit subprocessors from using Client Personal Information for any purpose other than performing services for Recoup in connection with the Services.

4.3 Subprocessor List. Recoup will maintain and, upon Client's written request, provide a current list of material subprocessors that process Client Personal Information.

4.4 New Subprocessors. Recoup will provide Client with at least 14 days' advance written notice before engaging any new subprocessor that will process Client Personal Information. Client may object to a new subprocessor in writing within 10 days; if the parties cannot resolve the objection in good faith within 14 days, Client may terminate the Agreement without penalty.

4.5 Liability. Recoup remains liable for the acts and omissions of its subprocessors to the same extent Recoup would be liable if performing the subprocessor's services directly, subject to the limitations in the Agreement.


5. SECURITY MEASURES

5.1 Standard of Care. Recoup will implement and maintain appropriate technical and organizational security measures designed to protect Client Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

5.2 Minimum Measures. Recoup's security measures include, at a minimum:

(a) Encryption in transit: All transmission of Client Personal Information between Recoup's systems and its subprocessors uses industry-standard encryption (TLS 1.2 or higher);

(b) Encryption at rest: Client Personal Information stored in Recoup's systems is encrypted using AES-256 or equivalent;

(c) Access control: Access to Client Personal Information is restricted to Recoup personnel and subprocessors who need access to perform the Services, under a principle of least privilege;

(d) Authentication: Recoup enforces strong password policies and multi-factor authentication for access to systems containing Client Personal Information;

(e) Audit logging: Recoup maintains access and activity logs for systems containing Client Personal Information;

(f) Vulnerability management: Recoup performs periodic security assessments and promptly addresses identified vulnerabilities.

5.3 Updates. Recoup may update its security measures over time, provided no update materially reduces the overall level of protection provided.


6. SECURITY INCIDENTS

6.1 Notification. Recoup will notify Client without undue delay, and in any event within 72 hours of becoming aware, of any confirmed Security Incident affecting Client Personal Information.

6.2 Contents of Notice. Notification will include, to the extent then known: (a) the nature of the Security Incident; (b) the categories and approximate number of consumers and records affected; (c) the likely consequences of the incident; and (d) the measures Recoup has taken or proposes to take to address the incident.

6.3 Cooperation. Recoup will cooperate with Client and take such steps as Client reasonably requests to investigate, contain, and remediate the Security Incident and to fulfill any legal notification obligations, at Recoup's cost if the incident is caused by Recoup's failure to comply with this DPA.

6.4 No Admission. Recoup's notification of a Security Incident is not an admission of fault or liability.


7. CONSUMER RIGHTS REQUESTS

7.1 Requests to Recoup. If Recoup receives a Consumer Rights Request directly from an individual relating to Client Personal Information, Recoup will promptly (and in no event later than 5 business days) notify Client and forward the request to Client. Recoup will not respond directly to the individual unless instructed in writing by Client or required by applicable law.

7.2 Assistance by Recoup. Recoup will provide Client with reasonable technical assistance to enable Client to fulfill Consumer Rights Requests, including access, deletion, correction, and portability requests, taking into account the nature of the Processing and the information available to Recoup.

7.3 Client's Responsibility. Client is responsible for identifying individuals making Consumer Rights Requests, verifying their identity, and responding within the time limits required by applicable law.


8. RECORDS AND AUDIT

8.1 Records. Recoup will maintain records of its Processing activities relating to Client Personal Information in accordance with applicable law.

8.2 Audit Rights. Upon Client's written request (no more than once per year unless Client has reasonable grounds to suspect a violation of this DPA), Recoup will provide Client with information reasonably necessary to demonstrate Recoup's compliance with this DPA, which may include completion of a standardized security questionnaire, third-party audit reports (SOC 2, ISO 27001, or equivalent), or reasonable access to Recoup's relevant policies and procedures.

8.3 Cooperation with Regulatory Authorities. Recoup will cooperate with Client to respond to any inquiry, investigation, or enforcement action by a data protection authority relating to the Processing of Client Personal Information.


9. RETURN AND DELETION OF PERSONAL INFORMATION

9.1 Upon Termination. Within 30 days of the termination or expiration of the Agreement (or such longer period not to exceed 90 days as Recoup reasonably requires for operational transitions), Recoup will, at Client's written election:

(a) Return all Client Personal Information to Client in a reasonably portable format; or

(b) Securely delete and destroy all Client Personal Information from Recoup's systems and direct its subprocessors to do the same.

9.2 Certification. Upon completion of deletion, Recoup will provide Client with written certification that deletion has been completed, including from subprocessors.

9.3 Legal Holds. Notwithstanding Section 9.1, Recoup may retain Client Personal Information to the extent required by applicable law, provided such retained data is isolated from further Processing and deleted as soon as the legal obligation expires.


10. DATA TRANSFERS

10.1 Client Personal Information will be processed and stored in the United States. Recoup will not transfer Client Personal Information to any jurisdiction outside the United States without Client's prior written consent, except as required by law.


11. CPRA SERVICE PROVIDER CERTIFICATION

11.1 Recoup hereby certifies, pursuant to the CCPA/CPRA and its implementing regulations, that:

(a) It processes Client Personal Information only for the purposes specified in this DPA and the Agreement and for no other commercial purpose;

(b) It understands and will comply with the restrictions applicable to service providers under the CCPA/CPRA, including the prohibitions on selling, sharing, retaining, using, or disclosing Client Personal Information outside the service relationship;

(c) It will notify Client if it determines it can no longer meet its obligations under the CCPA/CPRA; and

(d) Client has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Information by Recoup.


12. TERM

This DPA is effective as of the Effective Date of the Agreement and remains in effect until the later of: (a) expiration or termination of the Agreement; or (b) completion of Recoup's deletion obligations under Section 9.


13. GENERAL

13.1 Order of Precedence. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to privacy and data protection matters.

13.2 Updates. Recoup may update this DPA to reflect changes in applicable law or its processing practices, provided it provides Client with at least 30 days' advance written notice of any material change.

13.3 Governing Law. This DPA is governed by the same governing law and venue provisions as the Agreement.


*[Signature block to be added prior to execution.]*

*Each party's authorized representative executing this DPA confirms that they have the authority to bind their respective organization to the terms herein.*