Data Processing Addendum.

This Data Processing Addendum (the "DPA") supplements and forms an integral part of the Terms of Use and Sale (the "Terms") entered into between KOMMIA SAS, a simplified joint-stock company with share capital of €40,000, registered with the Nanterre Trade and Companies Register under number 941 719 742, with registered office at [address to be completed] ("KommIA"), and the professional Customer (the "Customer").

It defines how KommIA processes personal data on behalf of the Customer, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). In the event of conflict regarding data protection, this DPA prevails over the Terms. The liability of the parties under this DPA is governed by the liability provisions of the Terms.

The terms "personal data", "processing", "controller", "processor", "data subject", "personal data breach" and "supervisory authority" have the meaning given to them by the GDPR. Capitalised terms not defined here have the meaning given in the Terms.

In connection with the Service, and with respect to the personal data the Customer collects via supported platforms (in particular Instagram) as well as data of the Customer's own contacts/followers:

• the Customer acts as controller: it determines the purposes and means, and warrants that it has a legal basis and the required consents;
• KommIA acts as processor: it processes such data solely on the Customer's documented instructions, for the sole purpose of providing the Service.

For data KommIA processes for its own purposes (customer relationship management, billing, security), KommIA acts as controller; those activities are described in the Privacy Policy.

The key features of the processing carried out by KommIA on behalf of the Customer are described in Annex A and summarised below:

• Nature: hosting, storage, AI content generation, scheduling and publishing of content, management of messages and comments, analytics.
• Purpose: provision of the Service features subscribed to by the Customer.
• Duration: for the term of the Agreement, then deletion/return per section 11.
• Categories of data: identification and account data, provided content (text, images), connected social account identifiers and statistics, data of the Customer's contacts/followers (DMs, comments).
• Data subjects: the Customer and its authorised users, and the Customer's audience/contacts on the connected platforms.

KommIA does not intentionally process any special categories of data (sensitive data) and asks the Customer not to submit any via the Service.

In accordance with Article 28(3) GDPR, KommIA undertakes to:

• process the data only on the Customer's documented instructions (the Terms and use of the Service constituting such instructions), unless legally required otherwise;
• ensure confidentiality: authorised personnel are bound by a confidentiality obligation;
• implement appropriate security measures (Art. 32 — see section 7 and Annex B);
• comply with the conditions for engaging sub-processors (section 6);
• assist the Customer in responding to data subject requests and in its security, breach-notification and impact-assessment obligations (section 9);
• at the Customer's choice, delete or return the data at the end of the services (section 11);
• make available to the Customer the information necessary to demonstrate compliance (section 12).

The Customer authorises KommIA to engage sub-processors to perform the Service (hosting, payment, AI infrastructure, emailing, automation). The up-to-date list of sub-processors is maintained in the Privacy Policy.

KommIA imposes on each sub-processor, by contract, data-protection obligations equivalent to those in this DPA. KommIA informs the Customer of any addition or replacement of a sub-processor at least thirty (30) days in advance, and the Customer may object on legitimate and reasonable grounds.

KommIA remains fully liable to the Customer for the performance by the sub-processor of its data-protection obligations (Art. 28(4) GDPR).

KommIA implements appropriate technical and organisational measures commensurate with the risk (Art. 32 GDPR), detailed in Annex B, including: hosting within the European Union, encryption of data in transit (TLS), access segregation, delegated authentication (official Meta OAuth — KommIA stores no Instagram password), outsourcing of payment to a PCI-DSS certified provider (no banking data stored by KommIA), logging and backups.

In the event of a personal data breach affecting data processed on behalf of the Customer, KommIA notifies the Customer without undue delay and at the latest within forty-eight (48) hours after becoming aware of it, and provides the information needed to enable the Customer, where applicable, to notify the supervisory authority within 72 hours and to inform data subjects (Art. 33-34 GDPR).

To the extent possible, KommIA assists the Customer, through appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection — Art. 12 to 23 GDPR). If a request is sent directly to KommIA, it forwards it to the Customer promptly.

KommIA also assists the Customer with security, breach notification and, where applicable, data protection impact assessments (DPIAs) and prior consultation with the authority (Art. 35-36).

Data is hosted within the European Union. Where a sub-processor involves a transfer of data outside the EU/EEA, KommIA ensures it is covered by a mechanism compliant with Chapter V GDPR (adequacy decision or the European Commission's Standard Contractual Clauses (June 2021 version), together with any necessary supplementary measures).

This DPA applies for the entire duration of the processing of data on behalf of the Customer. At the end of the services, and at the Customer's choice expressed within thirty (30) days, KommIA will return and then delete the data, or directly delete it, together with existing copies, unless legally required to retain it. Retention details are set out in the Privacy Policy.

KommIA makes available to the Customer the information necessary to demonstrate compliance and to allow for audits, including inspections, by the Customer or a mandated auditor bound by confidentiality. Audits are conducted on reasonable notice, during business hours, without disrupting KommIA's operations, and limited to one (1) audit per year except in the event of a proven security incident or a request from a supervisory authority.

Annex A — Description of the processing. Subject matter, nature, purpose, duration, categories of data and data subjects: see section 4 above.

Annex B — Security measures. EU hosting; encryption in transit (TLS); official Meta OAuth authentication (no Instagram password stored); outsourced payment to a PCI-DSS provider (no banking data stored); access and authorisation management; logging; backups; data minimisation and, where possible, anonymisation/pseudonymisation of data sent to AI providers.

Annex C — Sub-processors. The up-to-date list (host, payment provider, AI providers, emailing, automation) is published and maintained in the Privacy Policy.

For any question regarding data protection or to make a specific request (for example signing a negotiated DPA), you may contact KommIA at: contact@kommia.com.