DATA PROCESSING AGREEMENT

(Auftragsverarbeitungsvertrag — Annex I to the General Terms & Conditions)

www.hookd.group

Document Set v1.2 · Effective: 2026-05-18

Supersedes: v1.1 (2026-05-18) and v1.0 (2026-05-15)

This document is part of the Hookd Group v1.2 legal pack, comprising: General Terms & Conditions, Privacy Policy, Cookie Policy, Refund Policy, Data Processing Agreement (DPA, Annex I to the Terms), and Subprocessor List. All documents in this set share the same effective date and must be read together. In the event of conflict between documents, the order of precedence is: (i) any individually-signed Order; (ii) the General Terms & Conditions; (iii) the Data Processing Agreement (for matters of personal-data protection, the DPA prevails over the Terms); (iv) the Refund Policy; (v) the Subprocessor List; (vi) the Privacy Policy; (vii) the Cookie Policy.

Hookd Group is the operating brand of OmnisMundi GmbH, a private limited company organised under the laws of the Federal Republic of Germany, with registered office at Kirchhainer Strasse 62, 60433 Frankfurt am Main, Germany, registered with the commercial register of the local court of Frankfurt am Main (Managing Director: Gerald Heydenreich). All references in this document to "Hookd Group", "the Company", "we", "us" or "our" mean OmnisMundi GmbH acting under the brand "Hookd Group". General contact: info@hookd.group. Data-protection enquiries: privacy@hookd.group. Web: https://www.hookd.group.

This Data Processing Agreement (hereinafter referred to as the "DPA") is entered into in compliance with the legal provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), or any other data protection regulations that may modify, develop, repeal or consolidate them (all of them "Personal Data Regulation").

This DPA forms part of the Agreement between Hookd Group, as the "Processor", and the Client, as the "Controller".

In this DPA, capitalised words not expressly defined herein shall have the same meaning as indicated in the General Terms & Conditions.

1. Object

1.1 The purpose of this DPA is to allow the Processor to process on behalf of the Controller the personal data necessary for the performance of the Services, as well as to define the conditions under which the Processor will process the personal data to which it has access during the provision of its Services and to establish the obligations and responsibilities arising from the processing of data carried out by Hookd Group.

2. Description of the Processing, Type of Personal Data and Categories of Data Subjects

2.1 The nature of the processing that the Processor performs on behalf of the Controller is as follows:

Collection, recording, access, consultation, use, storage, retention, transmission, generation (AI-based) for the purpose of producing outbound content, scoring, enrichment, erasure, destruction, and any other activities required for the performance of the Services.

2.2 The types of personal data that the Processor will process under this DPA and the General Terms & Conditions are as follows:

  • Identification data (name, business email, business phone, company name, role)
  • Professional and profile data (LinkedIn URL, GitHub URL where applicable, public posts and engagement signals, role-relevant context)
  • Communications metadata (open / click events of outbound messages)
  • Inferred data (lead score, both-signal classification, content-engagement category)

2.3 The categories of data subjects involved in the processing are as follows:

  • Authorised users of the Controller (e.g. employees, contractors granted seats in the Subscription)
  • Business prospects whose contact and profile data is uploaded to or generated within the Service
  • Recipients of communications sent via the Service

2.4 The Service is not designed for, and the Controller is not authorised to upload, special categories of personal data within the meaning of Article 9 GDPR (e.g. data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, sexual orientation). The Controller represents that it will not knowingly upload such data to the Service.

3. Data Disclosure

3.1 The Processor shall not disclose or communicate any personal data of the Controller unless for the performance of the Services or directed by the Controller and/or required by applicable law, court, or competent authority.

3.2 The processing carried out by the Processor for the performance of the Services may involve international transfers to third countries. Where personal data is transferred outside the European Economic Area to a country that does not benefit from a European Commission adequacy decision, the Parties will rely on the Standard Contractual Clauses ("SCCs") adopted by Commission Implementing Decision (EU) 2021/914, Module Two or Module Three as applicable, which are incorporated into this DPA by reference. The Processor will, taking into account the nature of the processing and the circumstances of the transfer, evaluate whether the legal regime of the third country provides essentially equivalent protection within the meaning of the Schrems II jurisprudence and implement supplementary measures as appropriate.

4. Confidentiality

4.1 Personal data shall only be available to those authorised persons who need access in order to perform their functions regarding the Services. The Processor shall inform those persons entitled to process personal data of the obligations contained in this DPA and require their compliance with them, and shall inform them of the confidential nature of the information and of their liability in the event of any breach. The Processor guarantees that those persons are expressly committed to confidentiality.

5. Obligations of the Processor

5.1 The Processor shall:

  • Process personal data on behalf of the Controller only on the basis of documented instructions from the Controller, including with regard to transfers to a third country or an international organisation, unless required to do so by Union or Member State law. In such case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest. The Controller's instructions are constituted by (i) this DPA, (ii) the Service's configuration and feature usage by the Controller's authorised users, and (iii) any further instructions issued by the Controller in writing.
  • Keep all records required by applicable Personal Data Regulation regarding the processing of personal data and shall make such records available to the Controller upon request.
  • Assist the Controller in complying with the obligation to respond to requests from data subjects in the exercise of their rights of access, rectification, erasure, objection, portability, and restriction (Articles 15-22 GDPR). In the event that the Processor receives a request from a data subject in the exercise of data protection rights, the Processor shall forward it to the Controller without undue delay.
  • Notify the Controller without undue delay, and in any event within 48 hours, of any personal data security breaches of which it becomes aware, together with all relevant information for the documentation and communication of the incident in accordance with Personal Data Regulation.
  • Immediately inform the Controller if, in its opinion, an instruction violates the Personal Data Regulation.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, and shall permit and contribute to audits, including inspections, by the Controller or an auditor commissioned by the same, in connection with the processing carried out by the Processor. The audits shall be carried out upon at least 30 days' prior notification during normal working hours and without interruption of the Processor's business, and may, in lieu of an audit, be satisfied by a current third-party audit report (e.g. ISO 27001 certification, SOC 2 Type II report) where available. The cost of the audit is borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.
  • Support the Controller, in a reasonable manner, in carrying out data protection impact assessments (Article 35 GDPR), as well as, where appropriate, in prior consultations with competent authorities (Article 36 GDPR).
  • Upon termination of the Services, at the choice of the Controller, delete or return all personal data that is the object of the processing, including any copies, media or documents related to such personal data, and not use such data for its own purposes. Notwithstanding the foregoing, the Processor may retain the personal data duly blocked during the period in which responsibilities may arise from its relationship with the Controller, in accordance with the Personal Data Regulation. The data-retention provisions in Clause 15.1 of the General Terms & Conditions supplement this paragraph in respect of the 30-day post-termination export window.

6. Representations and Obligations of the Controller

6.1 The Controller ensures compliance with the obligations that correspond to its role as Controller according to the Personal Data Regulation. In particular, the Controller ensures the lawful origin of the personal data that is the object of the processing carried out by the Processor on behalf of the Controller, in compliance with the Personal Data Regulation.

6.2 The Controller represents and warrants that it has, where required by law, informed the data subjects whose personal data is processed via the Service, and that any required consents have been obtained.

6.3 The Controller is responsible for the correctness, accuracy and lawful collection of the personal data it processes through the Service.

6.4 The Controller is responsible for safeguarding the credentials of its authorised users and for the configuration choices it makes within the Service.

7. Security Measures

7.1 The Processor must assess the possible inherent risks of the processing at the beginning of the provision of the Services and shall apply the corresponding measures to mitigate them in order to guarantee security and compliance with applicable data protection regulations. These measures must guarantee an adequate level of security, including confidentiality, considering the state of the art and the costs of implementation regarding the risks and the nature of the personal data to be protected. To this end, the Processor shall carry out a continuous analysis of the risks inherent in the processing of personal data that it carries out and apply those technical and organisational measures that are necessary to mitigate them. The current set of technical and organisational measures is summarised in Annex A to this DPA.

8. Subcontracting (Subprocessors)

8.1 The Controller grants the Processor general authorisation to engage subprocessors for the purposes of providing the Service, subject to this Section 8.

8.2 A current list of authorised subprocessors is maintained by the Processor at all times in the Hookd Group Subprocessor List, which is made available to the Controller within the Service or upon written request to privacy@hookd.group.

8.3 Where the Processor engages a subprocessor, it will impose on that subprocessor, by way of contract, data-protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

8.4 The Processor will inform the Controller of any intended additions or replacements to the Subprocessor List, giving the Controller the opportunity to object to such changes within 14 days. The Controller may object only on reasonable data-protection grounds. If the Controller objects on such grounds, the Parties will in good faith seek a commercially reasonable resolution; if no resolution is found, the Controller may terminate the Subscription with effect at the date the subprocessor change would have taken effect, in derogation of Clause 15 of the General Terms & Conditions.

8.5 Where a subprocessor fails to fulfil its data-protection obligations, the Processor remains fully liable to the Controller for the performance of that subprocessor's obligations.

9. Duration

9.1 This DPA is valid as long as the Processor is processing personal data on behalf of the Controller under the Agreement and this DPA. The Processor's obligation of confidentiality in respect of personal data continues to apply even after the termination of this DPA.

10. Miscellaneous

10.1 No Party may assign, subcontract or otherwise transfer this DPA without the prior written consent of the other Party.

10.2 If there is any conflict between any provision of this DPA and any provision of the Agreement, in connection with personal data protection, the provisions of this DPA shall prevail.

10.3 Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect.

10.4 This DPA is governed by the substantive laws of the Federal Republic of Germany, without prejudice to the GDPR and any other directly applicable Union law. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Frankfurt am Main, Germany, where the Controller is a merchant.

Annex A — Technical and Organisational Measures (TOMs)

The Processor implements the following technical and organisational measures pursuant to Article 32 GDPR. The list is non-exhaustive and is updated from time to time to reflect the state of the art.

A.1 Confidentiality

  • Physical access control: cloud-hosting providers maintain certified physical security (ISO 27001 or equivalent)
  • System access control: multi-factor authentication for all administrative access; password complexity policies; periodic credential rotation
  • Data access control: role-based access controls (RBAC); least-privilege principles; audit logging of administrative access
  • Separation control: logical separation of Controller data via tenant-isolation in the application layer
  • Encryption: TLS 1.2 or higher for data in transit; encryption at rest for stored Client Content

A.2 Integrity

  • Data transmission control: TLS encryption end-to-end between Controller and Service
  • Data entry control: audit logging of significant create/update/delete operations within the Service
  • Integrity of AI-action audit logs: append-only logging, with retention as specified in the Privacy Policy

A.3 Availability and Resilience

  • Availability control: regular automated backups; multi-region resilience where available from the infrastructure provider
  • Recoverability: documented recovery procedures; periodic test of recovery from backups
  • Incident response: defined incident-response procedure with internal escalation; 48-hour breach notification to Controllers

A.4 Procedures for Regular Testing, Assessing and Evaluating

  • Regular security review of the technical stack
  • Periodic vulnerability scanning of the production environment
  • Privacy-by-design review of new features prior to release

A.5 Pseudonymisation, Anonymisation

  • Where feasible, the Service uses pseudonymisation for internal analytics and aggregated reporting
  • Anonymised aggregated metrics may be used for product-improvement purposes without re-identification of individual data subjects

A.6 Order Control (in respect of subprocessors)

  • Selection of subprocessors based on documented suitability and contractual data-protection guarantees
  • Periodic monitoring of subprocessor compliance through certifications and contractual reporting
  • Maintenance of an up-to-date Subprocessor List

— End of Data Processing Agreement —