User Agreement

Data Processing Addendum (DPA) — Mubdie Ltd (UK‑GDPR)

Effective date: November 19, 2025
This Data Processing Addendum (“DPA”) supplements and is incorporated into the Mubdie Ltd Terms of Service (the “Agreement”). It applies where Mubdie Ltd (the “Processor”) processes personal data on behalf of a Customer (the “Controller”) in connection with Services under the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA governs with respect to the subject matter herein.

  1. Definitions
  • “Applicable Data Protection Law” means UK‑GDPR, the Data Protection Act 2018, and any other applicable privacy law.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed by Processor on behalf of Controller in connection with the Services.
  • “Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” have the meanings given in Applicable Data Protection Law.
  • “Sub‑processor” means any Processor engaged by Mubdie to process Personal Data under this DPA.
  2. Roles and scope
  • Controller is the entity ordering Services and determining the purposes and means of Processing Customer Personal Data.
  • Processor processes Personal Data solely on documented instructions from Controller as necessary to perform the Services and Order. This DPA describes the data categories, processing activities, security obligations, rights and liabilities between the parties.
  3. Subject‑matter, duration, nature and purpose of processing
  • Subject‑matter: Personal Data included in Customer Content and metadata processed in delivering the Services.
  • Duration: the Term of the Agreement plus any additional retention periods required by this DPA or Applicable Data Protection Law.
  • Nature/purpose: hosting, storage, transmission, back‑up, maintenance, support, monitoring, and other Services specified in the Order.
  • Types of data subjects: Controller’s customers, end users, employees, contractors, suppliers and other persons whose data Controller uploads to or stores using the Services.
  • Categories of Personal Data: identifiers (name, email, phone), account/billing data, content (text, images, files) and any other Personal Data contained in Customer Content.
  4. Processor obligations and instructions
    4.1 Processor shall process Personal Data only on documented instructions from Controller, including as set out in the Agreement and Order, unless required to do otherwise by Applicable Data Protection Law (in which case Processor will, to the extent permitted, notify Controller of the legal requirement).
    4.2 Processor will implement and maintain organizational and technical measures to protect Personal Data as set out in Section 6 (Security). Processor will ensure personnel authorized to process Personal Data are subject to confidentiality obligations.
    4.3 Processor will not use Personal Data for its own purposes, including data monetisation, profiling unrelated to Service delivery, marketing or analytics not agreed in writing.

  5. Sub‑processors
    5.1 Controller authorises Processor to engage Sub‑processors to perform specific processing activities. A list of current Sub‑processors is available at mubdie.net/legal/subprocessors and will be updated.
    5.2 Processor will enter written contracts with Sub‑processors imposing data protection obligations no less protective than this DPA. Processor remains liable for Sub‑processor acts or omissions.
    5.3 Controller may object to a new Sub‑processor within 14 days of notice by providing reasonable grounds. If parties cannot resolve the objection, Controller may suspend or terminate the affected Services for that jurisdiction by written notice.

  6. Security measures
    6.1 Processor implements, maintains and periodically reviews appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

  • access control and authentication (MFA for admin access);
  • encryption of data in transit (TLS) and at rest (AES‑256 or equivalent where used);
  • network and host hardening, vulnerability management and patching;
  • logging, monitoring and alerting;
  • data segregation and least privilege;
  • secure change control and configuration management;
  • regular backups, backup integrity checks and documented restore procedures;
  • incident detection and response capabilities; and
  • personnel security and role‑based access controls.
    6.2 The measures above are not exhaustive; Processor will maintain security aligned with industry standards (e.g., ISO 27001 controls, SOC 2 principles) appropriate to the Services.
  7. Personal Data Breach notification and cooperation
    7.1 Processor will notify Controller without undue delay and, where feasible, within seventy‑two (72) hours after becoming aware of a Personal Data Breach affecting Controller Personal Data, providing: description of the breach, categories and approximate number of Data Subjects and records, likely consequences, measures taken and contact details for further communication. Notification time may be extended where required to collect information; Processor will provide updates as information becomes available.
    7.2 Processor will reasonably cooperate with Controller to investigate, mitigate and remediate the breach, including providing Controller with reasonably requested information and assistance for any regulatory notifications or communications with Data Subjects.

  8. Data subject rights
    8.1 Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil Controller’s obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) under Applicable Data Protection Law.
    8.2 If Processor receives a Data Subject request related to Controller Personal Data, Processor will promptly redirect the request to Controller unless otherwise legally required to respond. Processor will not respond to such request except on Controller’s documented instructions or as required by law.

  9. International transfers
    9.1 Where Processing involves transfers of Personal Data outside the United Kingdom/EEA, Processor will implement appropriate safeguards such as UK‑approved Standard Contractual Clauses (SCCs), adequacy mechanisms, Binding Corporate Rules, or other lawful measures. Controller and Processor will cooperate to execute appropriate transfer instruments.
    9.2 Where Processor relies on SCCs or other transfer tools, the parties will perform required actions and provide necessary assistance to implement those safeguards.

  10. Audit, records and compliance
    10.1 Processor will maintain records of processing activities performed on behalf of Controller as required by Applicable Data Protection Law and will provide Controller with reasonable information showing compliance with this DPA.
    10.2 Controller may, on reasonable notice and subject to confidentiality obligations, audit Processor’s compliance with this DPA by: (a) reviewing Processor’s compliance documentation and certifications (e.g., SOC 2 / ISO 27001), and (b) where necessary, conducting an on‑site audit, or using an independent auditor appointed by Controller, once per 12‑month period, provided Controller bears the auditor’s fees and the audit does not unreasonably disrupt Processor’s business. Processor may require an NDA before providing information.

  11. Data retention, return and deletion
    11.1 Processor will retain Personal Data only as necessary to provide the Services and as set out in the Agreement and Order, and will delete or return Personal Data upon termination or expiration of the Services in accordance with the Data Retention Policy and Controller’s reasonable instructions.
    11.2 If Controller requests return of Personal Data, Processor will securely return the data in a commonly used machine‑readable format within a commercially reasonable period (generally 30 days) and thereafter securely delete residual copies unless retention is required by Applicable Law (in which case Processor will isolate the data and protect it from further processing).
    11.3 Processor will securely delete or irreversibly anonymise backups containing Personal Data in accordance with its backup retention schedules and following Controller’s instructions or as required by Applicable Law.

  12. Confidentiality
    Processor treats Personal Data as Confidential Information and will not disclose it except as necessary to perform Services, to Sub‑processors bound by equivalent obligations, or as required by law (where Processor will notify Controller unless legally prohibited).

  13. Liability and remedies
    13.1 Each party’s liability for breach of this DPA is subject to the Agreement’s liability framework, except that: (a) Processor’s liability for breaches of its obligations under this DPA or Applicable Data Protection Law shall not be limited with respect to damages arising from Processor’s wilful misconduct or gross negligence; and (b) Processor remains liable for acts or omissions of its Sub‑processors.
    13.2 Nothing in this DPA relieves either party of obligations and liabilities under Applicable Data Protection Law.

  14. Changes and updates to this DPA
    Processor may update this DPA to reflect changes in law or regulatory guidance. Material changes will be notified at least thirty (30) days before effect; non‑material updates may be posted with notice. Continued use of Services after the effective date constitutes acceptance.

  15. Term and survival
    This DPA remains in effect for the duration of the Agreement. Provisions which by their nature should survive termination (including confidentiality, deletion, audit, liability and data subject cooperation) survive termination.

  16. Contact and data protection officer
    Controller contact: as specified in the Order.
    Processor DPO / privacy contact: legal@mubdie.net or dpo@mubdie.net.

  17. Controller instructions
    Controller confirms that the Agreement and this DPA constitute Controller’s complete written instructions to Processor for the processing of Personal Data unless otherwise agreed in writing. Controller may issue reasonable additional documented instructions; if such instructions would cause Processor to be in breach of Applicable Law, Processor will notify Controller and, where possible, provide lawful alternatives.

  18. Signature block (electronic acceptance)
    By continuing to use the Services under the Agreement, Controller and Processor accept and agree to be bound by this DPA.

Annex A — Processing details (minimum required information)

  • Subject matter: Operation, hosting and support of Controllers’ websites, applications and Customer Content.
  • Duration: for the Term of the Agreement and as required for retention obligations.
  • Nature and purpose: hosting, storage, transmission, backup, technical support, monitoring and maintenance, customer service, billing and fraud prevention, and other services specified in the Order.
  • Categories of Data Subjects: end users, employees, customers, vendors and other individuals whose data Controller uploads.
  • Categories of Personal Data: contact and identity data (name, email, phone), account identifiers, billing and payment data, transactional data, IP addresses, metadata, user‑generated content that may contain personal data.
  • Standard processing operations: collection (by Controller), storage, retrieval, hosting, transmission, display, modification (for maintenance/formatting), backup and deletion.

Annex B — Sub‑processor list (current)

  • Infrastructure and cloud providers, CDN providers, email delivery providers, payment processors and selected managed service vendors. Current list and locations: mubdie.net/legal/subprocessors (this list is updated from time to time and notice will be given).

— End of DPA —

MUBDIE LTD.

Mubdie Ltd is a UK-registered technology and innovation company (No. 16516230) focused on empowering enterprises and creative professionals through reliable, compliant, and scalable digital infrastructure