Data Processing Agreement

Version: 1.6
Effective Date: February 15, 2026

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Subscription Agreement between PartnerPortal LLC (“Processor”) and the customer entity using the Services (“Controller” or “Customer”).

This DPA is intended to satisfy the requirements of applicable data protection laws, including the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), UK GDPR, and applicable U.S. privacy laws including the California Consumer Privacy Act (“CCPA/CPRA”), where applicable.

1. Scope and Processing Instructions

Processor shall process Personal Data only:

• on documented instructions from Customer;

• as necessary to provide the Services; or

• as required by applicable law
  
  

Customer is responsible for determining the lawful basis and purposes for processing Personal Data.

Customer acknowledges that, where it connects third-party systems or enables integrations within the Services, including customer relationship management, accounting, billing, or payment systems, Processor may process Personal Data transmitted from or through such systems in order to provide the Services in accordance with Customer’s configuration and instructions.

2. Roles of the Parties

• Customer acts as the **Data Controller**.

• Processor acts as the **Data Processor** (or “Service Provider” under CCPA/CPRA where applicable)
  
  

Processor does not sell or share Personal Data for its own commercial purposes.

3. Description of Processing

Processor processes Personal Data solely to provide and support the PartnerPortal.io platform, including:

• hosting partner portals

• authentication and account management

• integrations and workflow processing

• analytics, monitoring, and security

• onboarding, support, and troubleshooting

• receiving, processing, and displaying data from third-party systems connected by Customer

• revenue attribution, commission-related reporting, transaction visibility, reconciliation, and related support functionality where enabled by Customer

Data Subjects

• Customer administrators and users

• partners and affiliates invited by Customer

• employees or representatives of Customer or its partners

• Customer’s prospects, leads, customers, buyers, payers, or other business contacts whose Personal Data is transmitted to Processor through Customer’s use of the Services or connected third-party systems

Categories of Personal Data

• names and contact information

• account and profile data

• portal activity and usage data

• integration-related data

• support communications

• third-party system data transmitted by or on behalf of Customer through connected integrations

  payment or billing-related data, including transaction metadata, customer billing or contact email, transaction amounts, currency, timestamps, refund status, and external identifiers such as customer IDs, charge IDs, refund IDs, invoice IDs, subscription IDs, or connected account identifiers

• internal service linkage data, including company, lead, partner, or transaction associations, to the extent such data relates to identified or identifiable individuals
  
  

Processor does not intentionally process special categories of personal data.

Duration

Processing continues during the subscription term and thereafter only as required for backup retention or legal obligations.

To the extent Customer enables integrations that create persistent reporting, audit, reconciliation, or transaction-history records within the Services, Processor may retain such records for the duration necessary to provide the Services, maintain those functions, comply with legal obligations, and satisfy standard backup retention practices, unless and until deletion is requested by Customer and is available under the applicable Service functionality.

4. Confidentiality and Security

Processor shall:

• ensure persons authorized to process Personal Data are bound by confidentiality obligations;

• implement appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, loss, or disclosure;

• maintain security practices appropriate to the risk and nature of the Services.
  
  

Additional security documentation may be available via:

https://partnerportal.safebase.us

5. Assistance with Data Subject Rights and Compliance

Processor shall assist Customer, taking into account the nature of processing, by:

• helping respond to data subject requests (access, deletion, correction, portability, etc.);

• assisting with data protection impact assessments and regulatory inquiries where reasonably requested;

• providing such assistance in a timely manner so Customer can meet applicable legal deadlines.

6. Personal Data Breach Notification

Processor shall notify Customer without undue delay after becoming aware of a Personal Data Breach and, where reasonably feasible, within seventy-two (72) hours of confirmation.

Such notification shall include available information reasonably necessary for Customer to meet applicable reporting obligations.

7. Subprocessors

Customer authorizes Processor to engage subprocessors necessary to provide the Services.

Current subprocessors include:

• Amazon Web Services (AWS) — infrastructure hosting

• MongoDB Atlas — database hosting

• Stripe — billing and payments

• HubSpot — CRM and communications

• Google (Workspace and Analytics)

• Intercom — support communications

• ChartMogul — analytics

• Okta (Auth0) — identity and access management

• Gitlab - Code source control and CI/CD

• Integration.app — integration framework

• SafeBase — trust center platform
  
  

Processor shall:

• impose data protection obligations on subprocessors equivalent to those in this DPA;

• provide prior notice of material subprocessor changes

• allow Customer a reasonable opportunity to object on legitimate data protection grounds.
  
  

If the parties cannot resolve a good-faith objection, Customer may terminate affected Services consistent with the Subscription Agreement.

8. International Transfers

Where Personal Data is transferred outside the EEA or UK, transfers shall be governed by appropriate safeguards, including:

• EU Standard Contractual Clauses adopted under European Commission Implementing Decision (EU) 2021/914; and

• the UK International Data Transfer Addendum or International Data Transfer Agreement (IDTA), where applicable.

These safeguards are incorporated by reference where required by law.

9. Audit Rights

Processor shall make available reasonable information necessary to demonstrate compliance with this DPA.

If such information is insufficient for Customer’s legal obligations, Processor will allow reasonable audits or inspections by Customer or an independent auditor, subject to:

• reasonable advance notice;

• confidentiality obligations;

• limitation to once annually unless required by law or following a security incident;

• minimization of operational disruption.

10. Return or Deletion of Data

Upon termination of Services, Processor shall delete or return Personal Data at Customer’s request, unless retention is required by law or standard backup retention practices.

Customer acknowledges that certain data stored within the Services, including integration-derived records, reporting history, transaction history, audit logs, and backup copies, may be subject to technical, legal, operational, or records-retention limitations on immediate deletion. Where applicable, Processor may also provide Customer with product functionality to delete or reset certain categories of stored data during the subscription term.

11. Liability

The liability of each party arising under or in connection with this DPA shall be subject to, and included within, the limitations and exclusions of liability set forth in the Subscription Agreement, unless otherwise required by applicable law.

Nothing in this DPA expands either party’s liability beyond the limits established in the Subscription Agreement.

12. Term

This DPA remains effective for the duration of the Subscription Agreement.