Data Processing Agreement
Last updated on October 30, 2025
This Data Processing Agreement (this “DPA”) is incorporated into the agreement between Profound and Customer referencing this Data Processing Agreement (the “Agreement”). Capitalized terms used but not defined in this DPA (or in another document referenced by this DPA) will be understood to have the meanings given to them in the Agreement.
1. Data Processing, Subject Matter, and Roles.
1.1 Data Processing.
In the course of providing the Services to Customer pursuant to the Agreement, Profound may Process Customer Data that constitutes “personal data,” “personal information,” “personally identifiable information,” or an analogous term under applicable law (“Customer Personal Data”). The Parties agree to comply with this DPA and all privacy and data protection laws applicable to the Processing of Customer Personal Data under the Agreement, including, as applicable, those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act or “CCPA”) (collectively, “Data Protection Laws”).
1.2 Subject Matter.
The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of “Data Subjects” (as such term is defined under applicable Data Protection Laws) are set out in Annex I, which is an integral part of this DPA.
1.3 Roles.
Customer is a “Controller” or “Business” (as such terms are defined under applicable Data Protection Law) and appoints Profound as a “Processor” or “Service Provider” (as such terms are defined under applicable Data Protection Law) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers and Businesses. If Customer is a Processor on behalf of a Controller for which Customer is a Processor (“Third-Party Controller”), then Customer (i) is the single point of contact for Profound, (ii) must obtain all necessary authorizations from such Third-Party Controller, and (iii) undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
2. Processing Instructions.
Profound shall Process Customer Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the DPA, Agreement, and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3. Personnel.
Profound will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
4. CCPA Limitations on Processing.
Except as permitted by applicable Data Protection Law, the Addendum, or this DPA, Profound is prohibited from: (a) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer’s documented instructions; (b) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties; (c) combining Customer Personal Data with Customer Personal Data obtained from, or on behalf of, sources other than Customer; and (d) “Selling” or “Sharing” (as such terms are defined under applicable Data Protection Laws) Customer Personal Data.
5. Security and Security Incident.
5.1 Security.
Profound will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks presented by the Processing of Customer Personal Data in accordance with (a) the measures set forth in Annex II and (b) SOC 2, ISO 27001, NIST 800-53 or a substantially equivalent standard during the Term.
5.2 Security Incident Notification.
Profound will notify Customer without undue delay and within 72 hours after becoming aware of any actual or reasonably suspected unauthorized access to, or other Processing of, Customer Personal Data (“Security Incident”). If Profound’s notification of a Security Incident is delayed, it will be accompanied by reasons for the delay.
5.3 Security Incident Response.
Profound will take reasonable measures in response to a Security Incident, including (i) taking measures designed to mitigate any Security Incident and prevent the recurrence of the Security Incident, (ii) providing Customer with reasonable information relating to the Security Incident known to Profound, and (iii) providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws.
5.4 Vulnerability Testing.
Profound will perform vulnerability scanning of Profound’s software-as-a-service platform used to provide the Services.
5.5 Encryption.
Profound will encrypt Customer Personal Data in accordance with industry accepted standards, strong encryption techniques, and current security protocols.
6. Subprocessing.
6.1 Subprocessors.
Customer hereby authorizes Profound to engage any Processor that processes Customer Personal Data on behalf of Profound (“Subprocessor”). Profound’s current Subprocessors are listed in Annex III.
6.2 Subprocessor Agreements.
Profound will enter into a written agreement with all Subprocessors which imposes substantially similar obligations on the Subprocessors as the obligations imposed on Profound under this DPA.
6.3 Subprocessor Changes.
Profound will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds that the appointment of such Subprocessor will result in a material violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Profound’s notification of the intended change. Customer and Profound will work together in good faith to address Customer’s objection. If Profound chooses to retain such new Subprocessor, Profound will inform Customer at least thirty (30) days before authorizing such Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services that use such Subprocessor, as applicable, and may terminate the relevant parts of the Services that use such Subprocessor within thirty (30) days.
7. Assistance.
7.1 Assistance.
Taking into account the nature of the Processing, and the information available to Profound, Profound will provide reasonable assistance, including in connection with implementing appropriate technical and organizational measures, to Customer designed to comply with Data Subject or “Consumer” (as such term is defined under applicable Data Protection Laws) requests, reply to inquiries, complaints, and investigations, and conduct data protection impact assessments, data protection assessments, and prior consultations with regulators.
8. Audit.
Upon Customer’s reasonable written request, Profound will permit Customer, at Customer’s expense, to audit Profound’s applicable controls and compliance with this DPA (an “Audit”), provided that (a) such Audit is conducted by Customer or a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Profound, (b) Customer and Profound mutually agree on reasonable details of the Audit, including the start date, scope and duration of, and security and confidentiality controls applicable to, such Audit, and (c) a similar Audit has not already been conducted less than twelve (12) months prior, unless it is required by a supervisory authority or other regulatory authority responsible for the enforcement of Data Protection Law. Customer will pay all costs and expenses incurred by Profound in connection with any such Audit. Customer may use the results of an Audit only for the purposes of meeting Customer’s regulatory audit requirements and confirming compliance with the requirements of the DPA.
9. International Data Transfers.
9.1 European Data Transfers.
Profound will obtain Customer’s specific prior written authorization for any transfer of Customer Personal Data subject to European Data Protection Law that is not subject to an adequacy decision by the European Commission (“International Data Transfer”). Customer hereby authorizes Profound to conduct International Data Transfers outside the EEA or Switzerland:
- to any country subject to a valid adequacy decision of the European Commission;
- on the basis of an organization’s binding corporate rules approved by EEA Supervisory Authorities; and
- to any data importer with whom Profound has entered into standard contractual clauses (“SCCs”).
9.2 European Transfer Mechanisms.
Customer and Profound conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Profound; the optional docking clause in Clause 7 is implemented; Option 1 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I and II to the SCCs are Annex I, II and III to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3 UK Data Transfers.
Customer hereby authorizes Profound to perform International Data Transfers outside the UK subject to the requirements:
- to any country subject to a valid adequacy decision issued by the UK Government;
- on the basis of an organization’s binding corporate rules approved by the UK Information Commissioner; and
- to any data importer with whom Profound has entered into the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.
9.4 UK Transfer Mechanism.
Customer and Profound conclude the UK Addendum which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Profound, their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B), II, and III to the “Approved EU SCCs” are Annex I, II, and III to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
10. Return and Deletion.
Following the date of expiration or earlier termination of this Addendum, Profound will promptly return or delete all Customer Personal Data; provided, however, that Profound may retain copies of Customer Personal Data as expressly agreed by the parties or as required by applicable law or contained in standard backups that will remain subject to the protections of this Addendum.
ANNEX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
- Name: Customer (as defined above)
- Activities relevant to the data transferred under these Clauses: Customer receives Profound’s services as described in the Agreement and Customer provides Personal Data to Profound in that context.
- Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
- Name: Profound (as defined above)
- Activities relevant to the data transferred under these Clauses: Profound provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER
- Categories of Data Subjects whose Customer Personal Data is transferred:
  - Customer’s customers
  - Customer’s personnel, staff and contractors
- Categories of Customer Personal Data transferred:
  - Name
  - Contact details
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
  - N/A
- The frequency of the International Data Transfer (e.g. whether the Customer Personal Data is transferred on a one-off or continuous basis):
  - On a continuous basis.
- Nature of the processing:
  - The Customer Personal Data will be processed and transferred as described in the Agreement.
- Purpose(s) of the International Data Transfer and further Processing:
  - The Customer Personal Data will be transferred and further processed for the provision of the services as described in the Agreement.
- The period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
  - Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
- For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing:
  - For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Profound will implement security safeguards designed to protect Customer Personal Data from unauthorized access, acquisition, or disclosure, destruction, alteration, accidental loss, misuse, or damage in accordance with SOC 2, ISO 27001, NIST 800-53 or a substantially equivalent standard.
ANNEX III
LIST OF SUBPROCESSORS
Customer authorizes Profound to engage the following Subprocessors: