CHARACTERQUILT DATA PROCESSING AGREEMENT

Data Processing Agreement

Innabox, Inc. DBA CharacterQuilt

Last Updated: March 26, 2024

Data Processing Agreement

Key Terms

The key legal terms of the DPA are as follows:

Agreement

This DPA is the standard DPA used by Innabox, Inc.

Approved Subprocessors

List of Subprocessors available at characterquilt.com/subprocessors

Provider Security Contact

bhairav@innabox.ai, bhairav@characterquilt.ai

5 Walnut Court, Matawan, NJ 07747

Security Policy

As defined in the Agreement.

Service Provider Relationship

To the extent California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq (“CCPA”) applies, the parties acknowledge and agree that Provider is a service provider and is receiving Personal Data from Customer to provide the Service as agreed in the Agreement, which constitutes a business purpose. Provider will not sell any Personal Data provided by Customer under the Agreement. In addition, Provider will not retain, use, or disclose any Personal Data provided by Customer under the Agreement except as necessary for providing the Service for Customer, as stated in the Agreement, or as permitted by Applicable Data Protection Laws. Provider certifies that it understands the restrictions of this paragraph.

Restricted Transfers

Annex I(A) List of Parties

Data Importer

Name: Provider

Address: 5 Walnut Court, Matawan NJ 07747

Contact Person:

Name: Bhairav Mehta

Position: CEO

Address: 5 Walnut Court, Matawan NJ 07747

Activities relevant to transfer: See Annex 1(B)

Role: Processor

Annex I(B) Description of Transfer and Processing Activities

Service

CharacterQuilt Marketing Platform

Categories of Data Subjects

[x] Customer’s end users or customers

[x] Customer’s employees

Categories of Personal Data

[  x  ] Name

[  x  ] Contact information such as email, phone number, or address

[  x  ] User activity and analysis such as device information or IP address

Special Category Data

Is special category data Processed?

(   ) Yes (x) No

Frequency of Transfer

[ x ] Continuous

Nature and Purpose of Processing

Provider will Process Customer Personal Data as instructed in Section 3.2 of the DPA Standard Terms. The nature of processing includes:

[  x  ] Receiving data, including collection, accessing, retrieval, recording, and data entry

[  x  ] Holding data, including storage, organization, and structuring

[  x  ] Using data, including analysis, consultation, testing, automated decision making, and profiling

[  x  ] Updating data, including correcting, adaptation, alteration, alignment, and combination

[  x  ] Protecting data, including restricting, encrypting, and security testing

[  x  ] Sharing data, including disclosure, dissemination, allowing access, or otherwise making available

[  x  ] Returning data to the data exporter or data subject

[  x  ] Erasing data, including destruction and deletion

Duration of Processing

Provider will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of the Standard Terms; or (ii) by Applicable Laws.

Annex I(C)

Competent Supervisory Authority

The supervisory authority will be the supervisory authority of the data exporter, as determined in accordance with Clause 13 of the EEA SCCs or the relevant provision of the UK Addendum.

Annex II

Technical and Organizational Security Measures

[ x ] See Security Policy

Provider and Customer have not changed the DPA Standard Terms except for the details on the Cover Page above.

‍