Effective Date: April 7, 2026

D-Tools Data Processing Addendum

This Data Processing Addendum (“DPA”), forms part of the D-Tools Terms of Service (available at: https://www.d-tools.com/d-tools-software-terms-of-services) and/or the applicable agreement executed (as applicable, the “Agreement”) between D-Tools, Inc. (“Company” or “D-Tools”) and the entity that has engaged Company to provide the Services (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern. Each of Company and Customer is referred to in this DPA individually as a "party", collectively the "parties". By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.

Definitions
1. “Customer Data” means any information Processed by Company solely on behalf of Customer, including without limitation any EU Personal Data and/or UK Personal Data.
2. “European Data Protection Laws” means, collectively, the GDPR and the UK Data Protection Laws, as applicable.
3. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
4. “Personal Data” means any information relating to, linked to, or reasonably linkable to any identified or identifiable individual, household, or device.
5. “Processing” (including any grammatically inflected forms thereof) means any operation or set of operations which is performed on data or on sets of data, whether or not by automated means or manual means, including without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, including the actions of a person directing a third party to Process data on behalf of such person.
6. “Services” means the services provided to Customer by Company under the Agreement.
7. “UK” means the United Kingdom.
8. “UK Data Protection Laws” means the UK GDPR and the UK’s Data Protection Act 2018 (“UK DPA 2018”).
9. “UK GDPR” means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018.
To the extent Company Processes Personal Data regulated by the GDPR solely on behalf of Customer (“EU Personal Data”), and to the extent Customer is a controller (as defined in the GDPR) and the Company is a processor (as defined in the GDPR) on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 2 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Controller to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Company and to Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Controller to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit A. In the event of a conflict between the Agreement and the Controller to Processor Standard Contractual Clauses, the Controller to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
To the extent Company Processes EU Personal Data, and to the extent Customer is a processor (as defined in the GDPR) on behalf of a third party with respect to EU Personal Data and the Company is a processor on behalf of Customer with regard to such EU Personal Data, then to the extent required by the GDPR, Module 3 of the Standard Contractual Clauses for the Transfer of Personal Data as set out in European Commission Decision 2021/914/EC, available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (the “Processor to Processor Standard Contractual Clauses”) will apply to the transfer of such EU Personal Data by Customer to Company and to Company’s Processing of such EU Personal Data and the parties hereby agree to comply with such Processor to Processor Standard Contractual Clauses, which are hereby incorporated into the Agreement in their entirety, as set forth in Exhibit B. In the event of a conflict between the Agreement and the Processor to Processor Standard Contractual Clauses, the Processor to Processor Standard Contractual Clauses will control to the extent applicable to such EU Personal Data.
To the extent Company Processes Personal Data regulated by the UK Data Protection Laws solely on behalf of Customer (“UK Personal Data”), then to the extent required by the UK Data Protection Laws, the UK’s ‘International Data Transfer Addendum to the EU Commission Standard Contractual Clauses’, Version B1.0, in force from March 21, 2022, available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf (the “UK DTA”) will apply to the transfer of such UK Personal Data by Customer to Company and to Company’s Processing of such UK Personal Data and the parties hereby agree to comply with such UK DTA, which is hereby incorporated into the Agreement in its entirety and as set forth in Exhibit C. In the event of a conflict between the Agreement and the UK DTA, the UK DTA will control to the extent applicable to the UK Personal Data.
Customer represents, warrants, and covenants that: (i) it has (and will have) Processed, collected, and disclosed all Customer Data in compliance with applicable law and provided any notice and obtained all consents and rights required by applicable law to enable Company to lawfully Process Customer Data as permitted by the Agreement and/or this DPA; (ii) it has (and will continue to have) full right and authority to make the Customer Data available to Company under the Agreement and this DPA; and (iii) Company's Processing of the Customer Data in accordance with the Agreement, this DPA, and/or Customer's instructions does and will not infringe upon or violate any applicable law or any rights of any third party. Customer shall indemnify, defend and hold Company harmless against any claims, actions, proceedings, expenses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees arising out of Customer’s violation of this Section 5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 5 shall not be subject to any limitations of liability set forth in the Agreement.
Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Company shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as product development and sales and marketing. To the extent any such data is considered personal data (as defined in, and regulated by the European Data Protection Laws), then, to the extent Company is subject to the European Data Protection Laws as a controller (as defined in the European Data Protection Laws), Company is the controller (as defined in the European Data Protection Laws) of such data and accordingly shall Process such data in accordance with the European Data Protection Laws.
This DPA (together with the Agreement), constitutes the entire agreement between the parties and supersedes all prior undertakings and agreements between the parties, whether written or oral, with respect to the subject matter of this DPA. Company reserves the right, in its sole discretion, to change, modify, replace, add to, supplement or delete any terms and conditions of this DPA at any time by posting an updated version of this DPA on this webpage.
In this DPA, unless a clear contrary intention appears: (i) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (ii) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by the Agreement; (iii) reference to any gender includes each other gender; (iv) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (v) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (vi) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; (vii) “including” (including grammatically inflected forms thereof) means including without limiting the generality of any description preceding such term; (viii) all references to “days” refer to calendar days; and (ix) the word "or" is not exclusive. This DPA has been executed in English and the English language version shall control notwithstanding any translations of this DPA.

Exhibit A

MODULE 2 – CONTROLLER TO PROCESSOR

STANDARD CONTRACTUAL CLAUSES

For the purposes of the Controller to Processor Standard Contractual Clauses:
1. Clause 7. The parties agree that the optional language in Clause 7 is included.
2. Clause 9(a). The parties agree that under Option 2, Company has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Company will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
5. Clause 17. Option 1 shall apply and the Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
6. Clause 18. The parties agree that any dispute arising from the Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
7. Annex I.A.
  1. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the applicable order form or addendum.
  2. The name and address of Company, and the name, position, and contact details of the contact person of Company (which is the data importer) are as follows:
    
    Name: Zach Campbell
    
    Address: 3886 Mayberry Dr, Ste. E, Reno, NV 89519
    
    Contact person’s name, position and contact details: COO, zachc@d-tools.com
  3. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
  4. The signature and date are the signature and date set forth in the Agreement.
  5. The roles of the parties are as follows: Company is a processor and Customer is a controller.
8. Annex I.B.
  1. The categories of data subjects are:
    1. Prospective, current, and former clients of Customer; and
    2. Any individuals whose personal data is contained within the Customer Data made available to Company by or on behalf of Customer in connection with Company’s provision of Services.
  2. The categories of personal data transferred are:
    1. Name, email, phone number, and other business contact details of prospective, current, and former clients of Customer; and
    2. Any categories of personal data contained within the Customer Data made available to Company by or on behalf of Customer in connection with Company’s provision of Services.
  3. The categories of sensitive data include any categories of sensitive data contained within the Customer Data made available to Company by or on behalf of Customer in connection with Company’s provision of Services.
  4. The frequency of the transfer shall be on a continuous basis.
  5. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
  6. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
  7. The duration of the processing under these Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Controller to Processor Standard Contractual Clauses).
  8. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
9. Annex I.C.
  1. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
10. Annex II.
  1. The data importer employs a number of technical and organisational measures as further specified in Exhibit D. In addition, pursuant to Clause 10(b), taking into account the nature of the processing, data importer will use commercially reasonable efforts to assist data exporter, at data exporter’s expense, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of data exporter’s obligation to respond to data subjects’ requests to exercise their rights with respect to their personal data under the GDPR.
11. Annex III.
  1. Customer hereby authorizes the use of the following sub-processors:
    1. Zoho Desk
    2. Intercom
    3. D-Tools Development Center Pvt Ltd.
    4. Amazon Web Services

Exhibit B

MODULE 3 – PROCESSOR TO PROCESSOR

STANDARD CONTRACTUAL CLAUSES

For the purposes of the Processor to Processor Standard Contractual Clauses:

1. 1. Clause 7. The parties agree that the optional language in Clause 7 is included.
  2. Clause 9(a). The parties agree that under Option 2, Company has Customer’s general authorization to subcontract its processing activities to the list of sub-processors set out in Section (a)(11)(i). Company will inform Customer in writing of any intended changes to the list of sub-processors set out in Section (a)(11)(i) at least 10 days prior to engaging with any other sub-processor.
  3. Clause 11. The parties agree that the optional language in Clause 11 is excluded.
  4. Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
  5. Clause 17. Option 1 shall apply and the Processor to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
  6. Clause 18. The parties agree that any dispute arising from the Processor to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
  7. Annex I.A.
    1. The name and address of Customer, and the name, position, and contact details of the contact person of Customer (which is the data exporter) are as set forth in the applicable order form or addendum.
    2. The name and address of Company, and the name, position, and contact details of the contact person of Company (which is the data importer) are as follows:
      
      Name: Zach Campbell
      
      Address: 3886 Mayberry Dr, Ste. E, Reno, NV 89519
      
      Contact person’s name, position and contact details: COO, zachc@d-tools.com

1. 1. 1. The activities relevant to the data transferred are the provision and receipt of the Services as described in the Agreement.
    2. The signature and date are the signature and date set forth in the Agreement.
    3. The roles of the parties are as follows: Company is a processor and Customer is a processor.
  2. Annex I.B.
    1. The categories of data subjects are:
      1. Prospective, current, and former clients of Customer; and
      2. Any individuals whose personal data is contained within the Customer Data made available to Company by or on behalf of Customer in connection with Company’s provision of Services.
    2. The categories of personal data transferred are:
      1. Name, email, phone number, and other business contact details of prospective, current, and former clients of Customer; and
      2. Any categories of personal data contained within the Customer Data made available to Company by or on behalf of Customer in connection with Company’s provision of Services.
    3. The categories of sensitive data include any categories of sensitive data contained within the Customer Data made available to Company by or on behalf of Customer in connection with Company’s provision of Services.
    4. The frequency of the transfer shall be on a continuous basis.
    5. The nature of the processing is such that the personal data will be subject to basic processing, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services by data importer to the data exporter in accordance with the terms of the Agreement.
    6. The purpose of the data transfer and further processing is provision of the Services by data importer to data exporter.
    7. The duration of the processing under these Processor to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with these Processor to Processor Standard Contractual Clauses).
    8. For transfers to sub-processors, personal data will be transferred to sub-processors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such sub-processors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, structuring, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure (including by transmission), analysis, deletion, modification, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such sub-processors shall continue as long as such sub-processors carry out personal data processing operations on behalf of the data importer.
  3. Annex I.C.
    1. The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
  4. Annex II.
    1. Section (a)(10)(i) of Exhibit A is incorporated herein by reference.
  5. Annex III.
    1. Section (a)(11)(i) of Exhibit A is incorporated herein by reference.

Exhibit C

UK DTA

For the purposes of the UK DTA:
1. For the purposes of Table 1 of the UK DTA, the start date shall be the later of the DPA Effective Date or the date the Agreement is entered into by the parties, and the names of the parties, their roles and their details shall be as set out in Exhibit A Section (a)(7) and Exhibit B Section (a)(7), respectively;
2. For the purposes of Tables 2 and 3 of the UK DTA, the Controller to Processor Standard Contractual Clauses and the Processor to Processor Standard Contractual Clauses, including the information set out in Exhibit A Section (a)(8), (10), and (11)(i) and Exhibit B Section (a)(8), (10), and (11)(i), respectively, shall apply; and
3. For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.

Exhibit D

TECHNICAL AND ORGANIZATIONAL MEASURES

This Exhibit D describes the technical and organizational measures implemented by the Company that are designed to ensure a commercially reasonable level of security with respect to Company’s Processing of EU Personal Data, taking into account the nature, scope, context and purpose of such Processing, and the risks for the rights and freedoms of natural persons.

Measures of pseudonymization and encryption of personal data
- Pseudonymization of personal data that is no longer needed in plain text
- Encryption of websites (SSL)
- Encryption of email (TLS 1.2 or 1.3)
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services
- Confidentiality agreements with employees
- NDA´s with third parties
- Firewall
- Anti-Virus
- Regular backups
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Regular backups of the whole system
- Regular testing of backup and recovery
- Regular training of IT staff
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
- In-house checks
- Regular review of processes by IT
- Regular audits
Measures for user identification and authorization
- Two-Factor-Authentication
- Authentication with username / password
- Regular checks of authorizations
- Password guidelines
- Limitation of the number of administrators
- Management of rights by system administrator
- Differentiation between authorization
Measures for the protection of personal data during transmission
- Use of encryption technologies
- Logging of activities and events
- Encryption of email (TLS 1.2 or 1.3)
- Use of Company internal / restricted drives
Measures for the protection of personal data during storage
- Logging of actions and events
- Limitation of the number of administrator’s
- Firewall
Measures for ensuring physical security of locations at which personal data are Processed
- Manual locking system
- Security locks
- Key control
Measures for ensuring events logging
- Logging activated on application level
- Regular manual checks of logs
Measures for ensuring system configuration, including default configuration
- Configuration change control process
- Personal data protection by default is observed
- Configuration only by system administrator
- Regular training of IT staff
Measures for internal IT and IT security governance and management
- IT security policy
- Training of employees on personal data security
- IT team with clear roles and responsibilities
Measures for certification/assurance of processes and products
- Clear overview of the provisions applicable to the provided products/services/processes
- Regular internal and/or external audits
- Assignment of audit responsibilities to qualified parties
Measures for ensuring personal data minimization
- Identification of the purpose of Processing
- Assessment of a link between Processing and purpose
- Identification of the applicable retention periods for each personal data category
- Secure erasure of the personal data after expiration of the retention period and/or in accordance with the Agreement
Measures for ensuring personal data quality
- Logging of entry and modification of personal data
- Assignment of rights for personal data entry
- Traceability of entry, modification of personal data by individual usernames (not user groups)
Measures for ensuring limited personal data retention
- Regular training on retention periods
- Regular audit and assessment of retained personal data
Measures for ensuring accountability
- Provision of training / awareness rising
- Regular controls and checks
- Appropriate policies on personal data protection
- Conclusion of SCCs
- Use of secure personal data erasure
- Legal basis for Processing exists for all activities
- Documented privacy policy
Measures for allowing personal data portability and ensuring erasure
- Personal data is stored in a structured format
- Observation of retention periods
- Establishment of personal data portability process
- Proper handling of data subject requests