Data Processing Addendum

1. Definitions

In this Data Processing Addendum ("DPA"), the following terms have the meaning given below:

• "Controller" — the Client (you), who determines the purposes and means of personal data processing.
• "Processor" — Solutions4sf, operated by Serhii Skrypnyk (sole proprietor, registered in Ukraine), who processes personal data on behalf of the Controller.
• "Personal Data" — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
• "Processing" — any operation performed on personal data, including collection, storage, modification, retrieval, transmission, or deletion.
• "Sub-Processor" — any third party engaged by Solutions4sf to process personal data in connection with the Services.
• "Data Subject" — the identified or identifiable natural person to whom personal data relates.
• "GDPR" — Regulation (EU) 2016/679 (General Data Protection Regulation), and where applicable, the UK GDPR and Data Protection Act 2018.
• "Services" — the consulting, implementation, audit, training, and support services Solutions4sf provides under the Master Services Agreement (MSA) or Statement of Work (SOW).

2. Scope and Roles

This DPA applies whenever Solutions4sf processes Personal Data on behalf of the Client in the course of providing Services. The parties agree:

• The Client acts as the Controller of all Personal Data accessed during the engagement.
• Solutions4sf acts as the Processor under GDPR Article 28.
• This DPA is incorporated by reference into the MSA, SOW, or other governing agreement between the parties.
• If there is a conflict between this DPA and any other agreement, the terms of this DPA prevail with respect to data protection matters.

3. Subject Matter and Duration of Processing

Subject matter: Processing Personal Data necessary to provide Salesforce, Pardot (Marketing Cloud Account Engagement), RevOps consulting, audit, implementation, integration, and related services.

Duration: Processing continues for the duration of the engagement defined in the SOW, plus any reasonable post-engagement period needed for handover, knowledge transfer, or required record retention.

Nature and purpose: Configuring, auditing, integrating, and migrating Salesforce/Pardot environments. Reading, structuring, and (where instructed) modifying lead, contact, account, and engagement data.

4. Categories of Data Subjects

Personal Data processed under this DPA may relate to the following categories of Data Subjects:

• The Client's employees and contractors (e.g., Salesforce users, marketing operations staff).
• The Client's prospects, leads, and customers stored in Pardot/Salesforce.
• The Client's website visitors whose data is captured through forms, tracking pixels, or campaign URLs.
• Other individuals whose data is processed in the Client's CRM or marketing automation platforms.

5. Categories of Personal Data

The Personal Data processed typically includes (depending on Client's configuration):

• Identifiers: Name, email address, phone number, job title, company name.
• Engagement data: Email opens, clicks, form submissions, page views, campaign responses.
• Lead/account attributes: Industry, company size, revenue tier, lead source, lead score, lead grade.
• Communication content: Email content, automated message logs, conversation history (where applicable).
• System data: User credentials, audit logs, configuration history (limited to what is necessary).

Solutions4sf does not intentionally process special category data (race, ethnicity, religion, political opinions, biometric data, health data, sexual orientation, etc.) unless explicitly required by the SOW and accompanied by enhanced safeguards. The Client must notify Solutions4sf in advance if such data may be present.

6. Obligations of Solutions4sf as Processor

Solutions4sf agrees to the following:

6.1 Documented Instructions

Solutions4sf processes Personal Data only on documented instructions from the Client, including with regard to international data transfers, unless required to do so by Union or Member State law to which Solutions4sf is subject. In such cases, Solutions4sf will inform the Client of that legal requirement before processing, unless prohibited by law.

6.2 Confidentiality

Solutions4sf ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, either by contract or statutory duty.

6.3 Security Measures (GDPR Article 32)

Solutions4sf implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Access controls: Two-factor authentication on all accounts handling Client data; principle of least privilege; password manager for credential storage.
• Encryption: All Client data accessed via HTTPS/TLS; client credentials never stored in plaintext.
• Endpoint security: Encrypted disks on all devices; up-to-date operating systems and security patches.
• Logging and monitoring: Activity logs maintained for security incidents and audit trails.
• Network security: VPN used for sensitive operations; no public Wi-Fi for Client work.
• Backup and recovery: Periodic encrypted backups; tested recovery procedures.
• Incident response: Defined procedure for security incidents and breach notifications.

6.4 Sub-Processors

Solutions4sf may engage Sub-Processors to support the Services. The Client provides general written authorization for the use of Sub-Processors, subject to the conditions in Section 7 below.

6.5 Data Subject Rights Assistance

Solutions4sf assists the Client, by appropriate technical and organizational measures, in fulfilling the Client's obligation to respond to Data Subject requests under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection).

6.6 Breach Notification

Solutions4sf notifies the Client without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting the Client's data. The notification includes:

• Description of the nature of the breach.
• Approximate number of Data Subjects and records affected.
• Likely consequences of the breach.
• Measures taken or proposed to address the breach.
• Contact point for further information.

6.7 Data Protection Impact Assessment Assistance

Solutions4sf provides reasonable assistance to the Client in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required under GDPR Articles 35-36.

6.8 Audit Rights

Solutions4sf makes available to the Client all information necessary to demonstrate compliance with this DPA. Solutions4sf cooperates with audits, including inspections, conducted by the Client or another auditor mandated by the Client, subject to:

• 30 days' written notice (except for urgent regulatory or breach-related audits).
• Audits conducted during normal business hours.
• Reasonable confidentiality protections for Solutions4sf's other clients.
• Client bearing reasonable costs of audit.

6.9 Return or Deletion of Data

Upon termination of the Services, Solutions4sf, at the Client's choice, returns or deletes all Personal Data, except where retention is required by law. Solutions4sf provides written confirmation of deletion within 30 days of the request.

7. Sub-Processors

The Client authorizes Solutions4sf to engage the Sub-Processors listed in Section "Our Sub-Processors" of the Privacy Policy, which currently includes hosting providers, communication tools, analytics services, and productivity tools.

Notification of changes: Solutions4sf will provide the Client with at least 30 days' notice before adding or replacing a Sub-Processor that processes Client Personal Data. The Client may object to a new Sub-Processor on reasonable grounds related to data protection. If the parties cannot resolve the objection within 30 days, the Client may terminate the affected Services.

Sub-Processor obligations: Solutions4sf imposes data protection obligations on each Sub-Processor that are no less protective than those in this DPA, by means of a written agreement.

8. International Data Transfers

Solutions4sf is based in Ukraine. The Client may be located in the EU, UK, US, or another jurisdiction. International transfers of Personal Data may occur in connection with the Services.

For transfers from the EU/EEA, UK, or Switzerland to Ukraine or other third countries, Solutions4sf relies on:

• Standard Contractual Clauses (SCCs) as adopted by the European Commission in Decision 2021/914, automatically incorporated into this DPA where applicable.
• UK International Data Transfer Addendum for transfers from the UK.
• Adequacy decisions where they apply.
• Supplementary measures as appropriate, including encryption in transit and at rest.

Ukraine has been recognized for the equivalent level of personal data protection by the European Commission since the adoption of national data protection legislation aligned with GDPR principles.

9. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the MSA or SOW, except as provided otherwise by applicable data protection law (e.g., GDPR Article 82 on the right to compensation for damages).

10. Term and Termination

This DPA takes effect on the date the underlying Services agreement (MSA or SOW) is executed and remains in force for as long as Solutions4sf processes Personal Data on behalf of the Client.

Upon termination of the Services agreement, Sections 6.9 (Return or Deletion of Data), 7 (Sub-Processors), 8 (International Data Transfers), and 9 (Liability) survive termination.

11. Conflict and Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions remain in full force. The parties will replace the invalid provision with one that achieves the same intent within applicable law.

This DPA is the parties' complete and exclusive agreement regarding data processing. It supersedes any prior data processing terms unless explicitly retained.

12. Contact

For data protection inquiries, including requests for a signed DPA copy, breach notifications, or audit coordination:

Email: [email protected]
Subject prefix for DPA matters: "DPA — [Your Company Name]"

Solutions4sf is operated by Serhii Skrypnyk, sole proprietor (ФОП), registered in Ukraine.

This DPA is effective as of April 27, 2026. Solutions4sf may update this DPA from time to time. Material changes will be communicated to active Clients. The latest version is always available at solutions4sf.com/dpa.