Data Processing Addendum
Effective: April 26, 2026 · Version 1.0
1. Purpose & Scope
This Data Processing Addendum ("DPA") forms part of the Notify Beforehand Terms of Service (the "Agreement") between Eversoft Fzco ("Notify Beforehand," "we," "us," or "Processor") and the customer entity that has accepted the Agreement ("Customer," "you," or "Controller").
This DPA reflects the parties' commitments under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended ("CCPA/CPRA"), and other applicable data protection laws (collectively, "Data Protection Laws") when Notify Beforehand Processes Personal Data on Customer's behalf.
In the event of any conflict between this DPA and the Agreement, this DPA controls solely with respect to the Processing of Personal Data.
2. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or, where applicable, in the GDPR. For the avoidance of doubt:
- "Personal Data" means any information relating to an identified or identifiable natural person that is uploaded to, processed by, or stored within the Service by or on behalf of Customer.
- "Processing" has the meaning given under the GDPR (collection, storage, retrieval, transmission, deletion, etc.).
- "Subprocessor" means any third party engaged by Notify Beforehand to Process Personal Data.
- "Data Subject" means the individual to whom Personal Data relates (e.g., your employees, contractors, or users).
3. Roles of the Parties
For the purposes of Data Protection Laws, Customer is the Controller and Notify Beforehand is the Processor of Personal Data Processed under the Agreement. Each party will comply with its respective obligations under Data Protection Laws.
4. Subject Matter, Duration & Nature of Processing
- Subject matter: Notify Beforehand Processes Personal Data to provide the Service — namely, certification expiry tracking, automated email reminders, document storage, and account administration.
- Duration: Throughout the term of the Agreement and for any retention period required by law or described in the Privacy Policy.
- Nature and purpose: Storage, retrieval, indexing, sending of automated reminder emails, generation of dashboards and exports, customer support, and security logging.
- Categories of Data Subjects: Customer's employees, contractors, and authorized account users.
- Categories of Personal Data: Names, email addresses, employer/role, certification name and issuing body, certification expiry dates, uploaded credential documents, account login metadata, IP address, and usage telemetry.
- Special categories: Notify Beforehand does not require, and Customer agrees not to upload, sensitive or special category data unless explicitly agreed in writing.
5. Customer Instructions
Notify Beforehand will Process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by applicable law. The Agreement, the Privacy Policy, and Customer's use of the Service's configurable features (e.g., notification preferences, exports, deletion controls) constitute Customer's instructions.
Notify Beforehand will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
6. Confidentiality
Notify Beforehand ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and are trained on data protection.
7. Security Measures (Article 32 GDPR)
Notify Beforehand implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: AES-256 at rest, TLS 1.2+ in transit.
- Access control: Role-based access on the customer side; least-privilege internal access on the Notify Beforehand side, with multi-factor authentication required for production access.
- Network & infrastructure security: Hosted on Google Firebase (SOC 2 Type II, ISO 27001) with DDoS mitigation and managed WAF.
- Logging & monitoring: Authentication logs, webhook deliveries, and reminder cron runs are retained for security audit.
- Backups: Daily automated backups of Firestore data with point-in-time recovery for at least 7 days.
- Vulnerability management: Dependency scanning, periodic security review of code changes, and coordinated disclosure for reported issues at security@notifybeforehand.com.
- Incident response: Documented plan with defined detection, containment, eradication, recovery, and notification phases. See our Security & Incident Response page.
8. Subprocessors
Customer authorizes Notify Beforehand to engage the Subprocessors listed below. We remain liable to Customer for the performance of each Subprocessor's data protection obligations.
| Subprocessor | Purpose | Location |
|---|---|---|
| Google LLC (Firebase Auth, Firestore, Storage) | Authentication, primary data storage, document vault | USA & EU (multi-region) |
| Vercel Inc. | Application hosting and edge delivery | USA & global edge |
| Resend | Transactional and reminder email delivery | USA |
| Paddle.com Market Ltd. | Merchant of Record: payment processing, billing, tax | UK / EU |
| Cloudflare, Inc. | DNS, DDoS protection, WAF | USA & global edge |
Notify Beforehand will notify Customer of any new Subprocessor at least 30 days before authorizing the new Subprocessor to Process Personal Data, by updating this list and (at Customer's request) emailing the billing contact on file. Customer may object on reasonable, documented data protection grounds; if the parties cannot resolve the objection, Customer may terminate the Agreement with respect to the affected portion of the Service on a pro-rata refund basis.
9. International Data Transfers
Where Customer transfers Personal Data from the European Economic Area, the United Kingdom, or Switzerland to Notify Beforehand outside those jurisdictions, the parties agree that the transfer is governed by the Standard Contractual Clauses approved by the European Commission (Module 2: Controller to Processor) and, for the United Kingdom, the UK International Data Transfer Addendum issued by the ICO. The SCCs and UK Addendum are incorporated into this DPA by reference.
For operational details (data importer, processing locations, technical and organizational measures), the relevant Annexes to the SCCs are deemed populated by sections 4 and 7 of this DPA and the Subprocessor list in section 8.
10. Data Subject Rights
Notify Beforehand will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures to fulfil Customer's obligations to respond to Data Subject requests under Data Protection Laws (access, rectification, erasure, restriction, portability, objection).
Most requests can be fulfilled directly by Customer through the dashboard's built-in tools (employee CRUD, CSV export, account deletion). For requests we cannot service via self-service tooling, contact privacy@notifybeforehand.com.
11. Personal Data Breach Notification
Notify Beforehand will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's data, and in any event within 72 hours. The notification will describe (to the extent known) the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
12. Audits
Notify Beforehand will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may, no more than once per calendar year and on at least 30 days' written notice, request a summary audit report and answers to a reasonable security questionnaire. Where the Customer is regulated and audit rights cannot be fulfilled by reports alone, the parties will agree on the scope and timing of an on-site audit at Customer's expense, subject to mutually acceptable confidentiality terms.
13. Return or Deletion of Data
Upon termination of the Agreement, Customer may export its Personal Data using the in-product CSV export and document download tools. Notify Beforehand will delete Personal Data from active systems within 30 days of termination and from backups within 90 days, except where retention is required by law.
14. CCPA / CPRA Service Provider Terms
To the extent Notify Beforehand Processes "personal information" of California consumers on Customer's behalf, Notify Beforehand acts as a "service provider" under the CCPA/CPRA and certifies that it:
- Processes the personal information solely to provide the Service or as otherwise permitted by the CCPA/CPRA;
- Does not sell or share the personal information;
- Does not retain, use, or disclose the personal information outside the direct business relationship with Customer; and
- Does not combine the personal information received from Customer with personal information received from any other source, except as expressly permitted by the CCPA/CPRA.
15. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Agreement.
16. Order of Precedence; Updates
Notify Beforehand may update this DPA from time to time to reflect changes in law or in our processing operations. We will post the updated DPA at this URL and update the "Effective" date. Material changes will be notified to the billing contact on file at least 30 days in advance.
17. Contact
- Privacy: privacy@notifybeforehand.com
- Security: security@notifybeforehand.com
- Company: Eversoft Fzco, United Arab Emirates