Legal · GDPR Art. 28

Data Processing Agreement

Version 1.0 · Effective date: April 19, 2026

This Data Processing Agreement (“DPA”) is entered into between Loxu.io (“Processor”) and any Agency that accepts it through the platform (“Controller”). It forms part of, and is subject to, the Loxu.io Terms & Conditions.

This DPA is required by GDPR Article 28. By accepting it in your agency settings, you acknowledge you have read and agree to its terms as the data controller for your subscribers' personal data.

#1. Parties & Definitions

  • Processor: Loxu.io, Tel Aviv, Israel (legal@loxu.io)
  • Controller: The Agency entity that accepts this DPA through the Loxu.io platform.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
  • Processing: Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
  • Data Subject: Subscribers of the Controller whose Personal Data is processed via Forensic Links.
  • Forensic Data: Device fingerprints, IP addresses, geolocation, watch time, and access events collected via Forensic Links.

#2. Scope of Processing

Subject matter: Processing of Forensic Data on behalf of the Controller to provide fraud prevention, chargeback dispute evidence, and content-access monitoring services.

Nature: Collection, storage, structuring, querying, deletion, and export of Forensic Data.

Purpose: As instructed by the Controller — fraud deterrence, dispute evidence generation, content-sharing monitoring, and blacklist contribution.

Categories of data subjects: Subscribers of the Controller who open Forensic Links.

Duration: For the term of the Controller's subscription, plus 30 days post-termination for data export.

#3. Processor Obligations

Loxu.io (Processor) agrees to:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of data to third countries.
  • Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement the technical and organisational security measures described in Section 5.
  • Respect the conditions for engaging sub-processors as set out in Section 4.
  • Assist the Controller in fulfilling its obligations to respond to Data Subject rights requests (Art. 15–22).
  • Assist the Controller in ensuring compliance with security (Art. 32), breach notification (Art. 33–34), DPIA (Art. 35), and prior consultation (Art. 36) obligations.
  • Delete or return all Personal Data upon termination of the agreement (see Section 8).
  • Make available all information necessary to demonstrate compliance and allow for audits (see Section 9).

#4. Sub-Processors

The Controller grants general written authorisation for the Processor to engage the following sub-processors:

  • Supabase Inc. — database hosting and storage (United States)
  • Netlify Inc. — application hosting (United States)
  • Telegram Messenger Inc. — alert delivery (where Telegram integration is enabled)
  • Anthropic PBC — AI-powered support chat (where support chat is used)

The Processor will inform the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object before the change takes effect.

All sub-processors are bound by data processing agreements providing at least equivalent protections to this DPA.

#5. Security Measures

The Processor implements the following technical and organisational measures (GDPR Art. 32):

  • Encryption in transit: all data transmitted over TLS 1.2 or higher.
  • Encryption at rest: database encrypted at the infrastructure level by Supabase.
  • Access control: row-level security enforced at database level; agency data is strictly scoped by agency_id.
  • Authentication: agency sessions use HMAC-SHA256 signed tokens; admin access requires separate credentials.
  • Private storage: DPA documents stored in private Supabase Storage buckets with signed URL access only.
  • Audit logging: agency login events and GDPR requests are logged.
  • Data minimisation: Forensic Data is automatically purged after the configured retention period.

#6. Data Subject Rights

The Processor will assist the Controller in fulfilling Data Subject requests (access, erasure, portability, restriction, objection) via the tools available in the agency portal's Data & Privacy tab.

The Processor will forward any Data Subject request received directly to the Controller within 5 business days. The Controller is responsible for responding to Data Subjects within the GDPR timelines (typically 30 days).

Erasure of Personal Data from blacklist records is subject to the fraud-prevention exception under GDPR Art. 17(3)(e). In such cases, personally identifiable elements are deleted and an anonymised fraud marker is retained.

#7. Data Breaches

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
  • Provide, where possible: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken to address it.
  • Maintain records of all breaches, including those not reported to supervisory authorities.

#8. Deletion & Return of Data

  • Upon termination of the subscription, the Controller has 30 days to export their Forensic Data via the agency portal.
  • After 30 days post-termination, all Personal Data is permanently deleted.
  • The Processor will provide written confirmation of deletion upon request.
  • Anonymised fraud hashes in the Master Blacklist are not subject to deletion on termination.

#9. Audits & Inspection

The Controller may audit the Processor's compliance with this DPA no more than once per calendar year, with at least 30 days' written notice. Audits must be conducted during business hours and must not unreasonably disrupt operations.

The Processor may satisfy audit requirements by providing relevant third-party certifications or audit reports in lieu of on-site inspection, where these adequately demonstrate compliance.

#10. Liability

The parties' liability under this DPA is subject to the limitations set out in the Loxu.io Terms & Conditions. Where a party is held liable for a GDPR infringement that was wholly caused by the other party's non-compliance, the liable party is entitled to seek indemnification from the responsible party.

#11. Governing Law

This DPA is governed by the laws of the State of Israel. Disputes arising under this DPA shall be resolved in accordance with the dispute resolution clause in the Loxu.io Terms & Conditions.

Ready to accept this DPA?

Go to your agency settings → Data & Privacy tab to formally accept and receive a signed confirmation PDF.
