Data Processing Agreement

April 1, 2026

This Data Processing Agreement (“DPA”) applies if and to the extent that MTEK Solutions, LLC DBA Easemble (“Easemble,” "we," "us," or "our") processes end-user data on behalf of a Creator (“Creator,” “you,” or “your”) who has created a Creator Account under the Easemble Terms of Service (“Agreement”). This DPA is made pursuant to the Agreement and supplements and forms an integral part of the Agreement and is effective as of your first use of the Creator Portal. Unless stated otherwise, all terms, conditions, and definitions in the Agreement apply to this DPA. Should a conflict between this DPA and the Agreement exist, the terms of this DPA control.

Acceptance of this DPA

Your access to and use of the Creator Portal is conditional on your acceptance of the terms and conditions of this DPA. By accessing and using the Creator Portal, you agree on your own behalf and on behalf of any party on whose behalf you may act to accept and abide by this DPA. If you do not agree with all of the terms and conditions of this DPA, do not access or use the Creator Portal.

Modification to this DPA

We reserve the right to modify this DPA at any time by posting an updated DPA on our website at https://www.easemble.com/policies/dpa. If we make changes, we will notify you by revising the date at the top of the policy. We may also, at our sole discretion, provide you with an email notice of changes. You are responsible for regularly reviewing this DPA, and your continued use of the Creator Portal after the effective date of any change constitutes your acceptance of the updated DPA. If any modification is unacceptable, you shall cease using the Creator Portal. If you have any questions about this DPA, contact us at support@easemble.com.

  1. Definitions. Capitalized terms not defined below have the meaning given to them in the Agreement.

“Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

“Data Protection Laws” means data protection laws or privacy laws of any country or state applicable to our and/or your Processing of User Information, including Personal Information.

“Data Subjects” means the identified or identifiable natural person to whom Personal Information relates.

“European Economic Area” or “EEA” means the member states of the European Union together with Iceland, Liechtenstein, and Norway, as may be updated from time to time.

“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

“Personal Information” means any information relating to an identified or identifiable natural person, including any information that can reasonably be used to identify, contact, or locate such person, whether directly or indirectly. This includes identifiers such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Personal Information includes any information defined as “personal data,” “personal information,” or an equivalent term under Data Protection Laws.

“Personal Information Breach” means a confirmed and actual breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to User Personal Information, where such event is reasonably likely to result in a risk to the rights and freedoms of natural persons under Data Protection Laws. A Personal Information Breach does not include: (i) unsuccessful attempts or activities that do not compromise the security, integrity, or availability of User Personal Information (such as unsuccessful logins, pings, port scans, or denial-of-service attacks); or (ii) events that are detected and remediated before resulting in unauthorized access to or loss of User Personal Information.

“Process” or “Processing” means any operation or set of operations that is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means any entity (including us) that Processes User Personal Information on your behalf and in accordance with your documented instructions, as further described in this DPA.

“Restricted Transfer” means any transfer of User Personal Information via the Creator Portal, whether directly or through onward transfer, that is subject to restrictions under Data Protection Laws, including: (i) where the EU GDPR applies, a transfer from the EEA to a country or recipient outside the EEA not recognized by the European Commission as providing adequate protection; (ii) where the UK GDPR applies, a transfer from the United Kingdom to a country or recipient not subject to adequacy regulations under Section 17A of the U.K. Data Protection Act 2018; and (iii) where the Swiss Federal Act on Data Protection applies, a transfer from Switzerland to a country or recipient not recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC) as providing adequate protection.

“Sensitive Information” means any category of Personal Information that is subject to heightened protection under Data Protection Laws outside the European Economic Area, including U.S. state privacy laws such as the CCPA, CPRA, VCDPA, and similar legislation. Such data may include financial account information, government-issued identifiers, precise geolocation data, health or medical data, biometric information, racial or ethnic origin, or other data deemed sensitive or requiring additional safeguards under applicable law.

“Special Category Information” means the categories of Personal Information described in Article 9(1) of the General Data Protection Regulation (GDPR) and similar laws, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation.

“Standard Contractual Clauses” or “SCCs” means (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Information to third countries published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, (“EU SCCs”); and (ii) where the UK GDPR applies the international data transfer addendum to the EU SCCs adopted pursuant to Article 46(2)(c) of the UK GDPR and published at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended or replaced, (“UK SCCs”); and (iii) where Personal Information is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority; (“Swiss SCCs”); as they may be amended, superseded or replaced from time to time.

“Sub-Processor” means any third party engaged by us to Process User Personal Information on your behalf in connection with the provision of the Creator Portal. A Sub-Processor may include hosting providers, infrastructure and cloud service providers, analytics or automation vendors, communication platforms, or other subcontractors that Process User Personal Information under our instructions. Sub-Processors do not include: (i) third parties that provide us services without Processing User Personal Information (such as accounting, legal, or general business services); or (ii) third-party integrations or products that you choose to use independently of the Creator Portal.

“UK GDPR” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act of 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended.

“User Personal Information” means any Personal Information that is supplied, made available, or otherwise provided by you or on your behalf to us, or that is otherwise Processed by us on your behalf, in connection with the provision of the Creator Portal and Subscription services and subject to this DPA. For clarity, User Personal Information does not include: (i) Personal Information relating to our own personnel or business contacts; (ii) Personal Information that we Process as a Controller for our own business purposes (such as billing, account management, or product analytics); or (iii) any data collected independently by us outside the scope of the Creator Portal.

  1. Scope

This DPA applies to all Processing of User Personal Information by us on your behalf in connection with your use of the Creator Portal. The purpose of this DPA is to ensure that such Processing is conducted in compliance with all Data Protection Laws and the terms of the Agreement. Under this DPA, you act as the Controller (or, where applicable, the Processor on behalf of your own Controller), and we act as the Processor (or, where applicable, Sub-Processor) of User Personal Information. This DPA governs our Processing of User Personal Information, including the collection, storage, transmission, use, disclosure, and deletion, and applies to all User Personal Information processed by us in any location worldwide on your behalf. If and to the extent that the Processing of User Personal Information is subject to the GDPR, the UK GDPR, or other comparable Data Protection Laws, this DPA constitutes the written data processing agreement required by such laws.

  1. Term

This DPA will remain in effect for the duration of the Agreement between you and us, and for as long as we Process User Personal Information on your behalf. Upon termination or expiration of the Agreement, we will continue to Process User Personal Information only to the extent required to comply with our legal, regulatory, or contractual obligations, and will otherwise cease all Processing and securely delete or return such User Personal Information in accordance with the terms of this DPA. Our obligations under this DPA that, by their nature, are intended to survive termination—including obligations relating to data confidentiality, security, and deletion—will remain in effect for as long as we retain User Personal Information.

  1. Processing

We will Process User Personal Information solely to the extent necessary to provide, operate, maintain, support, and improve the Creator Portal; to perform our obligations under the Agreement; and to comply with Data Protection Laws. Such Processing may include activities such as collecting, receiving, organizing, structuring, storing, adapting, retrieving, using, transmitting, and deleting data as necessary to fulfill those purposes. We will not Process User Personal Information for our own purposes or for any purpose other than as expressly permitted under the Agreement and this DPA. Where required by law, we will notify you before Processing User Personal Information for any other lawful purpose, and such Processing will be subject to your documented instructions.

  1. Categories of User Personal Information

The User Personal Information processed in connection with the Creator Portal may include, as applicable, the following categories of data. Such data may relate to end users who are Easemble users or non-users and may be accessed by us as a result of access granted by a Creator to the Creator Portal or to Guides and other Creator Materials made available through the Creator Portal.

  • Contact Information. Names, business titles, company names, professional or business email addresses, phone numbers, and other contact details of users who access or interact with the Creator Portal or Guides.
  • Account and Access Data. Usernames, account identifiers, authentication credentials or tokens, access permissions, and related information associated with access to the Creator Portal or specific Guides, whether or not the user maintains an Easemble account.
  • Usage, Interaction, and Metadata. Information generated through access to or use of the Creator Portal or Guides, including activity logs, timestamps, interaction metadata, content access history, navigation events, device identifiers, browser types, operating systems, IP addresses, and network information.
  • Creator Materials and Guide Content. Content made available through the Creator Portal or Guides, including text, images, videos, files, and other materials, as well as associated metadata, annotations, comments, feedback, or user-generated inputs that may contain personal information.
  • Communications and Feedback Data. Content of communications, feedback, comments, or requests submitted by users in connection with the Creator Portal or Guides, including support inquiries, chat messages, form submissions, or in-product feedback.
  • Other User-Provided Information. Any other information uploaded, transmitted, or otherwise made available by or on behalf of a Creator or user for processing in connection with the Creator Portal or Guides.

  1. Categories of Data Subjects

The User Personal Information processed in connection with the Creator Portal may relate to the following categories of data subjects, as applicable. Such data subjects may include individuals who access or interact with the Creator Portal, Guides, or other Creator Materials, whether or not they maintain an Easemble account.

  • User’s Customers and End Users. Individuals whose information is provided to or made available to us by you in connection with the Creator Portal, including your customers, clients, internal users, account contacts, or other end users who access or interact with Guides or other Creator Materials.
  • Prospective Customers and Leads. Individuals identified, profiled, contacted, or otherwise included by you in connection with your use of the Creator Portal, including prospective customers, leads, business contacts, or representatives of target organizations.
  • User’s Personnel and Authorized Representatives. Your employees, contractors, agents, or other authorized representatives who access or use the Creator Portal or Guides on your behalf.
  • Vendors, Partners, and Affiliates of User. Individuals employed by or engaged by your vendors, service providers, business partners, or affiliates whose information may be included in User Personal Information through your use of the Creator Portal or Creator Materials.
  • Other Individuals. Any other individuals whose personal information you upload, transmit, make available, or otherwise cause to be processed through the Creator Portal, Guides, or other Creator Materials in the ordinary course of use.

  1. No Processing of Special Category or Sensitive Data

The Creator Portal is not designed or intended for the Processing of Sensitive Data or Special Category Data (as those terms are defined under Data Protection Laws), and we do not knowingly Process such data in connection with the Creator Portal. You agree to not provide, and will ensure that your users do not provide, any such data to us unless we have expressly agreed in writing that: (i) such Processing is required for the performance of the Creator Portal; and (ii) appropriate additional safeguards and instructions have been established. If you nevertheless submit any Sensitive Data or Special Category Data without such agreement, WE HAVE NO LIABILITY TO YOU ARISING FROM PROCESSING OF SUCH SENSITIVE DATA OR SPECIAL CATEGORY DATA.

  1. Compliance

We will comply with all Data Protection Laws and any reasonable instructions provided by you in the Processing of User Information. If we cannot provide such compliance for whatever reason, we agree to promptly inform you of our inability to comply. If, for any reason we, in our sole discretion, believe that any one or more of our available services cannot comply with Data Protection Laws, then we reserve the right to cease all Processing of User Information or stop providing such services to you or to users generally until we are either able to comply or you provide us with instructions that do violate applicable law. We are not liable for failing to provide the Creator Portal should we choose to invoke our rights provided in this section, and your sole remedy is the right to cancel any applicable Subscriptions or use of the Creator Portal.

  1. User Obligations

You must comply with your respective obligations under all Data Protection Laws in connection with the Processing of User Personal Information. You represent and warrant that you have provided all necessary notices, obtained all required consents, and established all lawful bases for our Processing of User Personal Information under the Agreement and this DPA. Specifically, you will:

  • Lawful Basis and Instructions. Ensure that all Processing of User Personal Information by us is lawful and based on a valid legal basis under Data Protection Laws, and provide us with documented instructions for such Processing in accordance with this DPA.
  • Accuracy and Data Minimization. Take reasonable steps to ensure that all User Personal Information disclosed or otherwise made available to us is accurate, relevant, and limited to what is necessary for the intended Processing.
  • Notifications and Changes. Promptly, but in any event within 5 business days, notify us if: (a) any Data Subject withdraws consent or otherwise limits or restricts the Processing of their User Personal Information; or (b) you determine that the Processing of any User Personal Information under this DPA no longer complies with Data Protection Laws.
  • Instructions to Easemble. Provide us with any instructions regarding the Processing of User Personal Information in writing or by other mutually agreed means. You acknowledge that we are not responsible for reviewing the legality of your instructions.
  • Assessment of Easemble’s Security Measures. Before disclosing User Personal Information to us, you must review the technical and organizational measures described in this DPA and determine that such measures provide an appropriate level of security, taking into account the nature of User Personal Information subject to Processing.
  • Data Subject Requests and Regulatory Inquiries. Promptly, but in any event within 5 business days, notify us of any inquiry, complaint, or notice received from a data protection authority or Data Subject that relates to our Processing of User Personal Information. You will respond to Data Subject requests that you receive directly, except where you request our assistance under this DPA. 
  • Use of the Creator Portal. Ensure that your use of the Creator Portal and your transfer of any User Personal Information to us comply with all Data Protection Laws and do not cause us to violate any of our obligations under this DPA.

  1. Security Measures

We will implement and maintain appropriate technical and organizational measures to protect User Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are designed to protect User Personal Information and to ensure a level of security appropriate to the risk associated with the Processing. We review and update these measures on a periodic basis (at least annually) to address evolving security risks, technology developments, and applicable legal requirements. Any material changes that could significantly reduce the level of protection afforded to User Personal Information will be communicated to you in advance where required by law or the DPA. These measures include:

  • Information Security Program. We maintain a written information security program that includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, availability, and resilience of systems and Processing operations involving User Personal Information. This program is reviewed at least annually and updated as reasonably necessary to address evolving security risks or regulatory requirements.
  • Access Controls. We restrict access to systems and environments containing User Personal Information to authorized personnel based on the principles of least privilege and need-to-know. Access rights are reviewed periodically and revoked promptly upon termination or role change. Multi-factor authentication is required for all administrative access to User Personal Information.
  • Encryption and Transmission Security. Where supported by our systems or that of our Sub-Processors, User Personal Information is: (a) encrypted in transit using industry-standard protocols (TLS 1.2 or higher); and (b) encrypted at rest using AES-256 or a substantially equivalent standard. Keys and credentials are managed securely and rotated periodically in accordance with our internal key management policy.
  • Physical and Environmental Security. We rely exclusively on reputable third-party hosting and cloud service providers that maintain robust physical and environmental safeguards, including access control, monitoring, redundancy, and disaster recovery facilities. We do not operate our own data centers.
  • Vulnerability and Incident Management. We maintain processes to identify, assess, and remediate vulnerabilities and to detect and respond to potential security incidents. Security updates and patches are applied promptly based on severity. Confirmed Personal Information Breaches will be reported in accordance with this DPA, typically within 72 hours of awareness.
  • Business Continuity and Disaster Recovery. We maintain and periodically test disaster recovery and business continuity plans to ensure the timely restoration of access to User Personal Information in the event of a physical or technical incident. Testing occurs at least once annually.
  • Personnel Security and Training. Personnel with access to User Personal Information are subject to written confidentiality and non-disclosure obligations, complete data protection and security training at least once per year, and are required to comply with our internal security policies.
  • Vendor and Sub-Processor Oversight. We conduct due diligence on our Sub-Processors to verify they maintain security measures substantially similar to those required under this DPA. We monitor Sub-Processor compliance through periodic reviews and contractual assurances.
  • Restricted Transfers. To the extent that we engage in a Restricted Transfer of User Personal Information, Exhibit B is intended to satisfy the requirements of Annex II (Technical and Organizational Measures) of the EU Standard Contractual Clauses and equivalent requirements under other Data Protection Laws governing such transfers.

  1. Confidentiality

We will ensure that any person acting under our authority who has access to User Personal Information is subject to an appropriate written obligation of confidentiality and will Process such data only as necessary to provide the Creator Portal or to comply with Data Protection Laws. We will not disclose User Personal Information to any third party except: (i) as expressly permitted by this DPA or the Agreement; (ii) as instructed by you; or (iii) where disclosure is required by law, in which case we will promptly, but in any event within 72 hours, notify you (unless prohibited by law) before making such disclosure.

  1. Specific Exclusions

Except as expressly stated in this DPA or required by Data Protection Laws, we are not responsible for any Processing of User Personal Information that occurs as a result of (i) your instructions, configuration, or use of the Creator Portal; (ii) your failure to comply with your obligations under Data Protection Laws, including providing required notices, obtaining consents, or determining lawful bases for Processing; (iii) your acts or omissions or that of your users, including any unauthorized access, loss, or disclosure of data; (iv) Processing or transfers involving third-party systems, networks, or integrations selected or managed by User; or (v) the accuracy, completeness, or quality of any User Personal Information provided to us for Processing.

  1. User Instructions

We will Process User Personal Information only on your documented instructions, including with respect to any transfers of such data to a third country or international organization, unless required to do so by applicable law. Where Processing is required by law, we will promptly, but in any event within 72 hours, notify you (unless such notification is legally prohibited) before carrying out the Processing. Your instructions are initially set forth in the Agreement and this DPA and may be supplemented, amended, or replaced by additional written instructions from you as reasonably necessary for us to provide the Creator Portal. We may notify you if we reasonably believe an instruction violates Data Protection Laws, and in such case, we will not be required to follow the instruction until the matter is resolved in good faith between the parties. If we determine that compliance with an instruction would result in a material cost or operational impact, the parties will cooperate in good faith to find a commercially reasonable solution.

  1. Data Subject Requests

To the extent that we receive a request directly from a Data Subject relating to the exercise of their rights under Data Protection Laws with respect to User Personal Information, we will promptly, but in any event within 5 business days, notify you of the request. We will not respond to the request except on documented instructions from you, unless required by applicable law. Taking into account the nature of the Processing, we will assist you, at your cost, by implementing appropriate technical and organizational measures, insofar as possible, to fulfill your obligation to respond to Data Subject requests under Data Protection Laws. Where permitted, we may charge a reasonable fee to cover our costs in assisting with Data Subject requests that are excessive, repetitive, or manifestly unfounded.

  1. Data Protection Impact Assessments and Cooperation

Upon your written request, we will provide reasonable assistance, at your cost, to enable you to comply with your obligations under Data Protection Laws relating to Data Protection Impact Assessments or prior consultations with supervisory authorities, to the extent that such assistance relates to the Processing of User Personal Information and the information is reasonably available to us. Such assistance may include providing information about our technical and organizational measures, data protection practices, and Sub-Processor arrangements relevant to the Processing of User Personal Information. If we receive any official written inquiry, notice, or request from a supervisory authority concerning the Processing of User Personal Information, we will promptly, but in any event within 5 business days, notify you (unless legally prohibited) and cooperate reasonably with you in responding to such inquiry. 

  1. Sub-Processors

You authorize us to engage Sub-Processors to Process User Personal Information in connection with the Creator Portal, listed on our website (https://www.easemble.com/policies/subprocessors). We must: (i) enter into a written agreement with each Sub-Processor imposing obligations substantially similar to those set out in this DPA; (ii) remain responsible for the Sub-Processor’s compliance with such obligations; and (iii) provide you with advance notice of any intended addition or replacement of Sub-Processors by updating the Sub-Processor list made available to you. You may object in writing to the appointment of a new Sub-Processor on reasonable data protection grounds within 30 days of notice, in which case the parties will work together in good faith to resolve the objection. If the parties cannot reach resolution, you may terminate the affected portion of the Creator Portal upon written notice, without penalty. We will ensure that Sub-Processors located outside the jurisdiction where User Personal Information originates provide a level of protection for such data consistent with the requirements of Data Protection Laws and the transfer mechanisms described in this DPA, including, where applicable, the SCCs. The parties agree that by complying with this section, we fulfill our obligations under Section 9 of the SCCs, if applicable. For the purposes of Clause 9(c) of the SCCs, you acknowledge that we may be restricted from disclosing Sub-Processor agreements, but we will use reasonable efforts to require any Sub-Processor who we appoint to permit it to disclose the Sub-Processor agreement to you and will provide (on a confidential basis) all information we reasonably can.

  1. Security Incident Notification

If we become aware of a confirmed Personal Information Breach involving User Personal Information, we will promptly, but in any event within 72 hours, notify you and provide information reasonably available at the time to describe (i) the nature of the incident; (ii) the categories and approximate number of affected Data Subjects; (iii) the types of User Personal Information involved; and (iv) the measures taken or proposed to address the breach. We will take all reasonable steps to mitigate the effects of the breach and prevent its recurrence, and will cooperate with you as reasonably necessary to meet your obligations under Data Protection Laws, including any legal requirements to notify Data Subjects or supervisory authorities. Our obligation to report or respond to a Personal Information Breach under this DPA is not an acknowledgment by us of fault or liability with respect to the incident.

  1. Consent to Processing in the United States

Unless otherwise provided in this DPA, we may Process User Personal Information globally as necessary to provide the Creator Portal. Your access and use of the Creator Portal constitutes consent to our Processing and transfer of User Personal Information from your country of origin to the United States and other jurisdictions in which we or our Sub-Processors operate. If the Agreement specifies a particular geographic location for hosting (“Country of Origin”), any transfer of User Personal Information outside that location will only occur with your written authorization and in compliance with Data Protection Laws.

  1. Transfer Mechanisms

We will not transfer or permit the transfer of User Personal Information to a country or territory outside the jurisdiction where it was originally collected unless such transfer complies with Data Protection Laws governing international transfers. For purposes of the SCCs, the parties agree that Exhibit A (List of Parties, Description of Processing and Transfer of Personal Information) and Exhibit B (Technical and Organizational Security Measures) to this DPA collectively satisfy the requirements of Annexes I and II to the SCCs. Where applicable, our Sub-Processor List will satisfy the requirements of Annex III to the SCCs. Where such transfer constitutes a Restricted Transfer, the parties agree that one or more of the following lawful mechanisms will apply, as appropriate:

  • EU Standard Contractual Clauses (SCCs): The SCCs issued by the European Commission under Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference and will apply to any Restricted Transfer of User Personal Information from the EEA to Easemble. The SCCs will be completed as follows:
    • Module Two (Controller → Processor) applies where you act as a Controller.
    • Module Three (Processor → Processor) applies where you act as a Processor.
    • Clause 7 (Docking Clause): applies.
    • Clause 9: Option 2 (General Authorization) applies, with the notice period for Sub-Processor changes specified in this DPA.
    • Clause 11: optional language is deleted.
    • Clause 17: governed by Irish law.
    • Clause 18(b): disputes resolved in the courts of Ireland.
    • Annex I and II are satisfied by Exhibits A and B of this DPA, respectively.

  • U.K. Transfers: For transfers subject to the U.K. GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”) issued by the U.K. Information Commissioner’s Office is incorporated by reference and supplements the SCCs. Tables 1–3 of the UK Addendum are deemed completed with the information contained in Exhibits A and B of this DPA, and Table 4 is deemed completed by selecting “neither party.”

  • Swiss Transfers: For transfers subject to the Swiss Federal Act on Data Protection (FADP), the SCCs apply with the following modifications:
    • References to “EU Member State” and “EU GDPR” include “Switzerland” and “FADP.”
    • The competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
    • The term “Member State” shall not exclude Swiss data subjects’ rights to bring claims in Switzerland.

  • Data Privacy Framework (DPF): To the extent we (or our relevant affiliate or Sub-Processor) maintain a current, active certification under the EU–U.S. Data Privacy Framework, including the U.K. Extension and Swiss–U.S. Data Privacy Framework, and such certification covers the transfer of User Personal Information, the parties agree that the DPF will serve as the lawful transfer mechanism for those transfers in place of the SCCs. Upon your written request, we will provide reasonable evidence of our current certification status (including a link to our public certification listing) and confirm the scope of User Personal Information covered by such certification.

  • Other Transfer Mechanisms: If we adopt an alternative lawful transfer mechanism (such as Binding Corporate Rules, approved codes of conduct, or a new or successor DPF), such mechanism will automatically govern Restricted Transfers, provided it ensures an adequate level of protection under Data Protection Laws.

  1. Non-Compliance with Transfer Mechanisms

If we determine that we cannot comply with our obligations under an applicable transfer mechanism (including the SCCs, UK Addendum, or DPF), we will promptly notify you. You may suspend the relevant transfer until compliance is restored or terminate the affected portion of the Creator Portal if such compliance cannot be achieved. Before suspension or termination, the parties will cooperate in good faith to implement additional safeguards to remedy the issue. If any transfer mechanism used by the parties is invalidated or otherwise becomes unavailable under Data Protection Laws, the parties will promptly cooperate to implement an alternative lawful mechanism to ensure the continued Processing and transfer of User Personal Information in compliance with applicable law. We will notify you without undue delay if our Data Privacy Framework certification, if applicable, is withdrawn, expires, or otherwise ceases to be valid.

  1. Return or Deletion of Information

Upon termination or expiration of the Agreement, or upon written request by you, we will, at your choice, either delete or return all User Personal Information Processed on your behalf, unless retention of the data is required by applicable law, regulation, or contractual obligation. We will complete such deletion or return promptly, but in any event within 60 days of the effective date of termination or request, and will confirm completion of such action upon your written request. If applicable law requires us to retain certain User Personal Information, we will isolate and protect such data from further Processing (except to the extent required by law) and will continue to protect it in accordance with the terms of this DPA. Backup copies of deleted data will be securely overwritten or automatically purged in accordance with our standard data retention and backup rotation procedures.

  1. Audits and Certifications

Upon your written request, we will make available information reasonably necessary to demonstrate our compliance with this DPA and Data Protection Laws, including summaries of relevant third-party audits or certifications (such as ISO 27001, SOC 2, or equivalent). We will, at your cost, permit and reasonably cooperate with an audit by you or an independent auditor mandated by you, provided that: (i) such audit occurs no more than once in any 12-month period, unless required by law or following a confirmed Personal Information Breach; (ii) you provide at least 30 days’ prior written notice; and (iii) the audit is conducted in a manner that minimizes disruption and protects the confidentiality and security of our systems and other customers’ data. The audit may be conducted by your data protection officer or a mutually accepted authorized representative or third-party auditor, and any such third-party officer, representative, or auditor must sign a confidentiality agreement acceptable to us or otherwise be bound by a statutory or legal confidentiality obligation. Such third-party auditor may not disclose to you anything other than the results of our compliance or non-compliance with this DPA, and an audit does not entitle you to view or access records or processes: (a) not directly related to User Personal Information Processed by us; (b) not directly related to the Creator Portal provided to you under the Agreement; (c) in violation of applicable laws; or (d) in violation of our confidentiality obligations owed to a third party. Before any audit, we must agree in writing on the scope, which must describe the proposed duration and start date. You agree to provide us with the audit results, including any documented reports, which shall be subject to the confidentiality terms of the Agreement. We may satisfy audit requests by providing copies of independent audit reports or certifications demonstrating compliance with comparable data protection standards. 
Upon written request, we will make available to you summary information or certification reports demonstrating our Sub-Processors’ compliance with standards substantially equivalent to those described in this DPA.

  1. Compliance with Law and Legal Requests

If we receive a legally binding request from a governmental authority, court, or law enforcement agency to disclose any User Personal Information, we will, unless prohibited by law, promptly, but in any event within 72 hours, notify you of the request and provide reasonable information about its nature and scope. We will disclose only the minimum amount of User Personal Information necessary to comply with the request and will take all reasonable steps to challenge or limit the scope of any disclosure that we believe to be unlawful or disproportionate. Where disclosure is legally prohibited (for example, under criminal investigation secrecy laws), we will use reasonable efforts to notify you once the prohibition is lifted. We will document any disclosures made and, upon written request, provide you with a summary of the relevant legal process, to the extent permitted by law.

  1. California-Specific Provision

To the extent that the Processing of User Personal Information is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), the parties acknowledge that you are a “business” and we are a “service provider” (or, where applicable, “contractor”) under the CCPA. We will Process User Personal Information solely for the purpose of providing the Creator Portal and will not sell or share such data, retain, use, or disclose it for any purpose other than as necessary to provide the Creator Portal or as otherwise permitted by the CCPA, nor combine such data with personal information received from other sources except as allowed under the CCPA (for example, to detect or prevent security incidents or fraudulent activity). We will comply with these restrictions and will ensure that any Sub-Processors engaged as “service providers” or “contractors” under the CCPA are bound by written obligations that provide substantially the same level of protection.

  1. Limitation of Liability

The total liability of each party arising out of or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, will not exceed the greater of (i) $1,000,000 (or such other amount as is equal to the limit of our applicable cyber liability insurance policy in effect at the time of the event), or (ii) the total fees paid or payable by you to us under the Agreement during the 12 months immediately preceding the event giving rise to the claim. Nothing in this DPA limits either party’s liability to the extent such limitation is prohibited under Data Protection Laws, including liability for (a) breach of confidentiality obligations; (b) willful misconduct or fraud; or (c) death or personal injury resulting from negligence. For clarity, this DPA does not create additional liabilities for either party beyond those already agreed in the Agreement, and no provision of this DPA shall be construed as expanding or increasing a party’s total aggregate liability beyond the limits set forth in this section.

  1. Governing Law

This DPA will be governed by and construed in accordance with the same governing law and jurisdiction specified in the Agreement, except to the extent otherwise required by Data Protection Laws. If there is any inconsistency between this DPA and Data Protection Laws, the provisions of the Data Protection Laws shall prevail to the extent necessary to ensure compliance.

  1. Regional Supplements

Where required by Data Protection Laws, this DPA shall be supplemented by jurisdiction-specific terms that apply to the Processing of User Personal Information from such jurisdiction. In the event of any conflict between the terms of this DPA and any regional supplement, the supplement will prevail to the extent necessary to comply with Data Protection Laws.

  1. Indemnification

In addition to any indemnification provisions provided in the Agreement, the parties further agree that (i) if one party is held liable for a violation of Data Protection Laws committed by the other party, the latter will, to the extent to which it is liable, indemnify the other party for any cost, charge, damages, expenses, or loss it has incurred as part of its obligations; and (ii) the limitations of liability provided in the Agreement, including the aggregate liability cap, apply to this section to the maximum extent permitted by applicable law.

  1. Amendments

We may update this DPA as reasonably necessary to comply with changes in Data Protection Laws or to implement new SCCs or other lawful transfer mechanisms. We will notify you at least 30 days before any material change becomes effective, unless a shorter period is required by law or regulatory guidance.

  1. Severability

If any provision of this DPA is found invalid or unenforceable, the remainder of this DPA will remain in full force and effect. Any invalid provision will be replaced by a valid provision that most closely reflects the parties’ intent.

  1. Integration

This DPA forms part of, and is subject to, the terms of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA governs solely with respect to Processing of User Personal Information. 

  1. Global Interpretation

References in this DPA to “Controller,” “Processor,” “Personal Information,” and similar terms shall be interpreted in a manner consistent with their meanings under applicable Data Protection Laws, including their equivalents such as “business,” “service provider,” or “operator,” as relevant to the jurisdiction.

  1. Entire Agreement

This DPA, together with the Agreement and its exhibits (including the SCCs, where applicable), constitutes the entire agreement between the parties concerning the Processing of User Personal Information and supersedes all prior understandings relating to that subject matter.

Exhibit A

List of Parties, Description of Processing and Transfer of Personal Information, Competent Supervisory Authority

LIST OF PARTIES

The Exporter
  • Party: User
  • Address: As set out for the User in the Easemble Terms of Service
  • Contact: As provided by the User in its account and used for notification and invoicing purposes
  • Activities: Use of the Creator Portal
  • Signature: By entering into the Agreement, the Exporter is deemed to have signed the SCCs incorporated into this DPA and including their Annexes, as of the Effective Date of the Agreement
  • Role: Controller
  • Name of Representative: Any UK or EU representative named in the Exporter’s privacy policy

The Importer
  • Party: MTEK Solutions, LLC DBA Easemble
  • Address: As set out for the User in the Easemble Terms of Service
  • Contact: Privacy Officer, privacy@easemble.com
  • Activities: The provision of the Creator Portal to the Exporter under which the Importer processes Personal Information upon the instructions of the Exporter according to the terms of the Agreement
  • Signature: By entering into the Agreement, the Importer is deemed to have signed the SCCs, incorporated into this DPA, including their Annexes, as of the Effective Date of the Agreement
  • Role: Processor
  • Name of Representative: Not applicable

DESCRIPTION OF PROCESSING AND TRANSFERS
Categories of Data Subjects: The Personal Information transferred concerns the following categories of Data Subjects, as applicable:

  • Existing Customers of the User. Individuals whose information is provided by you or collected on your behalf in connection with the provision of products or services, such as current customers, end users, or other individuals interacting with your offerings.
  • Prospective Customers or Business Contacts. Individuals identified or engaged by us in the course of performing services for you, which may include potential customers, business prospects, or representatives of target organizations.
  • User’s Vendors, Partners, or Affiliates. Individuals employed or engaged by third parties with whom you maintain a business relationship and whose information may be processed in connection with your operations or communications.
  • End Users of Integrated or Linked Services (if applicable). Individuals whose Personal Information is processed through integrations, connected systems, or third-party tools used by you or us in the provision of services.
  • User Personnel (limited). Your employees, agents, or representatives whose business contact or account information may be processed for purposes such as account management, service delivery, billing, or communications.
Categories of Personal Information: The Personal Information transferred may include, as applicable:

  • Identification Data. Such as names, titles, company names, job roles, or other identifiers provided or generated in the course of delivering the Creator Portal.
  • Contact Data. Such as business email addresses, phone numbers, mailing addresses, or other contact details used for communication or account management purposes.
  • Account and Access Data. Such as usernames, passwords, user IDs, access logs, and related metadata necessary to provide or manage access to products or services.
  • Usage and Interaction Data. Such as device information, activity logs, interaction history, or other technical data generated through the use of our or your systems or services.
  • Transaction and Communication Data. Such as order details, payment references (excluding financial account information unless explicitly required), and records of communications or support inquiries.
  • Marketing and Preference Data. Such as communication preferences, opt-in/opt-out status, and responses to marketing or engagement campaigns.
  • Other Personal Information. Any other categories of Personal Information that you instruct us to process, consistent with the Agreement and Data Protection Laws.
Special Category Data: We do not intentionally collect, access, or process any sensitive or special categories of Personal Information (as defined under Data Protection Laws, including Article 9 of the GDPR) in the course of providing the Creator Portal.

If you require us to process such data, this must be explicitly agreed in writing and subject to additional appropriate safeguards as required by law.

Sensitive data means the following special categories of Personal Information:
  • Personal Information revealing racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • The processing of genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or data concerning a natural person's sex life or sexual orientation
  • Personal Information relating to criminal convictions and offences
Frequency of Processing: Continuous basis for the duration of the Agreement.
Nature of Processing: Processing operations include, without limitation:

To perform and support the delivery of the Creator Portal to you, including any related activities such as identifying, collecting, analyzing, organizing, transmitting, or otherwise processing Personal Information as necessary to operate, maintain, support, and improve the functionality and effectiveness of the Creator Portal. Processing may involve accessing, receiving, storing, structuring, analyzing, or transmitting Personal Information relating to you, your customers, end users, business contacts, or other authorized individuals.
Purpose of Data Transfer: Personal Information is transferred to sub-contractors who need to process some of the Personal Information in order to provide their services to the Processor as part of the Creator Portal provided by the Processor to the Controller.
Retention Period: Unless agreed otherwise in writing, for the duration of the Agreement, subject to clause 14 of the DPA.
Sub-Processors: The Sub-Processor list on our website at https://www.easemble.com/policies/subprocessors sets out the Personal Information processed by each Sub-Processor and the services provided by each Sub-Processor.
Competent Supervisory Authority: Where the EU GDPR applies, the Irish Data Protection Authority - Data Protection Commission (DPC).

Where the UK GDPR applies, the UK Information Commissioner's Office (ICO).

Where the FADP applies, the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Exhibit B

Technical and Organizational Security Measures

(Including Technical and Organizational Measures to Ensure the Security of Data)

Below is a description of the technical and organizational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Where applicable, this Exhibit B will serve as Annex II to the SCCs.

LIST OF PARTIES
Measure: Description
Pseudonymization and Encryption: For the purpose of ensuring transfer control and safeguarding Personal Information, we implement encryption and access control measures that align with industry standards and the capabilities of the third-party platforms we use to provide the Creator Portal.

All Personal Information processed through these platforms is encrypted in transit using Transport Layer Security (TLS 1.2 or higher) and is encrypted at rest according to the security standards of the respective platform provider (typically AES-256 or equivalent).

We do not maintain independent data storage systems for archived Personal Information. Any Personal Information exported or retained outside of those platforms (for example, for delivery to you) is protected through password-protected files, pseudonymization, or encryption using industry-accepted cryptographic standards.

Access to Personal Information is restricted to authorized personnel involved in the delivery of the Creator Portal and is governed by role-based access controls and multi-factor authentication. We periodically review access permissions and monitor activity logs to detect unauthorized access or anomalies.

We rely on each third-party platform’s certified security measures (e.g., SOC 2, ISO 27001, or equivalent) for encryption key management and secure data handling, and verify that such providers maintain appropriate organizational and technical safeguards consistent with Data Protection Laws.
Confidentiality, Integrity, Availability, and Resilience: We implement and maintain technical and organizational measures designed to ensure the confidentiality, integrity, availability, and resilience of systems and services that process Personal Information on your behalf.

Access to Personal Information is restricted to authorized personnel following the principles of least privilege and need-to-know. All personnel with access to Personal Information are subject to written confidentiality and non-disclosure obligations, which remain in effect both during and after their employment or engagement with us.

We use encryption, authentication, and other security safeguards to protect Personal Information against unauthorized access, alteration, or loss. We also maintain redundant systems and secure backups to ensure data can be restored and services can continue in the event of a system failure or security incident.

These measures are reviewed and updated regularly to maintain the continued security and reliability of our processing environment.
Restoration of Access to Personal Information in the event of a Physical or Technical Incident: We rely on reputable third-party cloud service providers and software platforms to host, store, and process Personal Information on your behalf. These providers maintain industry-standard redundancy, backup, and disaster recovery procedures to ensure the continued availability and integrity of Personal Information in the event of a physical or technical incident.

In accordance with these providers’ documented security and continuity measures, systems are designed to restore access to Personal Information quickly in the event of service disruption, data loss, or other incidents. We monitor service provider performance and verify that such providers maintain appropriate business continuity and disaster recovery certifications or attestations (such as ISO 27001 or SOC 2).

We do not operate our own data centers or servers but maintain internal procedures to coordinate with our service providers to ensure prompt restoration of access to Personal Information if required.
Testing and Evaluation of Security Measures: We regularly test, assess, and evaluate the effectiveness of our technical and organizational measures to ensure the ongoing security of Personal Information processed on your behalf. These activities include periodic internal reviews, vulnerability scanning, and control assessments designed to confirm that implemented safeguards remain effective and appropriate for the risks presented by the processing.

Security controls are reviewed and updated as needed to address new threats, system changes, or regulatory requirements. Where we use third-party platforms or hosting providers, we also verify that those providers maintain industry-recognized certifications and conduct independent audits (such as SOC 2 or ISO 27001).

All findings from testing and assessments are documented, and corrective actions are tracked to completion to maintain the continued integrity, confidentiality, and availability of Personal Information.
User Identification and Authorization: Access to Easemble systems and applications is granted only to authorized users through unique user accounts. Each user is required to authenticate using secure login credentials, and multi-factor authentication is enabled where supported.

User access rights are based on job responsibilities and follow the principle of least privilege. Access is reviewed periodically and revoked promptly when no longer required.

These controls help ensure that only authorized personnel can access systems processing Personal Information on your behalf.
Data In Transit: We rely on reputable third-party service providers and platforms that use industry-standard encryption protocols to protect Personal Information during transmission. These providers employ Transport Layer Security (TLS 1.2 or higher) or equivalent encryption for all data sent over public or untrusted networks.

Where applicable, such providers also support secure API connections, VPNs, or encrypted file transfer mechanisms to safeguard Personal Information transmitted between systems or with approved Sub-Processors.

By using only third-party services that implement these encryption standards, we ensure that Personal Information is protected against unauthorized access, alteration, or disclosure while in transit between us, you, and authorized third parties.
Data Storage: We rely exclusively on reputable third-party service providers and platforms to store and process Personal Information. These providers use industry-standard encryption and access controls to protect Personal Information at rest, typically employing AES-256 or equivalent encryption standards within their environments.

We only use third-party platforms that maintain recognized security certifications or attestations (such as ISO 27001 or SOC 2). Access to Personal Information stored within these platforms is restricted to authorized Easemble personnel who require it to perform their duties and is further protected by each provider’s technical and organizational safeguards against unauthorized access, alteration, or destruction.
Physical Security: We operate as a fully remote, cloud-based organization and do not host or maintain physical servers or on-premise data centers. All Personal Information is processed and stored within secure cloud environments operated by trusted third-party providers that implement industry-standard physical and environmental controls, including 24/7 monitoring, controlled facility access, redundant power systems, and disaster recovery protections.

We ensure that our personnel access these platforms only through secure, encrypted connections and from devices protected by appropriate endpoint security and authentication measures.

These measures ensure that Personal Information remains physically protected within the infrastructure of our authorized third-party service providers.
Events Logging: We maintain system and access logs to record key events within systems that process Personal Information. These logs capture activities such as authentication attempts, configuration changes, and data access events to support security monitoring and incident investigation.

Logging is implemented through the features of our systems and authorized third-party platforms. Logs are protected from unauthorized modification or deletion, retained for a defined period, and reviewed periodically to detect unusual or unauthorized activity.

These measures help us ensure accountability, traceability, and the ongoing security of Personal Information processed on your behalf.
System Configuration: We maintain secure system configurations for all environments used to process Personal Information. Default passwords and unnecessary services are disabled, and security settings are aligned with industry best practices and vendor recommendations.

Configuration changes are documented, reviewed, and approved before deployment to ensure consistency and minimize security risks. Automated tools or managed service providers may be used to monitor for misconfigurations and maintain compliance with our security standards.

These measures help ensure that systems processing Personal Information on your behalf remain secure, stable, and resilient against unauthorized changes or vulnerabilities.
IT Security Governance: We instruct our personnel to collect, process, and use Personal Information only as necessary for the performance of their assigned duties and solely for the purposes authorized by you under the Agreement. All employees and contractors are bound by written confidentiality obligations and receive training on proper data handling and information security practices.

Where supported by the systems used to provide the Creator Portal, we implement logical access controls and data segregation measures designed to prevent unauthorized access to or exposure of Personal Information. Testing and production environments are separated where appropriate to protect live data from unintended use or disclosure.

These governance measures help ensure that Personal Information is processed securely, appropriately, and in line with our internal policies and the scope of the Creator Portal provided to you.
Certification and Assurance of Processes and Products: We utilize reputable third-party data centers and service providers that maintain current ISO 27001 certifications or other substantially similar or equivalent security certifications or attestations (such as SOC 2 Type II). We will not engage third-party data centers or hosting providers that lack such certifications or attestations.

Upon your written request (no more than once within any 12-month period), we will provide, within a reasonable time, a copy or summary of the most recently completed certification or attestation reports relevant to the Creator Portal, to the extent such disclosure does not compromise the security or confidentiality of our systems.

Any certification or audit report shared with you shall be considered Confidential Information and subject to the confidentiality obligations set forth in the Easemble Terms of Service.
Data Minimization: We only collect and Process the Personal Information needed to provide the Creator Portal to you. Unnecessary or outdated data is not kept and is deleted or anonymized in line with our data retention practices.
Data Quality: Personal Information processed by us may include both information provided by you and information identified, created, or enriched by us in the course of providing the Creator Portal.

We do not independently verify or guarantee the accuracy or completeness of the Personal Information provided by you. For Personal Information created or enriched by us, such as business contact details or lead intelligence obtained from reputable third-party sources, we take reasonable steps to ensure that the data is current, relevant, and obtained from reliable sources in accordance with applicable laws and the Agreement.

We may provide tools, reports, and data outputs within the Creator Portal to help you review, validate, and manage the Personal Information processed or generated. You remain responsible for determining the accuracy, suitability, and lawful use of such data within your own systems and processes.
Data Retention: We apply a data classification and retention policy that defines how different types of data are stored and for how long they are retained.

When a record containing Personal Information is deleted, it is permanently removed from our active databases. A copy of that data may remain in system backups until those backups are automatically replaced through our regular backup rotation process, in line with our data retention policy.

Personal Information is not retained longer than necessary for the purposes of providing the Creator Portal to you or as required by law.
Data Sourcing and Verification

In providing the Creator Portal, we may collect or obtain Personal Information from publicly available sources, third-party data providers, or business information platforms that lawfully make such data available for business-to-business use.

We take reasonable steps to verify that data sources comply with applicable data protection and marketing laws, and that any Personal Information obtained has been collected and processed on a valid legal basis.

All data sourced or enriched by us is used solely for the purpose of providing the Creator Portal to you and is not sold, shared, or reused by us for unrelated purposes.
Accountability

We review our information security policies at least twice per year to ensure they remain current, effective, and properly implemented.

All employees who handle Personal Information or other sensitive information must acknowledge and follow these policies and are re-trained annually on information security practices and responsibilities.

We maintain a disciplinary policy for employees who fail to comply with our information security requirements, helping to ensure consistent accountability and adherence to established safeguards.
Data Portability and Erasure

We will assist you in meeting your obligations regarding data portability and erasure under Data Protection Laws.

Upon your written request, we will provide Personal Information processed on your behalf in a commonly used, machine-readable format to enable data portability.

When you request deletion of Personal Information, we will erase the data from active systems and ensure it is subsequently removed from backups according to our data retention and deletion policies.

We will not restore or otherwise make deleted Personal Information available except at your documented request or as required by law.
Assistance to User

We will provide reasonable assistance to you (and, where applicable, to the Data Exporter) in fulfilling your obligations under Data Protection Laws.

Personal Information is disclosed or transferred to third parties (such as sub-processors or service providers) only under a written contract that specifies the subject matter, duration, nature, and purpose of the processing, and that ensures compliance with data protection requirements.

If Personal Information is transferred outside the European Economic Area (EEA), we ensure that an adequate level of protection is in place at the destination, consistent with Data Protection Laws — for example, through the use of EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

These measures ensure that any onward processing or transfer of Personal Information is lawful, secure, and limited to the specific purposes authorized by you.
