Data Processing Agreement (AVV)
Last updated: June 2026
Preamble
This Data Processing Agreement ("DPA" / "AVV") is concluded between:
Controller (Auftraggeber): The Customer who has accepted CrunchJunky's Terms of Service.
Processor (Auftragnehmer): Tiki-Taka Media GmbH, Curschmannstraße 9, 20251 Hamburg, Germany ("CrunchJunky").
This DPA governs the processing of personal data by CrunchJunky on behalf of the Customer in connection with the CrunchJunky marketing-reporting platform ("Service") and forms an integral part of the Terms of Service in accordance with Art. 28 GDPR (DSGVO).
1. Subject matter and duration
CrunchJunky processes personal data on behalf of the Customer for the duration of the Customer's active subscription to the Service. Upon termination, processing ceases and data is returned or deleted in accordance with Section 11.
2. Nature and purpose of processing
CrunchJunky processes personal data solely to provide the Service as described in the Terms of Service:
• Fetching, storing, and displaying advertising and analytics data imported by the Customer from connected data sources (Google Ads, Meta, LinkedIn, TikTok, Microsoft Ads, Google Analytics 4, Google Business Profile, Google Search Console).
• Generating reports, dashboards, and AI-powered summaries for the Customer and their clients.
• Sending scheduled report emails to recipients designated by the Customer.
• Providing the monitoring, alerting, and campaign-management features included in the Service.
Processing for any purpose beyond these is not permitted without the Customer's explicit written instruction.
3. Type of personal data processed
The following categories of personal data may be processed, depending on the Customer's configuration:
• Identity and contact data: names and email addresses of the Customer's team members and end-client contacts.
• Advertising performance data: campaign names, ad-set names, audience segment labels, and performance metrics (impressions, clicks, conversions, spend) imported from connected platforms. This data may indirectly reference personal data if campaign names or audience labels contain personal identifiers.
• Authentication tokens: OAuth access and refresh tokens issued by connected platforms on behalf of the Customer.
• Report-delivery recipients: email addresses of report recipients designated by the Customer.
4. Categories of data subjects
• Employees, contractors, or authorised users of the Customer.
• The Customer's end clients (to the extent their contact information is entered into the platform).
• Individuals whose data may be referenced in advertising platform data (indirectly, via campaign metadata).
5. Controller's obligations
The Customer, as controller, is responsible for:
5.1 Ensuring a lawful basis exists for all personal data provided to or processed through the Service.
5.2 Informing affected data subjects about the processing in accordance with Art. 13/14 GDPR.
5.3 Ensuring that connecting third-party data sources (advertising platforms) complies with those platforms' terms of service and applicable data-protection law.
5.4 Issuing documented instructions to CrunchJunky where deviating from standard Service behaviour is required. All instructions must be in writing (email is sufficient).
5.5 Notifying the competent supervisory authority and affected data subjects of personal data breaches as required by Art. 33/34 GDPR, using the breach information provided by CrunchJunky under Section 8 (Incident management and breach notification).
6. Processor's obligations
CrunchJunky, as processor, undertakes to:
6.1 Process personal data only on documented instructions from the Customer, unless required to do so by EU or Member State law (in which case CrunchJunky will inform the Customer before processing unless prohibited by law).
6.2 Ensure that all personnel authorised to process personal data are bound by statutory or contractual confidentiality obligations and are trained in data protection requirements.
6.3 Implement and maintain the technical and organisational measures described in Section 8 (Annex 1).
6.4 Assist the Customer, taking into account the nature of processing and the information available to CrunchJunky, in fulfilling its obligations to respond to data subject rights requests (Arts. 15–22 GDPR). Any data subject request that CrunchJunky receives directly will be forwarded to the Customer within 5 business days.
6.5 Assist the Customer in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIAs) insofar as reasonably possible given CrunchJunky's role.
6.6 At the Customer's election, delete or return all personal data at the end of the service relationship, and delete existing copies unless EU or Member State law requires storage (see Section 11).
6.7 Make available to the Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits as described in Section 10.
7. Sub-processors
7.1 The Customer grants a general authorisation for CrunchJunky to engage sub-processors. The current list of approved sub-processors is set out in Annex 2 below.
7.2 CrunchJunky will inform the Customer of any intended changes to the sub-processor list (additions or replacements) with at least 14 days' advance notice by email or in-app notification, giving the Customer the opportunity to object. If no objection is raised within 14 days, the Customer is deemed to have approved the change.
7.3 Where a Customer objects to a new sub-processor and CrunchJunky cannot provide the Service without that sub-processor, the Customer may terminate the subscription and receive a pro-rated refund for the unused period.
7.4 CrunchJunky will impose data-protection obligations on sub-processors that are equivalent to those set out in this DPA, and remains liable to the Customer for sub-processor compliance.
8. Technical and organisational measures (Annex 1 — TOMs)
The following measures are maintained by CrunchJunky to ensure a level of security appropriate to the risk under Art. 32 GDPR:
PSEUDONYMISATION AND ENCRYPTION
• All data in transit is encrypted using TLS 1.2 or higher (HSTS enforced).
• Sensitive data at rest (OAuth access and refresh tokens, AI API keys) is encrypted with AES-256 before it is written to the database.
• Passwords are hashed using bcrypt with a cost factor of 12; plain-text passwords are never stored.
CONFIDENTIALITY
• Tenant isolation: all database queries are scoped to the authenticated team ID at the application layer, so that one tenant cannot read or modify another tenant's data.
• Employee access to production data is restricted to a minimal set of authorised personnel on a need-to-know basis.
INTEGRITY
• Input validation and parameterised database queries prevent injection attacks.
• CSRF protection tokens are enforced on all state-changing operations.
AVAILABILITY AND RESILIENCE
• The Service is deployed on Vercel's globally distributed edge network with automatic failover, providing high availability.
• The database (Neon) operates with continuous replication and point-in-time recovery.
ACCESS CONTROL
• Multi-factor authentication (MFA) is required for all access to production infrastructure.
• Access rights are reviewed periodically and revoked promptly upon personnel changes.
• All production access events are logged.
INCIDENT MANAGEMENT AND BREACH NOTIFICATION
• A documented incident-response process is maintained.
• In the event of a personal data breach, CrunchJunky will notify the Customer within 72 hours of becoming aware, providing: (i) a description of the nature of the breach; (ii) the approximate number of records and data subjects affected; (iii) the likely consequences; (iv) measures taken or proposed to address the breach.
TESTING AND REVIEW
• Security measures are reviewed at least annually and updated in response to identified risks or changes in the threat landscape.
• Dependency updates and vulnerability patches are applied on a regular cycle.
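The tenant-isolation and parameterised-query measures above can be illustrated with an added example. This is not CrunchJunky's code: the `campaigns` table, its columns, the sample rows and the hypothetical `TenantScopedRepo` class are constructed assumptions. The repository binds the authenticated team ID into every query and passes the user-supplied filter as a bound parameter (with `LIKE` wildcards escaped), while the deliberately unsafe variant beside it builds the same query by string interpolation and lets one tenant read every tenant's rows.

```python
"""
Added example (not CrunchJunky's code): tenant-scoped, parameterised data access
on an in-memory SQLite database. Table, columns and rows are constructed for
illustration only.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants (team_id 1 and 2) sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE campaigns (
            id          INTEGER PRIMARY KEY,
            team_id     INTEGER NOT NULL,
            name        TEXT    NOT NULL,
            spend_cents INTEGER NOT NULL
        );
        INSERT INTO campaigns (team_id, name, spend_cents) VALUES
            (1, 'Spring Sale',       12000),
            (1, 'Brand Awareness',    5000),
            (2, 'Competitor Launch', 99000);
        """
    )
    return conn


def _escape_like(value: str) -> str:
    """Escape LIKE metacharacters so user input is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


class TenantScopedRepo:
    """Hypothetical repository: team_id comes from the authenticated session,
    never from request parameters, and is bound into every WHERE clause."""

    def __init__(self, conn: sqlite3.Connection, team_id: int) -> None:
        self._conn = conn
        self._team_id = team_id

    def find_campaigns(self, name_filter: str) -> List[Tuple[int, str, int]]:
        # Both the tenant scope and the user-supplied filter are bound
        # parameters; the SQL text never changes with input.
        pattern = "%" + _escape_like(name_filter) + "%"
        return self._conn.execute(
            "SELECT id, name, spend_cents FROM campaigns "
            "WHERE team_id = ? AND name LIKE ? ESCAPE '\\' "
            "ORDER BY id",
            (self._team_id, pattern),
        ).fetchall()


def find_campaigns_unsafe(
    conn: sqlite3.Connection, team_id: int, name_filter: str
) -> List[Tuple[int, str, int]]:
    """Deliberately vulnerable counterpart: string interpolation lets the
    filter terminate the literal and neutralise the team_id scope."""
    sql = (
        "SELECT id, name, spend_cents FROM campaigns "
        f"WHERE team_id = {team_id} AND name LIKE '%{name_filter}%'"
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the LIKE literal, ORs in a tautology,
    # and comments out the rest of the statement.
    payload = "x%' OR 1=1 --"
    print("unsafe, team 1:", find_campaigns_unsafe(db, 1, payload))  # all tenants
    print("scoped, team 1:", TenantScopedRepo(db, 1).find_campaigns(payload))  # []
    print("scoped, team 2:", TenantScopedRepo(db, 2).find_campaigns(""))
```

The point of the repository shape is that the tenant scope is applied in one place and cannot be omitted by a caller; a query that accepted `team_id` from the request body would be "scoped" in name only.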
9. Sub-processor list (Annex 2)
The following sub-processors are currently engaged by CrunchJunky:
Name: Vercel Inc.
Purpose: Platform hosting, CDN, serverless function execution
Location: United States (EU data region: Frankfurt, Germany)
Transfer mechanism: Standard Contractual Clauses + EU–US Data Privacy Framework
DPA: vercel.com/legal/dpa
Name: Neon Inc.
Purpose: PostgreSQL database hosting
Location: United States (EU data region: eu-central-1, Frankfurt)
Transfer mechanism: Standard Contractual Clauses
DPA: neon.tech/dpa
Name: Stripe, Inc.
Purpose: Payment processing and subscription management (billing data only)
Location: United States
Transfer mechanism: Standard Contractual Clauses + EU–US Data Privacy Framework
DPA: stripe.com/legal/dpa
Name: Resend Inc.
Purpose: Transactional email delivery (password resets, scheduled report emails)
Location: United States
Transfer mechanism: Standard Contractual Clauses
10. Audit rights
The Customer may conduct or commission an audit of CrunchJunky's compliance with this DPA no more than once per calendar year, or at any time following a confirmed personal data breach. Audits must be:
• Notified to CrunchJunky in writing at least 14 days in advance.
• Conducted during normal business hours.
• Carried out by the Customer or a mutually agreed independent third party bound by confidentiality obligations.
• Paid for by the Customer.
CrunchJunky may satisfy audit requests by providing a current independent audit report (ISO 27001, SOC 2, or equivalent) where available, in lieu of an on-site audit.
11. Return and deletion of data
Upon termination of the Customer's subscription:
11.1 CrunchJunky will retain the Customer's personal data for 30 days following termination to allow the Customer to export their data. The Customer may request a data export at any time during this window by emailing hello@crunchjunky.io.
11.2 After 30 days, CrunchJunky will delete or irreversibly anonymise all personal data processed on the Customer's behalf, except where a longer retention period is required by EU or German law (e.g. billing records retained under § 257 HGB).
11.3 Upon request, CrunchJunky will provide written confirmation of deletion.
12. Governing law
This DPA is governed by German law. Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Hamburg, Germany.
13. Precedence
In the event of conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to the processing of personal data.