DATA-PROCESSING ADDENDUM

Last updated 18 June 2025 – version v2025-06-18

This Data-Processing Addendum (“DPA”) is incorporated by reference into the Master Services Agreement (“MSA”) between Great Finds, LLC, a Wyoming limited liability company, operating its audience-data service under the brand “24/7 Intent” (“Company”) and the customer identified in the applicable Order Document (“Client”). It prevails over any conflicting term in the MSA, but solely with respect to the Processing of Personal Data.

1. Definitions

“Controller” / “Business” means the entity that determines the purposes and means of Processing Personal Data.

“Processor” / “Service Provider” means the entity that Processes Personal Data on behalf of the Controller.

“Data Protection Laws” means all laws and regulations applicable to Processing of Personal Data under the Agreement, including EU/UK GDPR, Swiss FADP, and U.S. state privacy laws (e.g., CCPA/CPRA).

“Personal Data” means any information relating to an identified or identifiable natural person that is Processed under the Agreement.

“Personal Data Breach” means any unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Company.

“SCCs” means the European Commission Standard Contractual Clauses for international transfers of Personal Data (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK Addendum issued by the UK ICO.

“Sub-processor” means any Processor engaged by Company to assist in Processing Personal Data.

ANNEX I — DETAILS OF PROCESSING

2. Roles & Scope

Roles: Client is the Controller / Business. Company is the Processor / Service Provider.

Subject-matter & duration: Provision of daily-synced intent-audience Services for the term of the MSA.

Nature & purpose of Processing: Matching, scoring, segmenting, and syncing Audiences; analytics; support; security; billing.

Data categories: Contact data (name, email, phone); online identifiers; device/IP data; ad-platform IDs; CRM activity; audience-interest scores.

Data subjects: End-users and prospects located worldwide, as determined by Client.

Sensitive data: Company does not intentionally collect special-category data under GDPR or “sensitive personal information” under CPRA. Client agrees not to provide such data.

3. Client Instructions

Company will Process Personal Data solely on documented instructions from Client, as set out in the MSA, this DPA, and Order Documents, unless required to do otherwise by applicable law (in which case Company will notify Client unless prohibited).

4. Confidentiality & Security

Company ensures that persons authorized to Process Personal Data are bound by confidentiality.

Company implements and maintains appropriate technical and organisational measures (“TOMs”) as described in Annex II (Security Measures).

Company will assist Client with data-protection impact assessments and prior consultations to the extent required by Data Protection Laws.

5. Sub-processors

Authorized list. Current Sub-processors and their locations are published at https://legal.247intent.com/subprocessors.

Notice & objection. Company will notify Client at least ten (10) business days before adding a new Sub-processor. Client may reasonably object on privacy grounds; if the Parties cannot resolve the objection in good faith, Client may terminate the affected Services (pro-rated refund of prepaid fees).

Flow-down. Company will impose data-protection obligations on Sub-processors at least as protective as those in this DPA and remains fully liable for their acts and omissions.

6. Data Subject Rights

Taking into account the nature of Processing, Company will assist Client—via appropriate technical or organizational measures—in fulfilling requests to exercise data-subject rights (access, deletion, rectification, portability, opt-out, etc.). If Company receives a request directly, it will promptly forward it to Client.

7. Security-Incident Notification

7.1 Notice Timing. If Company confirms a Personal Data Breach affecting Client’s Personal Data, Company will notify Client without unreasonable delay and, in any event, within the timeframe required by applicable law.

7.2 Notice Content. The notice will describe, to the extent known at the time: (a) the nature of the incident; (b) the categories and approximate volume of Personal Data affected; (c) the remedial actions Company has taken or plans to take; and (d) any steps Client should take to mitigate potential harm.

7.3 Ongoing Updates. Company will provide additional information about the incident as it becomes available in the course of its investigation.

8. Data Transfers

Client authorizes Company to transfer Personal Data outside the EEA/UK/Switzerland as necessary to provide the Services, provided such transfers comply with Data Protection Laws.

SCCs. Where required, the SCCs (Module 2: Controller → Processor) are hereby incorporated. Annexes I & II of the SCCs are populated by § 2 and Annex II of this DPA. The UK Addendum applies for UK transfers. The SCCs apply only if and to the extent Client transfers EU/UK Personal Data.

If a transfer mechanism is invalidated or replaced, the Parties will promptly cooperate to implement an alternative lawful mechanism.

9. Return or Deletion

Upon termination of the Services—or at any time upon Client’s written request—Company will delete or return all Personal Data (at Client’s choice) within 30 days, unless retention is required by law.

10. Audit Rights

10.1 Security Package. No more than once in any twelve (12)-month period, and only upon Client’s written request, Company will provide one of the following, at Company’s option:

- an executive summary of Company’s most-recent third-party penetration test; or

- a completed industry-standard security questionnaire (e.g., SIG Lite).

10.2 Sufficiency. Client agrees that the documentation delivered under Section 10.1 fully satisfies any audit or inspection right it may have under applicable U.S. privacy or data-protection laws. Client has no right to conduct or request on-site inspections, penetration tests, or other intrusive audits of Company’s facilities or systems.

10.3 Confidentiality. All information provided under this Section 10 constitutes Company Confidential Information and may be used solely to verify Company’s compliance with this Data-Processing Addendum and the Agreement.

11. CPRA Service-Provider Certification

For Personal Data subject to the California Consumer Privacy Act (as amended by CPRA), Company:

- Processes such data only for the limited business purpose of providing the Services and in accordance with the Agreement;

- Will not “sell” or “share” (as those terms are defined in CPRA) Personal Data;

- Will not combine Personal Data with other data except as permitted under CPRA § 1798.140(ag)(1).

12. Liability & Term

Liability under this DPA is subject to the limitations set forth in § 12 of the MSA. This DPA terminates automatically upon expiration or termination of the MSA.

Annex II – Technical & Organisational Measures (TOMs)

Access control: SSO with MFA for all production systems; least-privilege RBAC; quarterly access reviews.

Encryption: AES-256 at rest; TLS 1.2+ in transit; hashed API secrets.

Network security: Segmented VPCs; firewalls; IDS; DDoS mitigation.

Application security: Secure SDLC; automated SAST/DAST; third-party pen tests annually.

Logging & monitoring: Centralized log aggregation; real-time alerting; 90-day log retention.

Backup & DR: Daily encrypted backups; data stored in ≥ 2 geographic regions; 24-hour RTO, 4-hour RPO.

Incident response: Documented playbooks; breach-response team on call 24 × 7.

Sub-processor due diligence: Security questionnaire and DPA required; annual re-assessment.

Copyright Since 2024, "24/7 Intent"
