Data Processing Addendum
Effective · Last updated 2026-05-11
Status: Operating entity confirmed (Chykalophia Group, LLC). Specific clauses below still awaiting counsel review before V1 production cutover. The structure follows the standard B2B SaaS Data Processing Addendum pattern with GDPR Art. 28(3) elements and the 2021 EU Standard Contractual Clauses incorporated by reference.
This Data Processing Addendum ("DPA") supplements the Terms of Service between Chykalophia Group, LLC, an Illinois limited liability company that operates the SendBriefs product ("Chykalophia," "Processor"), and the customer entity that accepted the Terms of Service ("Customer," "Controller"). The Terms of Service plus this DPA plus the Privacy Policy plus the Subprocessors page collectively form the "Agreement."
This DPA reflects the parties' agreement on the processing of Customer Personal Data and applies to the extent Chykalophia processes Customer Personal Data on behalf of Customer as a Processor under GDPR Art. 28, UK GDPR, or any other applicable data-protection law. To the extent of any conflict, this DPA prevails over the Terms of Service with respect to processing of Customer Personal Data.
If Customer requires this DPA executed as a separate signed document, contact legal@sendbriefs.com and we will provide it as a Word/PDF exhibit on letterhead. The content of the executed version will be substantively identical to this published DPA.
1. Definitions
Terms used in this DPA have the meanings given in GDPR Art. 4 (or in the equivalent data-protection law applicable to the processing), with the following additions:
- "Customer Personal Data" means any personal data Chykalophia processes on Customer's behalf as a Processor in providing the Service, as described in Annex I §A.
- "Data Protection Law" means any law applicable to the processing of personal data in the jurisdictions where Customer or its data subjects are located, including: the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); the UK General Data Protection Regulation and the UK Data Protection Act 2018 (collectively "UK GDPR"); the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); and other US state privacy laws (CO, CT, UT, TX, OR, MT, etc.) and equivalent legislation in other jurisdictions.
- "Sub-processor" means any third party engaged by Chykalophia to process Customer Personal Data on Chykalophia's behalf, as listed and updated at /legal/subprocessors.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, supplemented, or replaced from time to time.
- "UK IDTA" means the UK International Data Transfer Addendum to the SCCs published by the UK Information Commissioner's Office, version B.1.0 (2022), as amended or replaced.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed by Chykalophia or a Sub-processor.
Capitalized terms not defined here have the meanings given in the Terms of Service.
2. Scope and roles
For the purpose of this DPA and to the extent of Customer Personal Data:
- Customer acts as the Controller (or in some contexts the Processor on behalf of its own controller — e.g., when Customer's clients are themselves controllers of certain data).
- Chykalophia acts as a Processor (or sub-processor where applicable).
- Each Sub-processor acts as a sub-processor of Chykalophia.
The parties acknowledge that the determination of purposes and means of processing Customer Personal Data rests with Customer; Chykalophia processes only on Customer's documented instructions as set out in the Agreement and any additional written instructions Customer provides through the Service or in writing.
3. Processing details (GDPR Art. 28(3) elements)
The full description of subject matter, duration, nature, purpose, types of personal data, and categories of data subjects is set out in Annex I to this DPA, in compliance with GDPR Art. 28(3) and the SCCs.
4. Processor obligations
Chykalophia will:
4.1 Processing on documented instructions
Process Customer Personal Data only on Customer's documented instructions (as set out in the Agreement and any further written instructions Customer provides), including with respect to transfers to a third country or international organization, unless required to do otherwise by EU, member-state, UK, or US law applicable to Chykalophia. In such a case, Chykalophia will inform Customer of that legal requirement before processing, unless the law prohibits that disclosure on important grounds of public interest.
If Chykalophia believes a Customer instruction violates Data Protection Law, Chykalophia will notify Customer without undue delay and may suspend the affected processing pending resolution.
4.2 Personnel confidentiality
Ensure that personnel authorized to process Customer Personal Data are bound by appropriate written or statutory obligations of confidentiality, and that access is restricted on a least-privilege, need-to-know basis.
4.3 Security measures
Implement and maintain the technical and organizational security measures described in Annex II to this DPA, which meet the requirements of GDPR Art. 32 (and equivalents). The measures are subject to regular review and update; material reductions are not permitted without Customer notice.
4.4 Sub-processors
(a) Customer provides general written authorization for Chykalophia to engage Sub-processors to process Customer Personal Data, subject to the terms of this §4.4 and the dated list maintained at /legal/subprocessors.
(b) Chykalophia will impose data-protection obligations on each Sub-processor that are substantially the same as those imposed on Chykalophia under this DPA, by written contract.
(c) Chykalophia will notify Customer at least 30 days in advance of any addition of a new Sub-processor or replacement of an existing one, including the name, location, and processing activities of the proposed Sub-processor. Notice will be sent to the billing contact on file and reflected on the Subprocessors page.
(d) Customer may object to a proposed Sub-processor within the 30-day notice window on reasonable data-protection grounds. The parties will work in good faith to resolve the objection (alternative configuration, region, or Sub-processor where feasible). If the parties cannot resolve the objection, Customer may terminate the affected subscription on written notice with a prorated refund of prepaid unused fees as Customer's sole remedy.
(e) Chykalophia remains liable to Customer for the acts and omissions of its Sub-processors that constitute a breach of this DPA to the same extent Chykalophia would be liable if it performed the relevant act or omission itself.
4.5 Data-subject rights assistance
Taking into account the nature of processing and the information available, assist Customer in fulfilling its obligation to respond to requests from data subjects under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, opt-out from automated decision-making) by providing reasonable technical and organizational measures. Where Customer cannot independently fulfill a request through Customer's administrative controls in the Service, Customer may submit a request to privacy@sendbriefs.com.
4.6 Compliance assistance
Assist Customer in ensuring compliance with GDPR Arts. 32 (security), 33 (breach notification to supervisory authority), 34 (breach notification to data subjects), 35 (data protection impact assessments), and 36 (prior consultation with supervisory authorities), taking into account the nature of processing and the information available.
4.7 Security incident notification
Notify Customer of a confirmed Security Incident affecting Customer Personal Data without undue delay and, where feasible, within 72 hours of Chykalophia's confirmation of the incident. The notice will include, to the extent then known:
- (i) The nature of the Security Incident, including the categories and approximate number of data subjects and personal data records affected;
- (ii) The likely consequences of the Security Incident;
- (iii) The measures taken or proposed to address the Security Incident and mitigate adverse effects; and
- (iv) Contact information for follow-up communications.
Notification is not an admission of fault or liability. Chykalophia will cooperate with Customer's reasonable requests for additional information related to the Security Incident.
4.8 Audit rights
Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Chykalophia generally satisfies this obligation by providing:
- Recent third-party audit reports (e.g., SOC 2 Type II once issued);
- Responses to security questionnaires in standard formats (CAIQ, SIG, custom);
- Penetration-test summaries;
- Sub-processor compliance documentation.
For Enterprise Customers, direct on-site audits are available on at least 30 days' written notice, no more than once per calendar year, during normal business hours, in a manner that does not unreasonably interfere with Chykalophia's operations, at the requesting party's expense. The auditor must execute a confidentiality agreement reasonably acceptable to Chykalophia and be bound by professional obligations of confidentiality. Audit findings are Confidential Information under §8 of the Terms of Service.
4.9 Return or deletion on termination
On termination of the Agreement, delete or return all Customer Personal Data to Customer in accordance with the retention schedule in Privacy Policy §6, and certify deletion on Customer's written request, subject to any legal-retention obligations to which Chykalophia or its Sub-processors are subject (e.g., Stripe's retention of payment records for tax compliance, which Chykalophia cannot waive).
5. International transfers
To the extent Chykalophia processes Customer Personal Data originating in the European Economic Area (EEA), Switzerland, or the United Kingdom outside of those jurisdictions, the following apply:
5.1 Adequacy / Framework
Where the receiving country has been determined adequate by the European Commission, or where Chykalophia or the relevant Sub-processor is self-certified under the EU-US Data Privacy Framework, the transfer relies on that adequacy decision or Framework certification.
5.2 Standard Contractual Clauses (EEA/Swiss origin)
For transfers from the EEA or Switzerland to a third country that is not adequate, the parties hereby incorporate by reference the EU Standard Contractual Clauses (Module Two: Controller-to-Processor and/or Module Three: Processor-to-Sub-processor, as applicable), as follows:
- Module Two applies where Customer is a Controller and Chykalophia is a Processor.
- Module Three applies where Customer is itself a Processor and Chykalophia is a Sub-processor.
- Clause 7 (Docking clause): Not applicable (limited to the parties signing the DPA).
- Clause 9 (Use of sub-processors): Option 2 (general authorization) applies, with the 30-day notice period set out in §4.4(c).
- Clause 11 (Redress): The optional independent dispute-resolution paragraph does not apply.
- Clause 17 (Governing law): The SCCs are governed by the law of Ireland.
- Clause 18 (Choice of forum and jurisdiction): Irish courts have jurisdiction for disputes arising out of the SCCs.
- Annex I to the SCCs is replaced by Annex I to this DPA (parties, processing details, categories of data subjects, types of personal data).
- Annex II to the SCCs is replaced by Annex II to this DPA (technical and organizational measures).
- Annex III to the SCCs (list of sub-processors) is satisfied by reference to the dated Subprocessors page.
5.3 UK International Data Transfer Addendum
For transfers from the United Kingdom, the UK IDTA is incorporated by reference and appended to the SCCs in §5.2, with the modifications specified in the UK IDTA. The UK IDTA applies in addition to (not in place of) the SCCs for the UK component of any combined EEA-and-UK transfer.
5.4 Swiss data
For transfers of personal data originating in Switzerland, references in the SCCs to GDPR are deemed to include references to the Swiss Federal Act on Data Protection (FADP), and references to the EU Supervisory Authority include the Swiss Federal Data Protection and Information Commissioner.
5.5 Transfer Impact Assessment
Chykalophia has performed a Transfer Impact Assessment ("TIA") in accordance with recommendations of the European Data Protection Board, taking into account the legal landscape of the United States and the practical accessibility of EU/UK data to US government authorities, as well as supplementary measures (encryption in transit and at rest, tenant isolation, access controls, audit logging). The TIA is reviewed annually and is available to Enterprise Customers on request via privacy@sendbriefs.com.
6. CCPA / CPRA — service-provider terms
To the extent Customer is a "business" and Chykalophia processes "personal information" about California residents on Customer's behalf, the parties agree that Chykalophia is a "service provider" as defined by Cal. Civ. Code §1798.140(ag), and:
- (a) Chykalophia will not retain, use, disclose, or otherwise process the personal information for any purpose other than the specific business purpose of providing the Service and as permitted under the CCPA/CPRA;
- (b) Chykalophia will not "sell" or "share" (as defined in CCPA/CPRA) the personal information;
- (c) Chykalophia will not retain, use, or disclose the personal information outside the direct business relationship with Customer;
- (d) Chykalophia will not combine the personal information received from Customer with personal information received from other sources, except for the limited purposes permitted by 11 CCR §7050(a);
- (e) Chykalophia will comply with all applicable obligations under CCPA/CPRA and will provide the level of protection required of personal information.
Chykalophia certifies that it understands and will comply with the restrictions in this §6.
7. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability in §10 of the Terms of Service, including the data-protection super-cap in §10.3.
8. Order of precedence
In the event of conflict between this DPA and any other component of the Agreement, the following order applies (most authoritative first):
- The SCCs and UK IDTA as incorporated in §5 above;
- This DPA;
- The Privacy Policy;
- The Subprocessors page;
- The Terms of Service;
- Any Order Form or Master Services Agreement between the parties.
9. Term and termination
This DPA is effective as of the effective date of the Terms of Service and remains in force for as long as Chykalophia processes Customer Personal Data. The obligations in §4.7 (Security Incident notification), §4.9 (Return or deletion), §6 (CCPA/CPRA), §7 (Liability), and §10 (Notices) survive termination of the Agreement.
10. Notices
Notices under this DPA must be sent to:
- To Chykalophia: legal@sendbriefs.com, with a copy by certified mail to: Chykalophia Group, LLC · Attn: Legal Notices · 929 Michigan Ave, Apt 3 · Evanston, IL 60202 · USA.
- To Customer: the billing email address on file in Customer's account.
Annex I — Description of processing
A. List of parties
- Data exporter (Controller): Customer entity that accepted the Terms of Service. Contact: as designated in Customer's account.
- Data importer (Processor): Chykalophia Group, LLC, 929 Michigan Ave, Apt 3, Evanston, IL 60202, USA. Contact: legal@sendbriefs.com.
B. Description of transfer
- Categories of data subjects: Customer's personnel, Customer's clients, Customer's clients' end-recipients of Briefs, and other individuals whose personal data Customer includes in Customer Data.
- Categories of personal data: identifiers (name, email, account ID), commercial information (subscription tier, billing data), internet/network activity (login events, feature usage), professional/employment information (job title, agency affiliation), and any other personal data Customer chooses to include in briefs or integration data.
- Special categories of personal data: None intentionally collected. Customer agrees not to upload special-category data under GDPR Art. 9 without prior arrangement with Chykalophia (see Terms §5).
- Frequency of transfer: Continuous (during the term of the subscription).
- Nature of processing: Hosting, rendering, scheduling, branding, approving, and delivering Customer-authored Briefs; providing related services described in the Terms of Service §2.
- Purpose of processing: To provide the SendBriefs Service to Customer.
- Period of storage: For the term of the Agreement plus the retention periods in Privacy Policy §6.
C. Competent supervisory authority
For EEA-origin transfers, the supervisory authority of the EU member state where the Controller is established. For UK-origin transfers, the UK Information Commissioner's Office. For Swiss-origin transfers, the Swiss Federal Data Protection and Information Commissioner.
Annex II — Technical and organizational measures
The technical and organizational measures described in Privacy Policy §11 apply, including:
- Encryption — TLS 1.2+ in transit; AES-256 at rest.
- Tenant isolation — Postgres row-level security enforces workspace boundaries at the database layer.
- Access controls — Role-based permissions, required MFA for administrative access, least-privilege defaults.
- Monitoring — Automated anomaly detection on authentication and data-access patterns with on-call alerting.
- Backups — Encrypted, rolling 35-day retention with point-in-time recovery.
- Audit — CASA (Cloud App Security Assessment) readiness in progress; SOC 2 Type II readiness via internal verification follows; third-party Type II audit certification scheduled after Series A funding.
- Personnel — Confidentiality obligations, security training, background checks for personnel with access to production systems.
- Vulnerability management — Coordinated disclosure program with 90-day window; regular internal vulnerability scanning; remediation SLAs by severity.
- Incident response — Documented runbook, on-call rotation (scaled to team size), and 72-hour customer-notification commitment per §4.7 above.
Material changes to these measures will not reduce the level of protection below what is described above, and will be announced in advance to Enterprise Customers.
Annex III — Sub-processors
The current list of authorized Sub-processors is maintained at /legal/subprocessors and updated whenever a Sub-processor is added, removed, or relocated, with at least 30 days' advance notice per §4.4(c) of this DPA.
This Annex III is satisfied by reference to the Subprocessors page as that page is updated from time to time. By accepting this DPA, Customer authorizes the Sub-processors listed on the Subprocessors page as of the effective date of the Agreement.
Effective date: 2026-05-11. Last updated: 2026-05-11. Earlier versions are archived in our git history and available on request.