Data Processing Addendum
INFRAME AFFILIATES LTD. - DATA PROCESSING ADDENDUM
Effective Date: This Data Processing Addendum ("DPA") shall be effective from the date it is agreed to by both Parties, concurrent with the acceptance of the Master Subscription Agreement or any Order Form incorporating this DPA by reference.
This DPA is entered into between:
INFRAME AFFILIATES LTD., a company registered in England and Wales with company number 16332640, having its registered office at 71-75, Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ ("INFRAME," "Processor");
AND
The Brand entity identified in the applicable Order Form or Account registration that is a party to the Master Subscription Agreement ("Brand," "Controller").
(Processor and Controller are each a "Party" and collectively the "Parties").
This DPA is incorporated into and forms an integral part of the Master Subscription Agreement entered into between INFRAME and the Brand (the "Agreement").
WHEREAS: (A) The Controller is a user of INFRAME's Subscription Services and, in connection with such use, the Processor will process certain Personal Data on behalf of the Controller. (B) The Parties wish to lay down their rights and obligations concerning the processing of Personal Data in accordance with Article 28(3) of the UK General Data Protection Regulation (UK GDPR).
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS
1.1. Capitalized terms used in this DPA and not otherwise defined herein shall have the meanings ascribed to them in the Agreement (including the General Terms and the INFRAME Privacy Policy referenced therein).
1.2. For the purposes of this DPA:
(a) "Controller Personal Data" means the Personal Data of the Controller's customers or end-users that is processed by the Processor on behalf of the Controller in connection with the provision of the Subscription Services, specifically data from the Controller's Shopify Store necessary for tracking sales, calculating Commissions, and related functionalities of the Shopify App.
(b) "Data Protection Laws" means the UK GDPR and any other applicable data protection and privacy laws, regulations, and mandatory guidance from relevant supervisory authorities in the United Kingdom.
(c) "Data Subject", "Personal Data", "Processing", "Data Controller", "Data Processor", "Personal Data Breach", and "Supervisory Authority" shall have the meanings ascribed to them in the UK GDPR.
(d) "Sub-processor" means any third-party data processor engaged by INFRAME to process Controller Personal Data.
2. PROCESSING OF CONTROLLER PERSONAL DATA
2.1. Roles of the Parties: The Parties acknowledge and agree that for the purposes of the Data Protection Laws, the Controller is the Data Controller and INFRAME is the Data Processor of the Controller Personal Data. INFRAME processes other Personal Data as a Controller as set out in its Privacy Policy (e.g., Brand contact details for account management).
2.2. Processor's Obligations: INFRAME shall:
(a) Process Controller Personal Data only on the documented instructions of the Controller, including with regard to transfers of Controller Personal Data to a third country or an international organisation, unless required to do so by domestic law to which INFRAME is subject; in such a case, INFRAME shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Agreement (including this DPA) constitutes the Controller's documented instructions to INFRAME for the processing of Controller Personal Data.
(b) Ensure that persons authorised to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further detailed in Section 6 (Security Measures) of this DPA and in INFRAME's general security documentation.
(d) Comply with the conditions referred to in Section 3 (Sub-processing) for engaging another Sub-processor.
(e) Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the UK GDPR.
(f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR (Security of Processing, Notification of a Personal Data Breach, Data Protection Impact Assessment, Prior Consultation), taking into account the nature of processing and the information available to INFRAME.
(g) At the choice of the Controller, delete or return all the Controller Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless domestic law requires storage of the Personal Data. This is further detailed in Section 8 (Return and Deletion of Data).
(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as detailed in Section 7 (Audits and Compliance).
(i) Immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
2.3. Controller's Obligations: The Controller warrants that:
(a) It has complied, and will continue to comply, with all applicable Data Protection Laws in its collection and provision of Controller Personal Data to INFRAME for processing.
(b) It has a valid legal basis (e.g., consent, contractual necessity) for the processing of Controller Personal Data by INFRAME in accordance with this DPA and the Agreement.
(c) Its instructions to INFRAME for the processing of Controller Personal Data shall comply with Data Protection Laws.
3. SUB-PROCESSING
3.1. The Controller provides a general written authorisation for INFRAME to engage Sub-processors for the processing of Controller Personal Data.
3.2. INFRAME shall maintain a list of its current Sub-processors involved in the processing of Controller Personal Data, which shall be made available to the Controller upon request or via a designated web page. INFRAME shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes. Such notice may be provided by email or through the Services.
3.3. If the Controller objects to a new or replacement Sub-processor on reasonable grounds relating to data protection within fourteen (14) days of such notice, INFRAME will use reasonable efforts to make available to the Controller a change in the Services or recommend a commercially reasonable change to the Controller's configuration or use of the Services to avoid processing of Controller Personal Data by the objected-to new Sub-processor. If INFRAME is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Controller may terminate the applicable Order Form(s) with respect to only those Services which cannot be provided by INFRAME without the use of the objected-to new Sub-processor by providing written notice to INFRAME.
3.4. Where INFRAME engages a Sub-processor, it shall do so by way of a written contract which imposes on the Sub-processor data protection obligations that are no less protective than those imposed on INFRAME by this DPA. INFRAME shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.
3.5. For clarity, INFRAME uses general service providers for its platform (e.g., cloud hosting, payment processing for its own fees) as outlined in its Privacy Policy. This section primarily concerns Sub-processors specifically engaged for the processing of Controller Personal Data from the Brand's Shopify store where applicable (e.g., if a specialized analytics Sub-processor was used for commission data beyond general platform infrastructure).
4. INTERNATIONAL TRANSFERS
4.1. Controller Personal Data processed by INFRAME on behalf of the Controller shall be processed and stored within the United Kingdom (UK) or the European Economic Area (EEA).
4.2. INFRAME shall not transfer Controller Personal Data to any country outside the UK/EEA unless it has ensured appropriate safeguards are in place for such transfer in compliance with Data Protection Laws (e.g., by entering into the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office, or relying on UK adequacy regulations for the destination country). The Controller hereby grants INFRAME a mandate to execute any such transfer agreement with a Sub-processor on its behalf, if necessary.
5. DATA SUBJECT RIGHTS
5.1. Taking into account the nature of the processing, INFRAME shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Laws (such as rights of access, rectification, erasure, restriction, portability, and objection).
5.2. If INFRAME receives a request directly from a Data Subject concerning their Controller Personal Data, INFRAME shall promptly notify the Controller, unless otherwise prohibited by law, and shall advise the Data Subject to submit their request to the Controller. The Controller shall be responsible for responding to all such requests.
6. SECURITY MEASURES
6.1. INFRAME shall implement and maintain appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall be appropriate to the level of risk presented by the processing and the nature of the Controller Personal Data to be protected, taking into account the state of the art and the costs of implementation.
6.2. Such measures may include, as appropriate:
(a) The pseudonymisation and encryption of Personal Data;
(b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6.3. Further details of INFRAME's security measures are available in its security documentation, which can be provided to the Controller upon reasonable request.
7. AUDITS AND COMPLIANCE
7.1. INFRAME shall make available to the Controller, upon reasonable written request (not more than once annually, unless a Personal Data Breach has occurred), information necessary to demonstrate compliance with its obligations under this DPA and Article 28 of the UK GDPR.
7.2. INFRAME shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (who is not a competitor of INFRAME), relating to INFRAME's processing of Controller Personal Data. Any such audit shall be subject to:
(a) Reasonable prior notice to INFRAME;
(b) Agreement on the scope and timing of the audit to minimise disruption to INFRAME's business operations;
(c) The Controller and its auditors agreeing to reasonable confidentiality obligations.
7.3. The Controller shall bear its own costs for such audits. If an audit reveals a material breach of this DPA by INFRAME, INFRAME shall promptly remedy the breach at its own cost.
7.4. To satisfy audit requests, INFRAME may provide the Controller with relevant attestations, certifications, or third-party audit reports (e.g., ISO 27001, SOC 2), subject to confidentiality obligations. If such reports are not sufficient to demonstrate compliance in the Controller's reasonable judgment, a direct audit as described above may be conducted.
8. RETURN AND DELETION OF DATA
8.1. Upon termination or expiration of the Agreement, or earlier at the Controller's written request, INFRAME shall, at the choice of the Controller, securely delete or return all Controller Personal Data to the Controller.
8.2. INFRAME shall delete existing copies of Controller Personal Data unless applicable law requires storage of the Personal Data. If return or deletion is impracticable or prohibited by law, INFRAME shall take measures to block further processing of such Controller Personal Data and shall continue to protect it in accordance with this DPA.
8.3. The Controller may request data export or deletion via the mechanisms provided in the Subscription Services or by written notice to INFRAME, as detailed in the Agreement.
9. PERSONAL DATA BREACH NOTIFICATION
9.1. INFRAME shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, upon becoming aware of a Personal Data Breach affecting Controller Personal Data.
9.2. Such notification shall, as a minimum:
(a) Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) Communicate the name and contact details of INFRAME's Data Protection Officer or other contact point where more information can be obtained;
(c) Describe the likely consequences of the Personal Data Breach;
(d) Describe the measures taken or proposed to be taken by INFRAME to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3. Where, and in so far as, it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
9.4. INFRAME shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
10. LIABILITY
10.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, INFRAME's total aggregate liability to the Controller arising out of or in connection with this DPA shall not exceed the maximum aggregate liability stipulated in the Agreement for claims relating to the Subscription Services.
10.2. Nothing in this DPA shall limit either Party's liability for data protection fines imposed by a Supervisory Authority for that Party's own breach of Data Protection Laws, or for any liability that cannot be limited or excluded by applicable law.
11. TERM AND TERMINATION
11.1. This DPA shall remain in effect for as long as INFRAME processes Controller Personal Data on behalf of the Controller under the Agreement.
11.2. Termination or expiration of the Agreement shall automatically terminate this DPA, except for those provisions which by their nature are intended to survive termination (e.g., confidentiality, data deletion).
12. GOVERNING LAW AND JURISDICTION
12.1. This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
12.2. The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this DPA.
13. MISCELLANEOUS
13.1. Order of Precedence: In the event of any conflict between the terms of this DPA and the terms of the Agreement (including the General Terms or any Order Form), the terms of this DPA shall prevail with regard to the subject matter of data protection.
13.2. Amendments: This DPA may only be amended by a written agreement signed by duly authorised representatives of both Parties.
13.3. Severability: If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect the other provisions of this DPA, and all provisions not affected by such invalidity or unenforceability shall remain in full force and effect.
IN WITNESS WHEREOF, the Parties have caused this Data Processing Addendum to be executed by their duly authorized representatives.
For and on behalf of INFRAME AFFILIATES LTD. (Processor):
Signature: ________________ Name: ________________ Title: ________________ Date: ________________
For and on behalf of [Brand Name] (Controller):
Signature: ________________ Name: ________________ Title: ________________ Date: ________________
(Note: This DPA may be executed electronically, and its acceptance may be part of the Controller's acceptance of the Master Subscription Agreement or an Order Form that incorporates this DPA by reference.)
ANNEX 1: DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Annex forms part of the DPA and describes the processing that the Processor will perform on behalf of the Controller.
A. Subject-matter and duration of the processing
- Subject-matter: Processing of Controller Personal Data by INFRAME to provide the Subscription Services as described in the Agreement, primarily for the purpose of enabling affiliate marketing partnerships, tracking sales and commissions generated via Affiliate Links on the Controller's Shopify Store, and facilitating related payments.
- Duration: For the term of the Agreement and until deletion/return of Controller Personal Data as per Section 8 of this DPA.
B. Nature and purpose of the processing
- Nature: Collection (via Shopify App integration), storage, retrieval, use (for calculation and analytics), disclosure (to Controller, and to Creators as necessary for commission reporting), and deletion of Controller Personal Data.
- Purpose: To enable the Controller to operate its affiliate marketing programs through the INFRAME platform, specifically:
- To track conversions and sales attributed to Affiliate Links.
- To calculate Commissions payable to Creators.
- To provide reporting and analytics to the Controller regarding affiliate program performance.
- To facilitate the payment of Commissions.
- To ensure the security and integrity of the affiliate tracking process.
C. Type of Personal Data and categories of Data Subjects
- Type of Controller Personal Data (processed by INFRAME from Controller's Shopify Store):
- Order information (e.g., order ID, order value, currency, product details of items purchased, date/time of order, refund status).
- Customer identifiers associated with an order (e.g., a unique customer ID assigned by Shopify, IP address associated with the order for fraud prevention, if provided by Shopify and necessary for tracking).
- Affiliate referral information (e.g., Affiliate Link ID, Creator ID associated with the sale).
- INFRAME does not directly process customer names, full payment card details, or customer contact details such as email addresses or phone numbers from the Controller's Shopify store for the purpose of commission tracking, unless such data is unavoidably part of standard order data passed by Shopify and strictly necessary for the explicit purpose of tracking and verifying commissions. The primary focus is on pseudonymised order and transaction data (such as Shopify customer IDs and order identifiers) required for commission attribution; such data remains Personal Data under the UK GDPR and is protected accordingly.
- Categories of Data Subjects (whose data forms part of Controller Personal Data):
- Customers of the Controller who make purchases or complete other compensable actions on the Controller's Shopify Store via an Affiliate Link.
D. Specific processing instructions (if any beyond the Agreement)
- None, other than as specified in the Agreement and this DPA.
[END OF DATA PROCESSING ADDENDUM]