Data Processing Agreement
Last updated: March 18, 2026
1. Definitions and Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies to the processing of personal data by StatOn ("Processor", "we") on behalf of the User ("Controller", "you").
For purposes of this DPA:
• "Personal Data" means any data relating to an identified or identifiable natural person collected through the Service;
• "Controller" means you, the StatOn user who determines the purposes and means of processing visitor data;
• "Processor" means StatOn, which processes personal data on behalf of the Controller;
• "Sub-processor" means any third party engaged by the Processor to assist in processing personal data;
• "Data Subject" means the identifiable natural person to whom the personal data relates (i.e., your website visitors);
• "Applicable Data Protection Law" means all applicable laws relating to data protection, including the GDPR, the ePrivacy Directive, and any national implementing legislation.
2. Roles and Responsibilities
YOU ARE THE DATA CONTROLLER. You determine the purposes and means of processing personal data collected through the Service. You are solely responsible for:
• The lawfulness of data collection and processing;
• Obtaining all required consents from data subjects;
• Providing required notices and privacy policies to data subjects;
• Conducting data protection impact assessments;
• Complying with all obligations of a data controller under applicable law;
• Selecting the appropriate privacy mode for your jurisdiction and use case;
• Ensuring that your instructions to us are lawful.
WE ARE THE DATA PROCESSOR. We process personal data solely on your documented instructions and for the purpose of providing the Service. We do not determine the purposes or means of processing visitor data.
Interaction of our support team with your data is strictly governed by the restricted access policy described in detail in Section 4 of this DPA.
3. Processing Instructions
We will process personal data only on your documented instructions, which include:
• The configuration and settings you apply within the Service;
• The public privacy mode you select (Cookieless, Balanced, or Strict EU);
• The events and tracking parameters you configure;
• Any specific instructions provided through our support channels.
If we believe that your instructions violate applicable data protection law, we will inform you. However, we are not obligated to independently assess the legality of your instructions, and compliance with applicable law remains your responsibility.
4. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
• AES-256 encryption of sensitive data at rest;
• TLS encryption of data in transit;
• Access controls and authentication;
• Regular security assessments;
• Employee confidentiality obligations.
TECHNICAL ACCESS RESTRICTIONS: By default, sensitive protected fields may be encrypted using AES-256 on the Processor's servers. While the Processor has the technical capability to decrypt certain protected fields, internal policies strictly prohibit access to the Controller's analytics data without explicit authorization from the Controller.
ACCESS BY CONTROLLER'S INSTRUCTION: The Processor's personnel may access the Controller's data only with the Controller's direct authorization, expressed by activating the "Grant Support Access" function in the Service interface. By activating this function, the Controller authorizes the Processor to view analytics data for the purpose of resolving technical issues. The Processor restricts such access to authorized personnel and to the period during which the Controller maintains the access authorization.
These measures are provided "as is." We do not guarantee that they will prevent all security incidents. You acknowledge that absolute security is not achievable and accept the inherent risks of data processing.
5. Sub-processors
You provide us with general written authorization to engage sub-processors for the provision of the Service. The current list of sub-processors is available upon request or in the Service documentation.
We undertake to notify you (e.g., by email or through account notifications) of any intended changes regarding the addition or replacement of sub-processors, giving you the opportunity to reasonably object to such changes before data is transferred to them.
We will ensure that all sub-processors comply with data protection obligations no less stringent than those in this DPA. We shall remain liable for the acts and omissions of our sub-processors to the extent required by applicable law, but subject to the limitations of liability set forth in our Terms of Service.
6. Data Subject Rights
We will assist you in responding to data subject rights requests to the extent technically feasible and as required by applicable law. This assistance may be subject to reasonable fees.
You are primarily responsible for responding to data subject requests. We will redirect any requests we receive directly from data subjects to you, unless legally prohibited from doing so.
7. Data Breach Notification
In the event of a personal data breach affecting data processed on your behalf, we will notify you without undue delay after becoming aware of the breach. The notification will include, to the extent available:
• A description of the nature of the breach;
• Categories and approximate number of affected records;
• Likely consequences;
• Measures taken or proposed.
YOU are responsible for:
• Assessing whether the breach requires notification to supervisory authorities and data subjects under applicable law;
• Making all required notifications to authorities and data subjects;
• Bearing all costs associated with breach notifications, except where the data breach resulted from gross negligence or a direct breach of security obligations on the part of the Processor (StatOn).
Our notification to you does not constitute an acknowledgment of fault or liability.
8. Data Deletion and Return
Upon termination of the Service or upon your request, we will delete personal data processed on your behalf within a reasonable timeframe, unless retention is required by applicable law.
We may retain anonymized, aggregated data that cannot be linked to identified individuals. We are not responsible for data stored in standard backup systems; those backups will be deleted in accordance with our standard backup rotation schedule.
9. Audits
Upon reasonable request and subject to appropriate confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. Audits shall be conducted at your expense, during normal business hours, with reasonable advance notice, and shall not unreasonably disrupt our operations.
We may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation.
10. International Data Transfers
If personal data is transferred outside the European Economic Area, we will ensure that appropriate transfer mechanisms are in place as required by applicable law (e.g., Standard Contractual Clauses). You acknowledge that certain technical routing of data through international internet infrastructure is outside our control.
11. Limitation of Liability
Our liability under this DPA is subject to and included within the limitations of liability set forth in our Terms of Service. In no event shall our aggregate liability under this DPA and the Terms of Service combined exceed the limits specified in the Terms of Service.
We shall not be liable for any fines, penalties, or sanctions imposed on you by any regulatory authority, regardless of the cause.
12. Term and Termination
This DPA is effective for as long as we process personal data on your behalf. It survives termination of the Terms of Service to the extent we continue to process personal data. Upon termination, we will delete or return personal data as described in Section 8.
13. Jurisdiction-Specific Provisions
13.1. For Controllers in the European Union (GDPR): As the Processor (StatOn) is incorporated in Ukraine (a country that does not have an adequacy decision from the European Commission), any transfer of personal data from the European Economic Area (EEA) to the Processor is governed by the Standard Contractual Clauses (SCCs) approved by European Commission Decision 2021/914. The Parties hereby agree that Module 2 "Controller to Processor" (Transfer controller to processor) of the SCCs is automatically incorporated into this DPA by reference and constitutes an integral part thereof.
13.2. For Controllers in the United States (CCPA/CPRA and applicable state laws): In the context of US privacy legislation, StatOn acts exclusively as a "Service Provider" and the User acts as a "Business." StatOn undertakes not to sell or share the personal information of your website visitors. StatOn will not retain, use, or disclose personal information for any purpose other than providing the Service as specified in these Terms. StatOn is strictly prohibited from combining personal information received from the User with data from other users.
13.3. For Controllers in Ukraine: Under the Law of Ukraine "On Personal Data Protection," the User acts as the "Owner" (Володілець) of personal data, and StatOn acts as the "Manager" (Розпорядник). StatOn undertakes to comply with the requirements of this law when processing data on behalf of the Owner.