Data Processing Addendum

Terms used in this Data Processing Addendum ("DPA") have the following meanings:

• "Customer" means the GoStealth business or team account holder that has accepted this DPA.
• "Controller", "Processor", "Data Subject", "Personal Data", "Processing" have the meanings given in applicable data protection law (including the GDPR).
• "Applicable Data Protection Law" means all privacy and data protection laws applicable to the Processing of Personal Data under the Agreement.
• "Sub-processor" means a third party engaged by GoStealth to Process Personal Data on behalf of the Customer.

For Personal Data Processed under this DPA, the Customer acts as the Controller and GoStealth acts as the Processor.

Each party will comply with its obligations under Applicable Data Protection Law.

The subject matter of the Processing is the provision of the GoStealth service as described in the Terms of Service.

This DPA applies for the duration of the Customer's subscription to the Service and for any additional period during which GoStealth Processes Personal Data on behalf of the Customer.

GoStealth Processes Personal Data solely to provide the Service: scanning data brokers, submitting removal requests, monitoring for re-listings, and providing account and support functions. We will not Process Personal Data for any other purpose without the Customer's documented instructions.

Data subjects: the Customer's authorized users and any individuals whose information the Customer submits for scanning (for example, members of a family plan who have consented).

Categories of Personal Data:

• Identifying information (name, email, phone, address history)
• Account credentials
• Payment metadata (handled by Stripe; we do not see card numbers)
• Usage data and scan history

The Customer authorizes GoStealth to engage the following categories of Sub-processors:

• Stripe — payment processing and billing
• Email provider (SMTP) — transactional email delivery
• Cloud hosting provider — infrastructure and databases
• Error monitoring provider — application observability

GoStealth will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. We will give the Customer at least 30 days' notice before engaging a new Sub-processor, and the Customer may object on reasonable grounds.

GoStealth implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in our Privacy Policy and include encryption at rest and in transit, strong password hashing, access controls, and regular security reviews.

Taking into account the nature of the Processing, GoStealth will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

GoStealth will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's data. The notification will include the information required under Applicable Data Protection Law to the extent known at the time.

Upon termination of the Service, at the Customer's choice, GoStealth will delete or return all Personal Data Processed on behalf of the Customer, and delete existing copies unless retention is required by applicable law. Deletion will complete within 30 days of termination, subject to backup rotation cycles.

GoStealth will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including through third-party audit reports where available. The Customer may request additional audits no more than once per year, at the Customer's expense, on reasonable advance notice, subject to confidentiality obligations.

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of protection, the parties agree that such transfers will be governed by the Standard Contractual Clauses [SCCs PLACEHOLDER — final version, modules, and any UK Addendum must be confirmed by legal counsel before publishing].

Questions about this DPA, or to request a countersigned copy, contact privacy@gostealth.io.