Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Q4 Holdings LLC, a Wyoming limited liability company doing business as BoostPPC ("BoostPPC", "Processor", or "we"), and the customer entering into the Terms of Service ("Customer" or "Controller"). This DPA applies to the extent that BoostPPC processes Personal Data on Customer's behalf in the course of providing the Service.

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. References to "GDPR" include the UK GDPR where applicable.

1. Definitions

In this DPA, capitalized terms have the meanings given to them in GDPR Article 4 except as otherwise defined here. Additionally:

• "Customer Data" means personal data that BoostPPC processes on behalf of Customer in connection with the Service.
• "Sub-processor" means any third party engaged by BoostPPC to process Customer Data.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries, as amended from time to time.
• "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (ICO).

2. Scope and applicability

2.1 This DPA applies where BoostPPC processes Personal Data subject to GDPR on behalf of Customer.

2.2 Roles. Customer is the Controller and BoostPPC is the Processor with respect to Customer Data. For Customer Data relating to a Customer's own clients (for consultant accounts), Customer warrants that it is the Controller or has authority to act on behalf of the Controller and to enter into this DPA.

2.3 In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data-protection obligations.

3. Details of processing

3.1 Subject matter. Provision of the Service as described in the Terms of Service: ingestion of Amazon advertising and business data, generation of reports and recommendations, and storage of related Customer Data.

3.2 Duration. For the term of the Customer's subscription, plus any retention period specified in BoostPPC's Privacy Policy (typically up to 90 days of backup retention after account deletion).

3.3 Nature and purpose. Hosting, storing, analyzing, transmitting, and otherwise processing Customer Data solely to provide the Service to Customer and to perform BoostPPC's obligations under the Terms of Service.

3.4 Categories of data subjects. Individuals whose data appears in Customer Data, including: Customer's employees and authorized users, and (for consultant accounts) representatives of Customer's end clients.

3.5 Categories of Personal Data. Account information (name, email), authentication data, communications, and any personal data incidentally contained within uploaded Amazon bulk files or business reports. Amazon data primarily consists of advertising metrics, keyword data, and aggregate sales figures and does not normally include the personal data of Amazon end-customers.

3.6 No special categories. Customer agrees not to upload special-category data (GDPR Article 9) or criminal-conviction data (GDPR Article 10) to the Service. BoostPPC has not designed the Service to handle such data.

4. BoostPPC's obligations

4.1 Processing on documented instructions. BoostPPC will process Customer Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law. Where required by such law, BoostPPC will inform Customer of the legal requirement before processing, unless the law prohibits such notice on grounds of public interest.

4.2 Customer's instructions. Customer's instructions are reflected in the Terms of Service, this DPA, and Customer's ordinary use of the Service. Customer may issue additional reasonable instructions in writing.

4.3 Confidentiality. BoostPPC ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations.

4.4 Security. BoostPPC implements appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:

• TLS encryption for all data in transit.
• Encryption at rest for database storage.
• Bcrypt-hashed passwords; no storage of plaintext credentials.
• Access controls and audit logging for administrative access.
• Routine backup and recovery procedures.
• Documented incident-response procedures.

4.5 Assistance to Controller. Taking into account the nature of the processing, BoostPPC will assist Customer with appropriate technical and organizational measures, as reasonably possible, to fulfil Customer's obligations to respond to data-subject requests and to ensure compliance with GDPR Articles 32 through 36 (security, breach notification, impact assessments, prior consultation).

4.6 Personal data breach notification. BoostPPC will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data, and in any event within 72 hours, providing the information reasonably available at the time and supplementing it as more details become known.

4.7 Return or deletion. On termination of the Service, BoostPPC will delete Customer Data in accordance with the retention period in the Privacy Policy, unless EU or Member State law requires storage. Customer may request export of Customer Data prior to deletion using the Service's data-export features or by contacting admin@boostppc.app.

4.8 Audits and information. BoostPPC will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, on reasonable prior written notice and no more than once per year, subject to confidentiality protections. In practice, BoostPPC will satisfy audit obligations through written responses to reasonable questionnaires and, where appropriate, third-party certifications.

5. Sub-processors

5.1 General authorization. Customer provides general authorization for BoostPPC to engage Sub-processors to process Customer Data, subject to this Section 5.

5.2 Current Sub-processors. As of the Effective Date, BoostPPC's Sub-processors are:

5.3 Notification of changes. BoostPPC will give Customer at least 30 days' prior notice of any addition or replacement of a Sub-processor. If Customer objects to a new Sub-processor on reasonable data-protection grounds, the parties will work together in good faith to resolve the objection; if no resolution is possible, Customer may terminate the affected Service by written notice without penalty.

5.4 Sub-processor terms. BoostPPC will impose on each Sub-processor data-protection terms substantially equivalent to those in this DPA, and will remain liable to Customer for the acts and omissions of its Sub-processors.

6. International data transfers

6.1 Where BoostPPC transfers Customer Data from the EEA, the UK, or Switzerland to a country not deemed adequate by the European Commission (or equivalent UK authority), the transfer is governed by the Standard Contractual Clauses (Module 2 – Controller to Processor) or, where applicable, the UK Addendum.

6.2 The SCCs are incorporated into this DPA by reference, with the following terms:

• Clause 7 (Docking): not applicable.
• Clause 9 (Use of sub-processors): Option 2 — general written authorization, with 30 days' prior notice (Section 5.3 of this DPA).
• Clause 11 (Redress): the independent dispute resolution option is not selected.
• Clause 17 (Governing law): law of Ireland.
• Clause 18 (Choice of forum and jurisdiction): courts of Ireland.
• Annexes: The details of processing in Section 3 of this DPA, the security measures in Section 4.4, and the list of Sub-processors in Section 5.2 serve as the Annexes to the SCCs.

6.3 For UK transfers, the UK Addendum applies, with: Table 1 completed by reference to the parties to this DPA, Table 2 incorporating the SCCs identified above, Table 3 by reference to Sections 3, 4, and 5 of this DPA, and Table 4 — Importer.

7. Liability

7.1 Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service. The aggregate cap on liability under the Terms of Service applies in the aggregate to all claims under both the Terms of Service and this DPA.

7.2 For SCC-based transfers, the SCCs' liability provisions (Clause 12) apply as between the parties only to the extent required by law; otherwise the Terms of Service limitations apply.

8. Term and termination

8.1 This DPA is effective from the date Customer accepts the Terms of Service (or from the date Customer signs this DPA, whichever is later) and continues until the Service terminates and BoostPPC has fulfilled its return/deletion obligations.

9. Miscellaneous

9.1 Order of precedence. In case of conflict between this DPA and any SCCs incorporated by reference, the SCCs prevail to the extent of the conflict.

9.2 Amendments. BoostPPC may amend this DPA where required by changes in applicable data-protection law or by guidance from supervisory authorities, on reasonable notice to Customer. Other amendments require the written agreement of both parties.

9.3 Entire agreement on data protection. This DPA, together with the Terms of Service and Privacy Policy, is the entire agreement between the parties concerning the processing of Personal Data.

How to execute this DPA