DATA PROCESSING ADDENDUM (DPA)

This Data Processing Addendum (“Addendum” or “DPA”) is entered into between HERA Technologies Inc., a California corporation with offices at 520 S Grand Ave, Suite 695, Los Angeles, CA 90071 (“Processor” or “HERA”), and the entity or individual subscribing to HERA’s services (“Controller” or “Client”). This Addendum is incorporated into and forms part of the Master Service Agreement or Terms of Service (“Agreement”) between the parties.

1.1. “Data Protection Laws” means all applicable legislation relating to data protection and privacy, including but not limited to the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any other applicable state or federal privacy laws in the United States.

1.2. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by HERA on behalf of the Client in the course of providing Lead Generation, Software Implementation, and Support services.

1.3. “Processing” means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, or alteration.

1.4. “Sub-processor” means any third party appointed by HERA to process Personal Data on behalf of the Client.

2.1. Role of the Parties: The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller and HERA is the Processor.

2.2. Instructions: HERA shall process Personal Data only in accordance with Client’s documented instructions, which include the provisions of the Agreement and this DPA, unless otherwise required by applicable law.

2.3. Compliance: Client is responsible for ensuring that its instructions comply with Data Protection Laws and that it has obtained all necessary consents or has a valid legal basis for the Processing of Personal Data.

3.1. Technical and Organizational Measures: HERA shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures will be industry-standard and appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.

3.2. Confidentiality: HERA shall ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.1. Appointment of Sub-processors: Client grants HERA general authorization to engage Sub-processors (e.g., cloud infrastructure providers, CRM platforms like Salesforce, HubSpot, or Clio, and communication tools) to support the delivery of Services.

4.2. Liability: HERA shall remain fully liable to the Client for the performance of the Sub-processor’s obligations. HERA shall ensure that any Sub-processor is bound by data protection obligations at least as restrictive as those in this DPA.

5.1. Assistance: Taking into account the nature of the processing, HERA shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to requests for exercising Data Subject rights (e.g., access, deletion, or portability).

6.1. Notification: HERA shall notify Client without undue delay and, where feasible, within forty-eight (48) to seventy-two (72) hours after becoming aware of a Personal Data Breach involving Client's data.

6.2. Cooperation: HERA shall provide reasonable cooperation and information to Client to allow Client to fulfill any data breach notification obligations under Data Protection Laws.

7.1. Reviews: HERA shall make available to Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Client or an auditor mandated by Client, at Client's sole expense and subject to strict confidentiality agreements.

8.1. International Transfers: If HERA transfers Personal Data from the European Economic Area (EEA), the UK, or Switzerland to a country not recognized as providing an adequate level of protection, HERA shall ensure that such transfers are subject to appropriate safeguards, such as the Standard Contractual Clauses (SCCs).

9.1. Return or Deletion: Upon termination of the Services or at Client's request, HERA shall, at the choice of Client, delete or return all Personal Data to Client and delete existing copies, unless applicable law requires continued storage of the Personal Data.

10.1. Each party’s liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

A. List of Parties

• Data Exporter: The Client (Controller)
• Data Importer: HERA Technologies Inc. (Processor)

B. Description of Transfer/Processing

• Categories of Data Subjects: Potential leads, prospective customers, Client employees, and Client end-users.
• Types of Personal Data: Names, email addresses, phone numbers, job titles, LinkedIn profiles, and CRM interaction data (via Salesforce, HubSpot, Microsoft Systems, etc.), including lead contact information and behavioral data (such as engagement/interaction signals).
• Nature of Processing: AI-driven lead generation and data enrichment, software implementation and support, integration support, maintenance, and related analytics.
• Duration: The term of the Agreement plus the period until all data is deleted or returned.

C. Competent Supervisory Authority

• The supervisory authority of the jurisdiction where the Client is established or as otherwise determined by applicable Data Protection Laws.