Data Processing Agreement

Parties

• legal.dpaPage.dataController Name AI LLC, 30 N Gould St, Sheridan, WY 82801, USA legal.dpaPage.controllerSuffix
• legal.dpaPage.dataSubject legal.dpaPage.dataSubjectDescription

Data Protection Officer

legal.dpaPage.dpo.withDpo Data Protection Officer. legal.dpaPage.dpo.contact [email protected].

Definitions

In this Addendum, the following terms have the meanings set out below:

• "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Name.ai, where control is defined as the possession, directly or indirectly, of the power to direct the management and policies of an entity.
• "Customer Personal Data" means any Personal Data provided by or made available by Customer to Name.ai, or collected by Name.ai on behalf of Customer, which is processed by Name.ai to perform the Services.
• "Controller to Processor SCCs" means the EU Standard Contractual Clauses published by the European Commission on 4 June 2021; the UK International Data Transfer Addendum issued by the UK ICO; or any similar clauses adopted by a data protection regulator for cross-border Personal Data transfers.
• "Data Protection Laws" means any local, state, or national law regarding the processing of Personal Data applicable to Name.ai in the jurisdictions in which the Services are provided, including the EU GDPR, UK GDPR, Swiss DPA, CCPA, and India's SPDI Rules 2011.
• "EU Area" means the European Union, European Economic Area, United Kingdom, and Switzerland.
• "Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
• "Third Country" means countries that have not received an adequacy decision from an applicable authority for cross-border data transfers.

Scope and Purpose

This Addendum applies to Name.ai's processing of Customer Personal Data under the Agreement to the extent such processing is subject to Data Protection Laws. Name.ai processes personal data to operate a domain name marketplace — including account management, domain listing, offer negotiation, payment processing, and domain transfer facilitation.

Roles of the Parties

The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer acts as a Business or Controller, and Name.ai acts as a Service Provider or Processor. Customer is solely responsible for ensuring timely communications to its Affiliates or relevant Controllers as required by applicable Data Protection Laws. Customer is solely responsible for complying with security incident notification laws applicable to Customer.

Categories of Data Processed

• Identity data: name, email address
• Contact data: phone number (where provided)
• Authentication data: hashed passwords, OAuth tokens
• Financial data: payment method details via Stripe (not stored directly by Name.ai)
• Usage data: page views, feature interactions, IP addresses
• Domain transaction data: offers, negotiations, purchase history

Data Processing Terms

Name.ai shall comply with all applicable Data Protection Laws and shall:

• Process Customer Personal Data only on documented instructions from Customer, for the specific purpose of providing the Services, and in accordance with applicable Data Protection Laws. Name.ai will not sell or share Customer Personal Data, nor process it outside its business relationship with Customer.
• Ensure that personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to the risk, including pseudonymisation and encryption of Customer Personal Data; ensuring ongoing confidentiality, integrity, and availability of processing systems; and regularly testing and evaluating the effectiveness of security measures.
• Notify Customer at least 30 calendar days in advance of any intended changes or additions to sub-processors, including data protection obligations in contracts with sub-processors that are materially the same as those in this Addendum, and remaining liable for any failure by sub-processors to fulfil their obligations.
• To the extent legally permissible, promptly notify Customer of any legally binding requests for disclosure of Customer Personal Data. Maintain a record of all legally binding disclosure requests.

Sub-processors

Name.ai engages the following sub-processors. Customer hereby agrees that Name.ai is generally authorised to engage and appoint sub-processors, subject to the notification obligations described above. Each sub-processor is bound by a data processing agreement consistent with applicable law.

Restricted Transfers (Standard Contractual Clauses)

Where the transfer of Customer Personal Data from Customer to Name.ai is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs, incorporated into and forming part of this Addendum:

• For Customer Personal Data protected by the EU GDPR: EU SCCs (Module Two — controller to processor) shall apply, with Clause 7 optional docking clause applying; Clause 9 Option 2 (with sub-processor notice period as set out above); Clause 11 optional language not applying; Clause 17 governed by Irish law; disputes before the courts of the Republic of Ireland.
• For Customer Personal Data protected by the Swiss DPA: EU SCCs apply as modified for Switzerland, with references to "Regulation (EU) 2016/679" interpreted as the Swiss DPA, "EU/Member State" interpreted as Switzerland, and competent authority/courts being those of Switzerland.
• For Customer Personal Data protected by the UK GDPR: EU SCCs apply as modified and interpreted by the Part 2 Mandatory Clauses of the UK International Data Transfer Addendum issued by the UK ICO.
• Name.ai shall process Personal Data using AI and machine learning technologies within the Frankfurt Region, Germany, in accordance with this Addendum and applicable Data Protection Laws. AI processing of Personal Data is limited to the services provided by Name.ai.

Where a Transfer Mechanism is insufficient to safeguard transferred Personal Data, Name.ai will promptly implement supplementary measures to ensure Personal Data is protected to the standard required under applicable Data Protection Laws.

Security Measures

Name.ai implements and maintains the following technical and organisational security measures:

• AES-256 encryption at rest; TLS 1.2+ encryption in transit
• Multi-factor authentication and single sign-on for administrative access
• Role-based access controls with principle of least privilege; periodic access reviews
• Regular security audits, penetration testing, and vulnerability management
• Incident management and breach notification procedures
• ISO/IEC 27001:2022 and ISO 27701:2019 aligned Information Security Management System
• Regular employee security awareness and privacy training; background checks on employees with access to Customer Data
• AWS infrastructure with multi-availability zone resiliency, disaster recovery, and regular backup restoration testing
• Third-party sub-processor compliance with equivalent security standards

Data Breach Notification

In the event of a Security Incident affecting Customer Personal Data, Name.ai will notify Customer without undue delay. Notification will include, to the extent reasonably available: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences of the breach, and measures taken or proposed to address the breach. Name.ai shall take all necessary measures to remedy or mitigate the effects of the Security Incident and keep Customer informed of developments.

Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, or denial-of-service attacks.

Data Retention and Deletion

Personal data is retained only as long as necessary for the purposes described. Customer-collected data is stored in the database while Customer is active. Once a customer is offboarded, data will be retained for five weeks in active storage and then archived for one year in cross-region backup, after which it is deleted securely to prevent unauthorised access or recovery. On account deletion, PII fields are replaced with a redaction token within 90 days; financial fields are preserved in anonymised form for up to 10 years as required by law. Sub-processors are required to delete or return Customer Personal Data upon termination of their engagement.

Data Subject Rights

Your rights regarding your personal data (access, rectification, erasure, restriction, portability, objection, and right to withdraw consent) are described in the Privacy Policy at https://name.ai/legal/privacy. To exercise these rights, contact the Data Protection Officer using the details above. Name.ai will assist Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests for exercising data subject rights.

Warranties

The parties warrant that they and any staff and/or sub-contractors will comply with their respective obligations under applicable Data Protection Laws for the term of this Addendum.

Indemnity

To the extent permissible by law, Customer shall defend Name.ai and its Affiliates from and against any claims, demands, suits, or proceedings made or brought against any of them by any third party, and indemnify and hold them harmless from all losses, damages, liabilities, fines, penalties, settlements, and costs arising from any breach by Customer of this Addendum or of its obligations under applicable Data Protection Laws.

Governing Law

This DPA is governed by the laws of the State of Wyoming, United States. Where applicable, Name.ai also complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and India's IT (SPDI) Rules 2011. In the event of any inconsistency between the provisions of this Addendum and the Agreement, they will take priority in this order: (a) Standard Contractual Clauses or other approved cross-border transfer mechanisms; (b) this Addendum; (c) the Agreement.

Annex 1 — Description of Processing Activities

This Annex includes details of the processing of Customer Personal Data by Name.ai in connection with the Services.

• Data Exporter: Customer (as defined in the Agreement), acting as Controller
• Data Importer: Name AI LLC, 30 N Gould St, Sheridan, WY 82801, USA — Contact: Data Protection Officer, [email protected] — acting as Processor
• Categories of data subjects: Customer's authorised users of the Services
• Categories of personal data: Names; email addresses; and, where provided by Customer or its users in connection with Services — address, date of birth, and past employment details
• Sensitive personal data: None
• Frequency of transfer: Continuous
• Nature and purpose of processing: Provision of the Services as described in the Agreement — including querying, cleansing, standardising, enriching, and storing query information to provide people data and enable domain marketplace features
• Retention period: As described in the Agreement, Addendum, and applicable Order Forms
• Competent Supervisory Authority: As determined by application of Clause 13 of the EU SCCs