1. Definitions

• "Applicable Data Protection Laws" means all privacy and data protection laws and regulations applicable to either party under the Agreement, including without limitation the GDPR, UK GDPR, Turkish Personal Data Protection Law (KVKK), and other applicable laws.
• "Controller" means a person or legal entity that determines the purposes and means of the Personal Data Processing.
• "Customer" means the party to the Agreement with Muyki. Customer may be a client, marketing agency, individual, individual entrepreneur or legal entity on behalf of which End Users use the Service.
• "Customer Account Data" means Personal Data related to Customer, its representatives and End Users which Muyki processes as a separate Controller as described in this DPA.
• "Customer Content" means Personal Data related to End Users and Customer's Subscribers which Muyki processes on behalf of Customer as a Processor in the course of providing the Service.
• "Customer's Subscribers" means Data Subjects with whom Customer communicates using the Service and/or whose data is uploaded to the Service by Customer (customers, prospective customers, messaging platform contacts or other individuals).
• "Data Breach" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Muyki.
• "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
• "End Users" means Customer and other Data Subjects with lawful access to the Service on behalf of or under a lawful authorization of Customer.
• "Personal Data" means any information relating to a Data Subject as defined in Applicable Data Protection Laws. Under this DPA, Personal Data covers Customer Content and Customer Account Data.
• "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure or destruction.
• "Processor" means an entity that processes Personal Data on behalf of a Controller.
• "Service" means any product or service provided by Muyki to Customer pursuant to the Agreement, including MaiNext.
• "Standard Contractual Clauses" (SCCs) means the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries, as amended from time to time.
• "Sub-processor" means any Processor engaged by Muyki to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.

2. Relationships of the Parties

2.1. Muyki as a Processor. The parties acknowledge and agree that with regard to the Processing of Customer Content, Muyki is a Processor acting on behalf of Customer. Muyki shall Process Customer Content only for the purposes described in this DPA and only in accordance with Customer's instructions.

2.2. Muyki as a Controller. The parties acknowledge that, with regard to the Processing of Customer Account Data, Muyki is an independent controller. Muyki will Process Customer Account Data as a Controller in order to carry out necessary functions, such as entering into the agreement, account management, compliance with law, accounting, tax, billing, audit, and sales and marketing communication with Customer. Muyki will Process such data in accordance with its Privacy Policy.

2.3. Customer Instructions. Except as provided in section 2.2, Muyki will Process Customer Content only in accordance with Customer's instructions. By entering into the Agreement, including this DPA, Customer instructs Muyki to Process Customer Content in order to provide the Service.

2.4. Customer as a Processor. If Customer is a processor on behalf of another Controller, Customer warrants that the relevant Controller has authorized (i) the instructions described in this DPA and the appointment of Muyki as a sub-processor and (ii) Muyki's engagement of Sub-processors as described in Section 3.

2.5. Compliance with Law. Each party will comply with its obligations under its Applicable Data Protection Laws with respect to its Processing of Personal Data.

2.6. Customer's Obligations. Customer agrees that it shall comply with its obligations under Customer's Applicable Data Protection Laws. In particular, Customer must provide notice and obtain all consents (or other legal grounds) and rights necessary under Customer's Applicable Data Protection Laws for (i) engaging Muyki to Process Customer Content on behalf of Customer and (ii) transfer of Customer Account Data to Muyki pursuant to the Agreement and this DPA. Customer shall be responsible for providing notice to all Customer Subscribers that Muyki is used as a data processor. Customer shall indemnify and hold harmless Muyki from any claims arising from Customer's failure to comply with these obligations.

3. Sub-processing

3.1. Authorized Sub-processors. Customer specifically authorizes and agrees that Muyki may engage Sub-processors to Process Customer Content. Muyki may engage new Sub-processors subject to providing notice to Customer at least ten (10) calendar days before the new Sub-processor accesses Customer Content. In emergency situations, Muyki will give such notice as soon as reasonably practicable.

3.2. Sub-processor Obligations. With respect to all Sub-processors, Muyki shall: (a) remain responsible for the Sub-processor's compliance with the obligations of this DPA; and (b) enter into a legally binding agreement with the Sub-processor imposing data protection obligations substantially similar to those set out in this DPA.

3.3. Objection. If, within five (5) calendar days after receipt of notice from Muyki, Customer notifies Muyki that Customer objects to Muyki's appointment of a new Sub-processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith. If the parties cannot mutually agree to a resolution, Customer may terminate the Agreement and DPA for convenience. If Customer does not notify Muyki of objections within the specified period, Muyki is deemed authorized to engage the new Sub-processor.

4. Security Measures

Muyki will implement and maintain throughout the term of this DPA technical and organizational security measures set forth in Annex 2 to protect Personal Data from Data Breach and to preserve the security and confidentiality of the Personal Data. Muyki shall ensure that any person authorized to Process Personal Data shall be under an appropriate obligation of confidentiality.

Customer acknowledges that (a) Customer is responsible for its secure use of the Service, including securing account authentication credentials; and (b) the Security Measures may be updated from time to time, provided that such updates do not result in the degradation of the overall security of the Service.

5. Security Reviews and Reports

Upon written request, and subject to reasonable confidentiality controls, Muyki will respond to reasonable requests for information from Customer to confirm Muyki's compliance with this DPA, including responses to Customer's information security and due diligence questionnaires. Customer shall not exercise this right more than once per calendar year.

6. Data Breach and Notification

6.1. Notification Timeframe. Upon becoming aware of a confirmed Data Breach that may significantly affect the interests and fundamental rights of data subjects, Muyki will notify Customer without undue delay and in no event later than 72 hours after the discovery of such incident, unless prohibited by applicable law.

6.2. Content of Notification. Such notices will describe, to the extent possible, details of the Data Breach, including steps taken to mitigate the potential risks and steps Muyki recommends Customer take to address the Data Breach.

6.3. Cooperation. Muyki shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach.

6.4. Customer's Obligations. Customer is solely responsible for fulfilling any third-party notification obligations related to any Data Breach under Customer's Applicable Data Protection Laws (e.g., notification to data protection authorities or communication to Data Subjects).

7. Data Subject Rights and Cooperation

Muyki will upon Customer's request provide Customer with assistance that may be reasonably required by Customer to comply with its obligations under Customer's Applicable Data Protection Laws to respond to Data Subjects' requests to exercise their rights (e.g., rights of access, rectification, erasure, restriction, portability and objection), in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Service.

If Muyki receives a request from a Data Subject in relation to Customer Content for (i) unsubscription from messages sent by Customer through the Service or (ii) deletion of Customer Content with respect to the Data Subject, Customer authorizes and instructs Muyki to unsubscribe or delete Content Data related to such Data Subject.

If such reasonable assistance requires Muyki to assign significant resources, it will be provided at Customer's expense.

8. Return or Deletion of Data

Upon receipt of a request by Customer and following the termination of the Agreement, Muyki must delete or return to Customer all Customer Content from Muyki's systems. Notwithstanding the foregoing, Muyki may retain some parts of Customer Content if required by law according to its data retention policies, and such data will remain subject to the requirements of this DPA.

9. Miscellaneous

9.1. Communication. Muyki shall send all notifications mentioned in this DPA via email provided by Customer during the sign-up process or post them in the user interface of the Service. All objections and requests by Customer related to Processing of Personal Data must be sent to hello@muyki.com.

9.2. Governing Law. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Customer's Applicable Data Protection Laws.

9.3. Termination. This DPA will automatically terminate upon expiration or termination of the Agreement.

9.4. Liability. Customer agrees that any regulatory penalties incurred by Muyki in relation to Personal Data that arise as a result of Customer's failure to comply with its obligations under this DPA or Customer's Applicable Data Protection Laws shall count toward and reduce Muyki's liability under the Agreement. Muyki is liable for any regulatory penalties incurred by Customer or Muyki in relation to Personal Data that arise as a result of Muyki's failure to comply with its obligations under this DPA or Muyki's Applicable Data Protection Laws. Neither party will be responsible for any fines issued or levied against the other party by a regulatory authority in connection with such other party's violation of its Applicable Data Protection Laws.

9.5. Relationship with the Agreement. This DPA forms an integral part of the Agreement. If there is any conflict between this DPA and the Agreement, this DPA will govern. This DPA shall replace any existing DPA the parties may have previously entered into in connection with the Service.

ANNEX 1. Details of Processing

1A. Muyki as a Processor (Customer Content)

• Purpose and nature of Processing: Provision of the Service under the Agreement, including support, communication regarding Customer Account, logging of activities, ensuring the accessibility, security and usability of the Service.
• Retention period: Until the termination or expiration of the Agreement.
• Categories of data subjects: End Users: Customer's Subscribers.
• Categories of personal data: End Users: identification information (name, email), linked pages and accounts, IT information (IP addresses, geographic location, usage data), financial information (payment details). Customer's Subscribers: identification information, chat history and content, messaging platform usage information, and other personal information determined and controlled by Customer.
• Sensitive data: No. Customer shall not provide sensitive personal data unless expressly agreed.
• Data source: Customer sign-up process, use of the Service by Customer, including communication with subscribers and third-party integrations (e.g., WhatsApp, Meta) linked by Customer.

1B. Muyki as a Controller (Customer Account Data)

• Purpose and nature of Processing: Entering into the Agreement, account management, compliance with laws, accounting, tax, billing, audit, sales and marketing communication with Customer.
• Retention period: Until the termination of the Agreement and expiration of retention period required by law.
• Categories of data subjects: Customer and its representatives; End Users.
• Categories of personal data: Full name, title, company, email, identification information, linked pages and accounts, products in use, IT information, financial information.

ANNEX 2. Security Measures

Muyki implements and maintains technical and organizational security measures designed to protect Personal Data from Data Breaches. We currently observe the following Security Measures:

• Access Management: Access based on "Need to know" and "Least privilege" principles. Unique username/password, authentication procedures. Access credentials deactivated upon termination of employment or services.
• Encryption: Data at rest encrypted using industry-standard encryption. All external network communications protected with TLS encryption.
• Network Security: Network access restricted between servers. Measures to detect, mitigate, and prevent unauthorized access.
• Personnel Security: Personnel obligated to maintain confidentiality of Personal Data. Security and privacy training conducted. Pre-employment verification checks.
• Third-Party Providers: Written agreements with providers including confidentiality, privacy, and security obligations. Security assessment of third-party providers who may gain access to Personal Data.
• Incident Management: Security incident management policies and procedures. Prompt investigation upon discovery of Data Breach. Notification to Customer as required by this DPA.
• Backup and Recovery: Backups retained and encrypted. Measures to restore availability and access to Personal Data in the event of a physical or technical incident.

ANNEX 3. International Provisions

EEA, Switzerland and the United Kingdom. If Customer's Applicable Data Protection Laws include the GDPR, the Swiss FADP, or the UK GDPR, the following provisions apply. To the extent Muyki processes Customer Personal Data originating from the EEA, United Kingdom, or Switzerland, Muyki will implement appropriate safeguards for international data transfers, including Standard Contractual Clauses as approved by the European Commission or other competent authorities, where required.

Turkey (KVKK). If Customer's Applicable Data Protection Laws include the Turkish Personal Data Protection Law (KVKK), Muyki will process Personal Data in accordance with KVKK requirements and applicable data transfer regulations.

California (CCPA). If Customer's Applicable Data Protection Laws include the California Consumer Privacy Act (CCPA), with respect to Customer Content, Muyki is a service provider under the CCPA. Muyki will not (i) sell Customer Data; (ii) retain, use or disclose Customer Data for any purpose other than providing the Service; or (iii) retain, use or disclose Customer Content outside of the direct business relationship between Muyki and Customer.