Data Processing Addendum

Effective: May 14, 2026 · Version 1.0

This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you ("Customer," acting as the data controller) and 10041543 Manitoba Ltd. operating as "Everybooking" ("Everybooking," acting as the data processor) and governs Everybooking's processing of personal data that Customer uploads or generates within the Service. Capitalized terms not defined here have the meaning given in the Terms of Service.

1. Roles and scope

For purposes of GDPR, UK GDPR, PIPEDA, and CCPA, Customer is the controller (or "business" under CCPA) and Everybooking is the processor (or "service provider" under CCPA) with respect to Customer Data. This DPA applies to all Customer Data processed by Everybooking on Customer's behalf for the duration of the subscription.

2. Details of processing (Annex 1)

  • Subject matter: Provision of the Everybooking SaaS platform for quote generation, booking management, customer communication, and related services.
  • Duration: For the duration of the subscription, plus the 30-day data-export window following termination and any backup retention period.
  • Nature and purpose of processing: Collection, storage, retrieval, transmission, AI-assisted analysis, automated communication (email, SMS, voice), reporting, and deletion of Customer Data as needed to provide the Service.
  • Categories of data subjects: Customer's end-customers, prospects, leads, attendees, contacts, employees, and vendors whose data Customer chooses to upload.
  • Categories of personal data: Name, contact details (email, phone, address), booking history, payment tokens, dietary or accessibility notes, communication content, IP addresses, device data, free-form notes entered by Customer's staff, and any other data Customer chooses to upload.
  • Special category data: Customer should not upload special-category data (health, biometric, religion, political opinions, etc.) unless Customer has a valid lawful basis and has notified Everybooking in writing. Use of such data is at Customer's risk.

3. Customer instructions

Everybooking will process Customer Data only on documented Customer instructions, which include: (a) the Terms of Service and this DPA, (b) the configuration choices Customer makes within the Service, (c) Customer's use of features (e.g., enabling AI agents, connecting integrations), and (d) any additional written instructions Customer provides. We will notify Customer if we believe an instruction infringes applicable data protection law, though we are not legally obligated to monitor Customer's compliance.

4. Confidentiality and personnel

Everybooking ensures that personnel with access to Customer Data are bound by written confidentiality obligations and have received appropriate privacy and security training. Access is granted on a need-to-know basis and revoked on role change or departure.

5. Subprocessors

Customer authorizes Everybooking to engage subprocessors to provide the Service. A current list is published at everybooking.com/legal/subprocessors. Everybooking imposes data protection obligations equivalent to those in this DPA on each subprocessor by written agreement and remains liable to Customer for the acts and omissions of subprocessors.

Notice of new subprocessors: We will notify Customer at least 30 days before adding or replacing a subprocessor, by updating the subprocessors page and emailing account owners who have opted in to subprocessor change notifications. Customer may object on reasonable grounds; if the objection cannot be resolved, Customer may terminate the affected portion of the Service for cause.

6. International data transfers

Where Everybooking transfers Customer Data outside the EEA, UK, Switzerland, or Canada to a jurisdiction not subject to an adequacy decision, Everybooking will rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, incorporated by reference, with Everybooking acting as the data exporter where applicable. Supplemental safeguards include encryption in transit and at rest, access controls, and audit logging.

7. Security measures (Annex 2)

Everybooking maintains administrative, technical, and physical safeguards including:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for databases and storage.
  • Access controls: Role-based access, multi-factor authentication required for production access, least-privilege principles, periodic access reviews.
  • Audit logging: All access to Customer Data is logged and retained for 12 months minimum.
  • Network security: Segmented production networks, web application firewall, DDoS mitigation, intrusion detection.
  • Vulnerability management: Regular dependency scanning, scheduled patching, annual third-party penetration testing (planned post-launch).
  • Personnel: Background checks where lawful, confidentiality agreements, recurring security training.
  • Business continuity: Daily encrypted backups with 35-day rolling retention, documented disaster recovery plan, regular restore testing.
  • Vendor management: Subprocessors are vetted for equivalent security standards before onboarding.

8. Data subject requests

Everybooking will provide reasonable assistance, taking into account the nature of the processing and the information available, to enable Customer to respond to requests from data subjects exercising rights under applicable data protection law (access, rectification, erasure, restriction, portability, objection). Where a request is received directly by Everybooking, we will promptly forward it to the relevant Customer and will not respond directly except to confirm receipt and direct the requestor to the Customer.

9. Personal data breach notification

Everybooking will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and in any event no later than 48 hours after confirmation. Notifications will include: nature of the breach, approximate categories and number of data subjects and records affected, consequences, and measures taken or proposed.

Customer is responsible for notifying its own supervisory authority and affected data subjects where required. Everybooking will provide reasonable cooperation with Customer's notification obligations.

10. Audits

Once per calendar year (or more frequently if required by a supervisory authority or in the event of a breach), Customer may request a copy of Everybooking's most recent third-party audit reports (e.g., SOC 2 once available) and/or submit a written questionnaire of reasonable scope. On-site audits require mutually agreed scope, dates, and confidentiality, will not unreasonably interfere with the Service, and are at Customer's expense unless a material breach is identified.

11. Return or deletion at termination

On termination of the Subscription, Customer may export Customer Data via in-product tools for 30 days. Following the export window, Everybooking will delete Customer Data from active systems within 30 days and from rolling backups within 35 days, except where retention is required by applicable law (e.g., tax, audit, anti-fraud).

12. Liability

Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, save where prohibited by applicable law (notably, no limitation applies to data subjects' rights or statutory liability under GDPR Article 82).

13. CCPA-specific provisions

With respect to personal information of California residents: Everybooking is a "service provider" as defined by the CCPA. Everybooking will not (a) sell or share personal information, (b) retain, use, or disclose personal information outside the direct business relationship between the parties, or (c) combine personal information received from Customer with information received from other parties, except as permitted by the CCPA.

14. Order of precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning personal data processing. The SCCs (where applicable) prevail over conflicting terms in this DPA.

15. Execution

This DPA is incorporated by reference into the Terms of Service. Customers who require a countersigned copy may request one by emailing legal@everybooking.com.

16. Contact

Data protection inquiries: privacy@everybooking.com
Legal inquiries: legal@everybooking.com
Mailing address: 10041543 Manitoba Ltd. o/a Everybooking, PO Box 20621 Stn Main, Steinbach, Manitoba R5G 1S1, Canada