This Data Protection Addendum (“Addendum”) is incorporated by reference into any agreement under which 7 Figure Ops (“Processor”) provides services to a client (“Controller”) (collectively, the “Parties”) concerning the Processing of Personal Data. This Addendum governs such processing and supplements the Principal Agreement, which remains in full force except as explicitly modified here.

1. Definitions

Use permitted GDPR definitions, including:

• “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, “Sub-processor”, “Applicable Data Protection Law” (e.g., GDPR, UK GDPR, CCPA).

2. Scope & Term

• Applies to any Processing of Personal Data by Processor on behalf of Controller under the Principal Agreement.

• Effective from the later of: (a) Addendum’s effective date or (b) start of Principal Agreement; terminates upon expiration or upon Processor ceasing all such Processing.

3. Roles & Personnel

• Controller acts as Controller; Processor acts as Processor.

• Processor ensures personnel and agents processing data are bound by confidentiality and trained on compliance.

4. Compliance with Laws & Instructions

• Processor will Process Personal Data only:
  a) on documented instructions from Controller, including cross-border transfers;
  b) to comply with applicable law—but will inform Controller unless legally prohibited.

• Processor will comply with all applicable data protection laws (GDPR, UK GDPR, CCPA, etc.)

5. Sub-processors

• Controller authorizes Processor to engage Sub-processors.

• Processor remains fully responsible for their compliance.

• Notice of new Sub-processors provided at least 30 days in advance; Controller may object and, if unresolved, may terminate affected Processing agreement.

6. Security Measures

• Processor will implement technical and organizational safeguards appropriate to risks (e.g., encryption, access controls, incident management).

7. Data Subject Rights

• Processor will assist Controller in responding to Data Subject requests (access, correction, erasure, portability, etc.) as required by law.

8. International Transfers

• Where Personal Data is transferred from the EU/UK/Switzerland to countries without adequacy, Processor will implement Standard Contractual Clauses or other lawful mechanisms.

9. Data Breach Notification

• Processor will notify Controller without undue delay—and within 48 hours of awareness—of any data breach involving Controller’s Personal Data. Processor will cooperate fully in investigating and responding.

10. Data Retention, Return & Deletion

• Upon termination or at Controller’s written request, Processor shall either return or securely delete all Personal Data and copies thereof (unless retention is legally required). Processor will confirm completion.

11. Audit & Documentation

• Controller may audit Processor’s compliance (or request third-party audit outcomes/CDPA) once per year or as needed under data protection laws.

• Processor will maintain records necessary for demonstrating compliance.

12. Liability & Indemnity

• Processor shall indemnify Controller for losses arising from unauthorized Processing or breach of this Addendum, to the extent permitted by law and consistent with the Principal Agreement’s liability limits.

13. Changes to the Addendum

• Processor may update this Addendum to reflect changes in law or regulation, providing at least 30 days’ notice. Continued provision of services constitutes acceptance of changes.

14. Order of Precedence

• In case of conflict between this Addendum and the Principal Agreement, this Addendum prevails for data protection obligations. Where SCCs or region-specific terms also apply, they rank highest, then this Addendum, then the Principal Agreement .