Data Processing Addendum (Short-Form)

Last updated:

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between the Customer and Hogan3 LLC (“iContentsPro,” “Processor,” “Service Provider”) for the provision of the iContentsPro application (the “Services”). Capitalized terms not defined here have the meanings in the Agreement.

1) Roles

For personal data within Customer Data, Customer is the controller/business and iContentsPro is the processor/service provider/contractor.

2) Processing Instructions

Processor will process personal data only on documented instructions from Customer, including as set out in the Agreement and this DPA, unless required by law. Processor will promptly inform Customer if it is unable to comply with Customer instructions or legal requirements that would materially affect its ability to provide the Services.

3) Confidentiality

Processor ensures that persons authorized to process personal data are bound by confidentiality obligations.

4) Security

Processor implements appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, least privilege, logging/monitoring, vulnerability management, and backups. See Security & Compliance.

5) Sub-processors

Customer authorizes Processor to engage sub-processors to provide the Services. Processor will impose data protection obligations no less protective than those in this DPA and remains responsible for sub-processor performance. Processor will notify Customer of material changes to sub-processors per the Agreement.

6) Assistance

Taking into account the nature of processing and the information available, Processor will assist Customer in: (a) responding to data subject/consumer requests; (b) meeting security, breach notification, impact assessment, and consultation obligations under Applicable Data Protection Laws.

7) Data Breach Notification

Processor will notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data and will provide information reasonably required for Customer to meet its obligations.

8) International Transfers

Where personal data is transferred internationally, the parties will rely on appropriate safeguards (e.g., EU/UK Standard Contractual Clauses) unless an adequacy decision applies. Processor will execute such instruments as reasonably required.

9) Deletion/Return

Upon Customer's request or termination of the Services, Processor will delete or return personal data and delete existing copies within a reasonable period (typically within 90 days), unless law requires retention.

10) Audits

Upon reasonable written notice, Processor will make available information necessary to demonstrate compliance with this DPA (e.g., policy summaries, third-party reports if available). Where additional audit is required by law or Customer's regulator, audits will be conducted no more than annually, during business hours, under confidentiality, and at Customer's expense.

11) CCPA/CPRA (Service Provider/Contractor)

• Processor will not sell or share personal information (for cross-context behavioral advertising).
• Processor will not retain, use, or disclose personal information for any purpose other than the business purpose of providing the Services or as otherwise permitted by law.
• Processor will comply with applicable provisions of the CCPA and support Customer in responding to consumer requests.

12) Liability & Order of Precedence

Each party's liability for this DPA is subject to the limitations set out in the Agreement. If there is a conflict between this DPA and the Agreement with respect to processing of personal data, this DPA controls.

Signatures

This DPA is effective as of the Effective Date of the Agreement or the date of Customer's acceptance, whichever is earlier.

For a signable PDF, contact sales@icontentspro.com or support@icontentspro.com.