Scribe SparkData Processing Agreement

0. Parties

Data Processor:

Coderilla GmbH
Alte Kasernstrasse 16
97082 Würzburg
Germany
Email: data-privacy@coderilla.de

Data Controller:

The Customer — the legal entity or individual that has accepted the Scribe Spark Terms of Service and is using the Service to process personal data of third parties (e.g. leads, contacts or clients).

1. Definitions

• "Controller" means the Customer who determines the purposes and means of processing personal data.
• "Processor" means Coderilla GmbH, which processes personal data on behalf of the Controller.
• "Personal Data" has the meaning given in Art. 4(1) GDPR — any information relating to an identified or identifiable natural person.
• "Processing" has the meaning given in Art. 4(2) GDPR.
• "Data Subject" means the natural person to whom personal data relates (e.g. a lead or contact entered by the Controller into the Service).
• "Sub-processor" means any third-party processor engaged by Coderilla GmbH to process personal data on behalf of the Controller.
• "Service" means the Scribe Spark software-as-a-service platform operated by Coderilla GmbH.

2. Subject Matter, Nature and Purpose of Processing

Coderilla GmbH processes personal data solely to provide the Service to the Customer. The detailed description of the nature, purpose, categories of data and data subjects is set out in Annex I to this DPA.

The Processor shall process personal data only on the documented instructions of the Controller (including as set out in this DPA and the Terms of Service) and not for any other purpose, unless required to do so by applicable law. In such cases, the Processor shall inform the Controller before processing, unless prohibited by law on important grounds of public interest.

3. Duration of Processing

The Processor shall process personal data for the duration of the Customer's active subscription to the Service. Upon termination or expiry of the subscription, personal data shall be deleted or returned in accordance with Section 9 of this DPA.

4. Obligations of the Processor (Coderilla GmbH)

Coderilla GmbH undertakes to:

• Process personal data only on documented instructions from the Controller, unless required to do so by applicable law; in such cases, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest
• Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
• Implement and maintain appropriate technical and organizational measures in accordance with Art. 32 GDPR as specified in Annex II to this DPA
• Engage sub-processors only in accordance with Section 5 of this DPA and impose data protection obligations on any sub-processor equivalent to those set out in this DPA
• Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to requests for exercising data subjects' rights under GDPR
• Assist the Controller in ensuring compliance with obligations under Art. 32–36 GDPR (security, breach notification, DPIAs, prior consultation)
• Notify the Controller without undue delay and within 48 hours after becoming aware of a personal data breach involving the Controller's data
• Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits in accordance with Section 10
• Immediately inform the Controller if it believes an instruction infringes GDPR or applicable data protection law

5. Sub-processors

The Controller hereby grants general authorization for Coderilla GmbH to engage the sub-processors listed in Annex III to this DPA. Coderilla GmbH shall inform the Controller of any intended addition or replacement of sub-processors via email or in-app notification, giving the Controller the opportunity to object to such changes within 30 days of notification.

Each sub-processor is bound by data protection obligations equivalent to those set out in this DPA. All sub-processors are bound by the Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU–US Data Privacy Framework where transfers outside the EU/EEA occur.

6. Obligations of the Controller (Customer)

The Controller is responsible for:

• Ensuring that it has a valid legal basis under Art. 6 GDPR (and Art. 9 GDPR where applicable) for processing the personal data it submits to the Service
• Informing data subjects (e.g. leads and contacts) about the processing of their personal data in accordance with Art. 13–14 GDPR
• Ensuring that personal data entered into the Leads feature or other parts of the Service is accurate, adequate and limited to what is necessary
• Providing documented instructions to the Processor where processing beyond the standard Service functionality is required
• Maintaining appropriate records of processing activities under Art. 30 GDPR in its capacity as Data Controller
• Complying with all applicable data protection laws in connection with its use of the Service

7. Assistance with Data Subject Rights

Coderilla GmbH shall promptly notify the Controller if it receives a request from a data subject exercising their rights under GDPR (e.g. access, rectification, erasure, portability, restriction or objection). Coderilla GmbH shall not respond directly to such requests except on documented instructions from the Controller or where required by applicable law.

Coderilla GmbH shall provide the Controller with reasonable technical and organizational assistance to enable the Controller to comply with such requests within the legal deadlines. Requests concerning data subjects' rights with respect to the Customer's own account data may be addressed directly to data-privacy@coderilla.de.

8. Data Breach Notification

In the event of a personal data breach involving data processed under this DPA, Coderilla GmbH shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of the breach.

The notification shall include, to the extent available at the time:

• A description of the nature of the breach, including where possible the categories and approximate number of data subjects and records affected
• The likely consequences of the breach
• The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Coderilla GmbH shall cooperate with the Controller in fulfilling the Controller's obligation to notify the competent supervisory authority and, where applicable, affected data subjects, in accordance with Art. 33–34 GDPR.

9. Return and Deletion of Data

Upon termination or expiry of the Customer's subscription, or upon the Controller's written request, Coderilla GmbH shall, within 30 days and at the Controller's choice:

• Delete all personal data processed on behalf of the Controller and confirm such deletion in writing; or
• Return all personal data to the Controller in a machine-readable format and delete existing copies

Coderilla GmbH may retain personal data beyond this period only to the extent required by applicable EU or German law (e.g. commercial or tax retention obligations) and only for the duration and to the extent required by that law.

10. Audit Rights

The Controller has the right to verify compliance with the obligations under this DPA, limited to once per calendar year unless a specific audit is required by applicable law or following a confirmed personal data breach. Coderilla GmbH shall make available all information necessary to demonstrate compliance and allow for audits or inspections conducted by the Controller or a mandated auditor.

Where possible, such audits shall be carried out on the basis of available certifications, third-party audit reports or written documentation provided by Coderilla GmbH. On-site audits require reasonable advance notice of at least 14 days, shall be conducted during regular business hours and shall not unreasonably disrupt the Processor's business operations. The costs of audits beyond documentation review shall be borne by the Controller unless the audit reveals a material breach of this DPA.

11. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), Coderilla GmbH ensures that appropriate safeguards are in place in accordance with Chapter V GDPR, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914); and/or
• The EU–US Data Privacy Framework where the recipient is a certified participant; and/or
• An adequacy decision by the European Commission under Art. 45 GDPR

Details of the safeguards applied by each sub-processor are set out in Annex III.

12. Liability

Each party shall be liable for damages caused to data subjects as a result of its own breach of GDPR or this DPA in accordance with Art. 82 GDPR. Coderilla GmbH shall not be liable for damages caused by processing carried out on the Controller's instructions where those instructions were unlawful or incorrect, provided Coderilla GmbH has fulfilled its obligation to inform the Controller of such concerns.

The limitation of liability provisions in the Terms of Service apply to this DPA to the maximum extent permitted by applicable law.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany. Disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Würzburg, Germany, to the extent permitted by applicable law. This DPA forms part of and is subject to the Terms of Service.

14. Contact

For all data protection inquiries related to this DPA, please contact:

Coderilla GmbH
Alte Kasernstrasse 16
97082 Würzburg
Germany
Email: data-privacy@coderilla.de

Annex I — Description of Processing Activities

(as required by Art. 28(3) GDPR and Appendix 1 of the Standard Contractual Clauses)

A. Nature and Purpose of Processing

Coderilla GmbH processes personal data solely to provide the Service to the Customer. Processing activities include:

• Storing and managing lead and contact data entered by the Customer into the Leads feature of the Service
• Processing content (text, images, media) created or uploaded by the Customer for AI-assisted content generation and publishing
• Facilitating the scheduling and publishing of content to third-party social media platforms on the Controller's behalf
• Hosting and storing all Customer data within the Service infrastructure

B. Types of Personal Data Processed

Leads Feature

Content & Publishing Features

• Text content, captions, hashtags and creative briefs
• Images, videos and other media files uploaded by the Customer
• Social media page/account identifiers and publishing tokens authorized by the Customer

C. Categories of Data Subjects

• Leads feature: Natural persons whose contact information has been entered by the Customer (e.g. potential business leads, clients, partners or other contacts)
• Content & publishing features: The Customer's authorized users and — where content includes personal data — any individuals depicted or referenced therein

Annex II — Technical and Organizational Measures (TOMs)

(as required by Art. 32 GDPR and Appendix 2 of the Standard Contractual Clauses)

Coderilla GmbH has implemented and maintains the following measures to ensure a level of security appropriate to the risk:

• Encryption at rest and in transit: All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher
• Access controls: Role-based access control (RBAC) with the principle of least privilege; access to production systems is restricted to authorized personnel only
• Authentication: Firebase Authentication with secure session management; multi-factor authentication available for internal systems
• Infrastructure security: Hosted on Google Cloud Platform (GCP). The underlying infrastructure is operated by Google and is certified according to recognized security standards such as ISO 27001 and SOC 2. Coderilla GmbH leverages these security measures in combination with its own access controls, IAM policies, and network-level protections.
• Data minimization: Only data necessary for providing the Service is collected and processed
• Organizational measures: Internal data protection policies, confidentiality agreements with all staff and contractors, regular security awareness training
• Incident response: Documented data breach response plan with defined escalation and notification procedures
• Backups: Regular automated backups with access controls equivalent to those on primary data
• Content moderation: Automated analysis of uploaded media using Google Cloud Vision for content safety; results are accessible only to organization administrators within the Service

The Processor may update these measures over time to reflect improvements in security technology and practice, provided that the overall level of protection is not diminished.

Annex III — List of Approved Sub-processors

(as required by Art. 28(2) GDPR and Appendix 3 of the Standard Contractual Clauses)

The Controller grants general authorization to engage the following sub-processors. Coderilla GmbH will notify the Controller via email or in-app notification of any intended additions or replacements, giving the Controller 30 days to object.