Data Processing Agreement

This Data Processing Agreement (“DPA”) is an addendum to the terms of service between Birch Team, Inc. (“Birch”). References to “Birch” include Birch Team, Inc. and Revealbot S.L. (Spain). Revealbot S.L. is Birch Team, Inc.'s EU establishment within the meaning of Art. 3(1) GDPR and acts as Birch Team, Inc.'s intra-group sub-processor. This DPA is entered into between Birch and the customer (“Customer”). It is intended to ensure compliance with the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), and other applicable data protection laws worldwide. By using Birch’s marketing and advertising SaaS services, Customer agrees to the terms of this DPA, which is effective and binding upon the parties through online acceptance. This DPA applies when Birch processes Personal Data on behalf of Customer in the course of providing its services.

1. Roles of the Parties

Controller and Processor: For purposes of GDPR, the Customer is the Data Controller (the entity determining the purposes and means of processing Personal Data), and Birch is the Data Processor processing Personal Data on Customer’s behalf. Birch will only process the Personal Data on documented instructions from the Customer and in accordance with this DPA. Birch does not determine the purposes or means of Customer’s data processing; such decisions remain with Customer. For purposes of CCPA (as amended by the CPRA), Customer is a “Business” and Birch acts as a “Service Provider” in processing Personal Information on behalf of Customer.

Responsibilities: Customer, as Controller/Business, is responsible for obtaining all necessary consents and ensuring a valid legal basis for the Personal Data it instructs Birch to process, and for compliance with applicable data protection laws regarding that data. Birch, as Processor and Service Provider, shall process Personal Data only for the purposes authorized by Customer and consistent with Section 3 (Purpose of Processing), and shall comply with its obligations under GDPR Article 28 and CCPA (Cal. Civ. Code §1798.100 et seq.) as a Processor/Service provider. Each party will comply with all laws applicable to it in the performance of this DPA.

Birch as Controller of its Own Data: The parties acknowledge that Birch may also process certain Personal Data as a controller for its own purposes (for example, Birch’s own website visitor data or account information for Customer’s contract with Birch). Such processing is outside the scope of this DPA. For details on such processing, Customer may refer to Birch’s Privacy Policy (available at https://bir.ch/legal/privacy/).

2. Categories and Types of Personal Data Processed

Covered Personal Data: This DPA covers the Personal Data that Birch processes on behalf of Customer through the Birch platform and related services. Such Personal Data may include, but is not limited to, the following categories and examples:

• Identifiers and Contact Details: name, email address, phone number, company name, job title, account username, social media handles, IP address.
• Account Credentials: login ID, password, and any authentication factors, including two-factor authentication details, used for accessing the Birch platform.
• Customer Account Data: information related to Customer’s use of Birch services, such as account IDs, settings, and configuration data for connected advertising accounts.
• Commercial and Financial Information: billing and payment information provided for Birch’s services, such as credit card numbers and billing addresses.sup class="c7 c32">[1]/sup>
• Professional/Employment Information: company or organization name, the Customer user’s role or job title, and related business contact information.
• Internet or Network Activity: usage and interaction data collected through the Birch website or platform, such as browser type, device information, pages visited, actions taken within the application, cookies, and similar tracking data, and logs of user activity (including IP address and general geolocation).
• Social Media and Marketing Data: data obtained from or related to integrated social-media and advertising platforms when the Customer links those to Birch, including  advertising metrics, campaign performance data, ad creative assets, social media account insights. This may include metrics like impressions, clicks, conversions, as well as audience information to the extent provided through those integrations, used to automate and optimize ad campaigns.
• Customer Communications: content and metadata of communications with Customer’s authorized users or representatives, such as support tickets, chat transcripts, email correspondence, and feedback submitted to Birch.
• Aggregated or Anonymized Data: Birch may also derive aggregated analytics data from the operation of the services. Such aggregated data, which does not identify individuals, is not considered Personal Data for purposes of this DPA and is used for Birch’s legitimate business purposes in accordance with applicable law, subject to any restrictions on the use of aggregated data set forth in the main service agreement.

Categories of Data Subjects: The Personal Data described above relates to the following categories of data subjects: (a) Customer’s end-users or prospects (for example, individuals whose information is collected via Customer’s marketing efforts or website forms managed through Birch, or whose data resides in Customer’s ad accounts that are connected to Birch); (b) Customer’s personnel or agents who are authorized to use the Birch platform (including account administrators, marketing team members inputting data); (c) Website visitors or individuals who interact with Birch’s platform or website (to the extent their data is processed on Customer’s behalf, such as via tracking tags for Customer’s marketing campaigns); and (d) any other individuals whose Personal Data is uploaded to or processed through the Birch services under Customer’s instructions (for example, individuals appearing in Customer’s support logs or campaign content). These data subjects may include residents of various jurisdictions, including the European Economic Area (EEA) and California, to whom GDPR or CCPA rights may apply.

3. Subject Matter and Purpose of Processing

Subject Matter: The subject matter of the processing is the Customer data entered into, collected by, or processed through Birch’s marketing and advertising software services. This includes Personal Data collected from the sources described above in Section 2, including website forms, integrated ad platforms, user interactions with the service, and any processing activities necessary to perform the Services that Birch provides to Customer.

Duration: Birch will process Personal Data for the duration of the Customer’s subscription or use of the Birch services and until deletion of all Personal Data as described in this DPA. The processing may be continuous for the term of the agreement, and upon termination, Birch will cease processing and delete or return the data as outlined in Section 8 (Retention and Deletion).

Nature of Processing: The processing operations include collection, storage, analysis, and transmission of Personal Data, as well as any other operation performed on Personal Data (such as organization, adaptation, retrieval, consultation, use, disclosure by transmission, or deletion) as required to provide the Birch services. Birch may process the data by automated means (through its software platform) and limited manual processing (e.g., for customer support or troubleshooting), always under Customer’s instructions.

Purpose of Processing: Birch shall process Personal Data solely for the following purposes and no other purpose except as required by law:

• Providing and Improving the Services: To operate and provide the SaaS platform functionality contracted by Customer, which includes creating and managing user accounts, authenticating users, and performing the automated marketing/advertising campaign management functions that the platform offers. This encompasses using Personal Data as needed to generate analytics, results, and reports for Customer, to integrate with third-party advertising networks on Customer’s behalf (for example, using authorized access to Customer’s Facebook or Google Ads accounts to manage campaigns), and to continually improve and develop Birch’s platform features (e.g. debugging, enhancing user experience based on usage patterns).
• Audience Matching and Conversion Measurement: At Customer’s instruction, to facilitate the transmission of Customer-provided audience identifiers (including hashed contact data, advertising IDs, and conversion signals) to third-party advertising platforms (such as Meta, Google, TikTok, and Snapchat) for audience matching, lookalike modeling, retargeting, and conversion measurement. Such platforms receive and process this data as independent third-party controllers under their own terms and privacy policies.
• Customer Support and Communications: To communicate with Customer and its users regarding the services, including sending service notifications, responding to support inquiries, providing training or helpdesk assistance, and other customer service interactions. Personal Data (like contact details and support message content) will be used to provide support and resolve issues.

• Payment Processing and Account Administration: To process billing transactions for the services (through secure payment processors) and to manage account-related matters such as invoicing, subscription renewals, or account changes. Financial Personal Data (billing contact information, payment method details) will be used only for charging fees and record-keeping.
• Marketing Communications (limited): If instructed by Customer or allowed under the main service agreement, Birch may use certain contact information (e.g. email addresses) to send product updates, newsletters, or marketing communications related to the services. Such communications will be in accordance with applicable consent requirements.
• Enforcing Rights and Compliance: To enforce Birch’s terms of service and policies, to ensure the security of the platform and prevent misuse, and to comply with any legal obligations that require processing of Personal Data (such as responding to lawful requests by authorities). For instance, Personal Data may be processed to detect fraud, security incidents, or other harmful activity, and to cooperate with law enforcement or regulatory inquiries as legally required.

Birch will not process the Personal Data for any purposes other than those set out above, except as authorized by Customer in writing or as required by applicable law (in which case Birch will inform Customer of that legal requirement before processing, unless law prohibits such notice). For the avoidance of doubt, Birch will not use Personal Data processed on behalf of Customer for Birch’s own independent marketing purposes. Notwithstanding any broader rights granted to Birch under the main service agreement with respect to data or content generally, Birch’s processing of Personal Data shall be limited to the purposes set forth in this Section 3. The subject matter, nature, purpose, and duration of processing are further documented in this DPA (and in Annex 2 with respect to sub-processor activities).

4. Data Subject Rights (GDPR and CCPA)

Assistance with Data Subject Requests: Birch shall, taking into account the nature of the processing, assist Customer in fulfilling obligations to respond to Data Subject requests under GDPR (Chapter III) and Consumer requests under CCPA (Cal. Civ. Code §1798.105, §1798.110, etc.). This includes assisting Customer in enabling individuals to exercise their rights of access, deletion, rectification, objection, opt-out, and other applicable rights.

• Under GDPR, individuals whose Personal Data is processed by Birch on Customer’s behalf have the right to request (through Customer as controller) access to their data, rectification of inaccurate data, erasure of data (“right to be forgotten”), restriction of processing, data portability, and the right to object to certain processing or to withdraw consent where consent was the legal basis. Birch will assist by providing the necessary information or tools to Customer so that Customer can meet these obligations. For example, Birch may enable Customer to retrieve, correct, or delete a data subject’s information stored on the platform.
• Under CCPA (as amended by CPRA), California residents have the right to know what Personal Information a business has collected about them, to request deletion of their Personal Information, to correct inaccurate Personal Information, to opt out of the sale or sharing of their Personal Information, and to not be discriminated against for exercising these rights. Birch acknowledges that it processes Personal Information on behalf of Customer and does not sell Personal Information to third parties. Birch will assist Customer by processing deletion or access requests forwarded to Birch by Customer and by providing available information to fulfill consumers’ “right to know” data reports. If Birch directly receives any verifiable consumer request under CCPA regarding Personal Information it processes on Customer’s behalf, Birch will promptly inform Customer and not respond to the request directly (unless legally compelled).

Exercise of Rights and Procedures: The Customer is responsible for verifying and responding to data subject or consumer requests. Birch shall provide reasonable cooperation and assistance to enable Customer to respond, insofar as such requests relate to Birch’s processing of the Personal Data. This assistance may include providing secure self-service tools within the platform, or handling specific queries from Customer about the data. The parties shall establish a process in which Birch, upon receiving a request from a data subject/consumer directly, will (i) notify Customer without undue delay (unless prohibited by law) and (ii) await Customer’s instructions for how to proceed with the request, to the extent the request pertains to Customer’s data. Birch will not independently honor data subject requests for access, correction, or deletion of data that it processes as a processor for Customer, except as necessary to comply with law or this DPA.

5. Sub-Processors

Authorized Sub-Processors: Customer provides general authorization for Birch to engage Sub-Processors (subcontractors that process Personal Data) as necessary to provide and support the services. Birch’s key sub-processors include third-party vendors providing cloud infrastructure, data analytics, customer support software, and other service functionalities. These sub-processors only process Personal Data for the purposes of assisting Birch in providing the services to Customer and are bound by obligations of confidentiality, data protection, and security equivalent to those Birch maintains under this DPA. A current list of Birch’s authorized Sub-Processors is attached to this DPA (see Annex 2), which includes the identities of sub-processor entities and their purposes (e.g. hosting, analytics).

For transparency, the sub-processors presently engaged by Birch include companies such as cloud hosting providers, analytics, and tracking tools, error monitoring services, communication, and support platforms, and similar vendors. For example, Birch utilizes Amazon Web Services, Inc. for cloud hosting of databases and servers (USA); Mixpanel, Inc. for product analytics to understand platform usage (USA); Sentry, LLC for error log monitoring (USA); Snowflake, Inc. for managed data warehousing (USA); Intercom, Inc. for customer support chat and messaging (USA); and PostHog, Inc. for product usage analytics (USA); and AppsFlyer Ltd. for mobile attribution and measurement (USA / EU). (See Annex 2 for the full sub-processor list.) Birch will update Annex 2 as needed to reflect any additions or replacements of sub-processors and will provide notice to Customer of any intended changes.

Sub-Processor Obligations: Birch shall remain liable to Customer for the performance of its sub-processors’ obligations under this DPA, subject to the limitations set forth in Section 11 and the main service agreement. Birch will (i) conduct due diligence on all sub-processors to ensure their ability to protect Personal Data in line with GDPR and this DPA; (ii) enter into a written agreement with each sub-processor imposing data protection terms that require at least the same level of protection for Personal Data as this DPA (including the requirements of Article 28(3) GDPR); and (iii) restrict each sub-processor’s access to Personal Data only to what is necessary to perform their specific services. If a sub-processor fails to fulfill its data protection obligations, Birch will promptly take appropriate steps to remedy the failure and will inform Customer if any data incident occurs involving the sub-processor.

Birch shall exercise commercially reasonable care in the selection and ongoing oversight of its sub-processors.

Sub-Processor Changes: Birch will maintain an up-to-date list of its sub-processors (Annex 2) and inform Customer of intended changes thereto (by email, notification within the platform, or publication on Birch’s website), giving Customer the opportunity to object on data protection grounds. If Customer objects in writing within 15 days of being informed, the objection is not resolved within 30 days, Customer may terminate the affected services as its sole remedy.

Third-Party Integrations: Customer may choose to integrate the Birch platform with third-party applications or platforms. Such integrations may result in Personal Data being transferred from Birch to the third-party or vice versa per Customer’s use of the features. The parties acknowledge that providers of these integrations are not Birch sub-processors, but rather separate controllers or processors engaged by the Customer directly. Where the terms of a specific third-party platform (for example, Meta Custom Audience Terms) designate a particular feature as joint controllership under Art. 26 GDPR, that arrangement is governed by the platform's own terms directly between Customer and the platform, and is outside the scope of this DPA. Customer is responsible for reviewing the privacy and data handling practices of any integration providers it uses.

6. Security Measures

Security Program: Birch will implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure, in accordance with Article 32 of the GDPR and applicable industry standards. Birch’s security controls are designed to ensure the confidentiality, integrity, and availability of Personal Data. These measures are described in detail in Annex 1 (Security Measures). In summary, Birch maintains a comprehensive written security program and internal policies addressing data protection, access control, encryption, network security, incident response, and other best practices as outlined in Annex 1.

Employee Training and Confidentiality: Birch ensures that all personnel authorized to process Personal Data are bound by a duty of confidentiality and are trained on their privacy and security responsibilities. Access to Personal Data by Birch staff is limited under a role-based access model (“least privilege” principle) to only those personnel who need such access to perform their job duties. All employees and contractors with access to Personal Data are required to sign confidentiality agreements and adhere to Birch’s security policies.

Protection of Data: Key protective measures implemented by Birch include, but are not limited to: encryption of Personal Data at rest and in transit (using strong industry-standard ciphers); network protections such as firewalls, intrusion detection systems, and DDoS mitigation; logical separation of Customer data to prevent co-mingling (multi-tenant data is segregated); and regular backups and redundancy to ensure data availability. Birch’s secure software development life cycle and change management processes ensure that security is taken into account in system updates. Birch also continuously monitors systems and logs activity to detect and respond to any security incidents promptly.

Security Documentation: Annex 1 of this DPA provides an overview of the technical and organizational measures in place. Additional details or documentation (such as security whitepapers, audit certifications, or penetration testing summaries) may be provided by Birch upon Customer’s written request, subject to reasonable confidentiality protections.

7. International Data Transfers

Cross-Border Data Transfers: Customer acknowledges that Birch is a U.S.-based company and that providing the services may involve the transfer of Personal Data to the United States and other jurisdictions where Birch or its sub-processors operate. Birch shall ensure that such transfers are made in compliance with applicable data transfer laws. In particular, for Personal Data subject to GDPR (e.g., data of individuals in the EEA, UK, or Switzerland) that is transferred out of those regions, Birch agrees to implement appropriate transfer safeguards.

Standard Contractual Clauses: The parties agree that, to the extent required by GDPR for transfers of Personal Data from the EEA/Switzerland/UK to countries which are not deemed to provide an adequate level of protection, they hereby enter into the European Commission’s Standard Contractual Clauses (“SCCs”) as applicable. The SCCs are deemed incorporated into this DPA by reference on the following modules as applicable to a given data flow: (a) Module Two (Controller-to-Processor) — for transfers from Customer (data exporter, controller) to Birch Team, Inc. (data importer, processor); this is the default module for the principal flow under this DPA; (b) Module Three (Processor-to-Processor) — for onward transfers from Birch Team, Inc. (data exporter, processor of Customer's data) to sub-processors located outside the EEA/UK/Switzerland; (c) Module Four (Processor-to-Controller) — for intra-group transfers from Revealbot S.L. (data exporter, processor acting on Birch Team, Inc.'s instructions) to Birch Team, Inc. (data importer, controller) in connection with Birch Team, Inc.'s controller-side processing of account, billing, and corporate operational data; Module Four governs the intra-group flow only and does not apply to Customer Personal Data, which is covered by Modules Two and Three. The party acting as data exporter and the party acting as data importer in any given transfer are identified by the role each plays in that transfer. The details of processing set forth in this DPA and its Annexes constitute Appendix/Schedule 1 of the SCCs for each applicable module. The parties will execute additional documents as necessary to give legal effect to SCCs or other required transfer mechanisms. Birch also agrees to abide by the terms of any additional transfer mechanism that may be required under applicable law, such as the UK International Data Transfer Addendum or the Swiss Addendum, as applicable, for transfers from those jurisdictions.

SCCs Option Elections: For the purposes of the SCCs incorporated by reference above: (i) Clause 7 (docking clause) does not apply; (ii) Clause 9(a) Option 2 (general written authorization) applies, with the sub-processor notification and objection process described in Section 5 of this DPA; (iii) Clause 11(a) (optional independent redress) does not apply; (iv) Clause 13 (competent supervisory authority): the data exporter’s competent supervisory authority, determined in accordance with the GDPR; (v) Clause 17 (governing law): the laws of Spain; (vi) Clause 18 (forum and jurisdiction): the courts of Spain. For Module Four, Clause 17 (governing law) and Clause 18 (forum and jurisdiction) remain the laws and courts of Spain, consistent with Revealbot S.L.'s establishment; Clause 13 does not apply to Module Four (no supervisory authority designation is required for processor-to-controller transfers).

Additional Transfer Safeguards: In addition to SCCs, Birch commits to implement any supplementary measures that may be necessary to ensure that Personal Data transferred internationally is afforded an equivalent level of protection as within the originating jurisdiction. Such measures may include encryption in transit and at rest, minimizing data storage in jurisdictions as directed by Customer, and transparent policies for handling government data access requests. Birch’s systems allow data to be stored in specific regional data centers where feasible to meet localization requirements. If at any time a data transfer mechanism relied upon (such as SCCs) is invalidated or requires modification, the parties will work together in good faith to promptly adopt an alternative lawful solution.

Disclosure Requests: If Birch receives any legally binding request from a public authority (e.g., law enforcement or national security agency) for access to Personal Data subject to GDPR or other international data protection laws, Birch will (to the extent permissible) notify Customer of the request and cooperate with Customer’s instructions for handling the request. Birch will not disclose Personal Data to any third-party (including government agencies) unless required by law, and will in all cases seek to ensure any disclosure is limited to the minimum necessary and is done in accordance with applicable legal procedures. Birch will maintain a record of any such disclosures and make it available to Customer upon request.

8. Retention and Deletion of Data

Data Retention: Birch will retain Personal Data only for as long as necessary to fulfill the purposes outlined in Section 3 (Subject Matter and Purpose) or as required by Customer’s instructions or applicable law. Birch’s policy is to avoid retaining Personal Data indefinitely or for longer than reasonably needed. Throughout the term of the service agreement, Birch may retain particular categories of data for varying periods depending on their utility (for example, log data might be kept for a short period for troubleshooting, whereas account information persists for the account’s life). However, Birch commits that when Personal Data is no longer needed for the permitted purposes, it will be deleted or anonymized in accordance with Birch’s data retention policies.

Customer may set certain preferences within the Birch platform (if functionality allows) for retention or deletion of data (e.g., ability to delete specific data via the interface). In the absence of specific instructions, Birch will follow its standard retention practices. Birch may retain aggregated, anonymized data (which is no longer Personal Data) for business and analytical purposes even after termination, as long as such data contains no identifiers of individuals or Customer.

Deletion or Return Upon Termination: Upon termination or expiration of Customer’s use of Birch services, Customer may request: (a) deletion or anonymization of all Personal Data processed on its behalf; or (b) return of Personal Data, to the extent Birch’s platform supports such functionality at the time of the request; provided that if return is not technically feasible, Birch will delete all Personal Data in accordance with option (a). Birch will complete any such request promptly, and in any event within ninety (90) days of receipt, subject to technical feasibility. Upon Customer’s request, Birch will provide written confirmation of deletion or anonymization via email.

Birch and its sub-processors will also delete any backups or archived copies containing Personal Data within a reasonable period following termination, subject to standard backup retention cycles. If applicable law requires Birch to retain certain data beyond termination (for example, for legal compliance such as financial record-keeping, or evidence preservation), Birch may retain such data strictly for the period and purposes required by law, and will continue to protect it in accordance with this DPA. During any retention period after termination where data is not yet deleted, Birch will not actively process the Personal Data except for storage and security purposes.

Customer’s Deletion Responsibilities: Customer, as controller, is responsible for making sure that any copies of Personal Data it has outside of Birch’s platform (for instance, data the Customer may have downloaded or synced) are properly handled or deleted when no longer needed. Birch has no responsibility for data once provided to Customer outside the Birch systems.

9. Audit Rights and Cooperation

Demonstrating Compliance: Birch shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and in Article 28 of GDPR. This includes maintaining records of processing activities and sub-processing, and upon request, providing summaries of relevant certifications or audit reports (e.g. third-party security audits, if available). Birch will, at Customer’s written request, provide responses to relevant questionnaires or other assurances of its security and privacy measures, insofar as such information is necessary to confirm Birch’s compliance with this DPA.

Audits: Customer (or its mandated auditor, which shall not be a competitor of Birch and shall be bound by appropriate confidentiality) has the right to perform an audit of Birch’s relevant systems, policies, and procedures no more than once per year (except in case of a specific indication of non-compliance, such as a security incident). Any such audit shall be conducted upon at least 30 days’ advance notice to Birch, during regular business hours, in a manner that does not unreasonably interfere with Birch’s operations. Before the commencement of any on-site audit, Customer and Birch will mutually agree upon the scope, timing, and duration of the audit. Birch may charge a reasonable fee (to be agreed in advance) for support provided in connection with Customer-initiated audits. Alternatively, Birch may, at its discretion, satisfy audit requests by providing a third-party certification or audit report covering the scope of the DPA, along with a right to have an independent auditor review certain relevant facilities or evidence, thereby meeting the audit requirements.

Cooperation and Assistance: Beyond audits, Birch agrees to cooperate with Customer and provide such assistance as Customer may reasonably request in order to ensure compliance with Customer’s obligations under data protection laws, including:

• Security and DPIAs: Assisting Customer in conducting data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, if required, by providing relevant information about Birch’s processing and security measures. Birch will provide comprehensive responses about its systems and help evaluate any high-risk processing.
• Regulatory Inquiries: Notifying Customer promptly if Birch receives an inquiry, audit, or investigation by a data protection authority relating to the Personal Data processed on Customer’s behalf, and assisting in responding to such inquiry. Birch will allow and contribute to any assessments or audits by supervisory authorities to the extent required by GDPR.
• Breach Notification: In the event Birch becomes aware of a Personal Data Breach, or becomes aware of a Security Incident that may involve Personal Data, (a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data) affecting Customer’s data, Birch will notify Customer without undue delay. Such notice will include all available relevant information about the breach, including its nature, the data compromised, known, or suspected causes, and measures taken or proposed by Birch to address and mitigate the breach. Birch will cooperate fully with Customer’s reasonable requests for further information and action regarding any data breach, including assisting Customer in communicating with affected data subjects or regulators as may be required. Birch will document all breaches and remedial actions.
• Law Enforcement Requests: If Birch receives a legally binding request from law enforcement or other authority for disclosure of Personal Data processed on behalf of Customer, Birch will (unless prohibited by law) inform Customer of the request and cooperate in Customer’s response. Birch will not disclose the Personal Data without Customer’s consent except as required by law.

Confidentiality of Audit Findings: Any audit or compliance information shared by Birch shall be considered Birch’s confidential information. Customer shall use the information only for the purposes of meeting its audit requirements and shall not disclose it to third parties except to its legal and compliance advisors or as required by law.

10. CCPA-Specific Provisions

The following provisions apply with respect to Personal Information (as defined in the CCPA) that Birch processes on behalf of Customer, to ensure compliance with CCPA requirements and to establish Birch’s status as a Service Provider:

• No Sale or Sharing of Personal Information: The parties acknowledge and agree that Customer is disclosing Personal Information to Birch solely for the purposes of Birch performing the services specified in the main agreement. Birch is prohibited from: (i) selling Personal Information (as “sell” is defined in CCPA) or sharing Personal Information with third parties for cross-context behavioral advertising; and (ii) using or disclosing the Personal Information for purposes other than those strictly necessary to perform the services for Customer, or as otherwise permitted by the CCPA and its regulations. Birch confirms that it does not and will not sell Customer’s Personal Information. This restriction applies to all Personal Information processed under this DPA, including any data that may be considered sensitive personal information under CCPA.
• Use of Personal Information: Birch shall not retain, use, or disclose Personal Information obtained in the course of providing services to Customer for any purpose (including any commercial purpose) other than the specific purposes of performing the services under the Agreement, or as otherwise permitted by CCPA §1798.145. Birch will not use Personal Information outside of the direct business relationship between Birch and Customer. In particular, Birch will not combine or augment the Personal Information received from Customer with personal data from other sources (except as instructed by Customer, or for a permissible purpose under the law, such as internal operations that align with the provision of the services). Any processing of Personal Information outside the scope of this DPA or the Customer’s instructions is strictly forbidden.
• Service Provider Certification: Birch certifies that it understands and will comply with the restrictions and prohibitions on using Personal Information set forth in this Section 10 and under CCPA. Birch certifies it shall not sell or share Personal Information, not retain, use, or disclose it outside of providing the services, and not attempt to re-identify any de-identified information, except as allowed by law. If Birch is ever deemed to be a “Contractor” under CPRA, Birch likewise agrees to the applicable requirements, including that it will not combine Personal Information received from Customer with Personal Information from other sources except as permitted by 11 CCR §7051.
• Consumer Requests and Transparency: As stated in Section 4, if Birch receives a request from a California consumer exercising CCPA rights in relation to Personal Information processed on behalf of Customer, Birch will forward the request to Customer and not respond directly. Birch will provide reasonable assistance so that Customer can meet its obligations under CCPA, such as by furnishing the necessary data for a “Right to Know” request or deleting an individual’s data upon verified request. Birch will notify Customer if it cannot comply with a Customer instruction regarding Personal Information (for example, if the instruction violates CCPA or other law), in which case Birch will explain the legal obligation that prevents compliance.
• No Further Disclosure: Birch shall ensure that any sub-processor it engages as a Service Provider to assist in processing Customer’s Personal Information (e.g., cloud storage provider) qualifies as a service provider or contractor under CCPA and is contractually bound by the same restrictions. Birch will enforce restrictions through its contracts with sub-processors, prohibiting them from selling or sharing Personal Information or using it for purposes other than supporting Birch’s services to Customer. If any government or law enforcement demand is received for Customer’s California Personal Information, Birch will handle it as described in Section 7 (International Transfers) and Section 9 (Cooperation), including notifying Customer where permitted.

No Legal Effect on Consumer as Third-Party Beneficiary: This DPA is between Customer and Birch. While it establishes obligations in handling Personal Information, it does not grant any third-party beneficiary rights to individuals, including California consumers; however, California consumers retain their rights against Customer as provided by law, and this DPA ensures that Birch’s handling of their Personal Information on Customer’s behalf is compliant with CCPA’s service provider requirements.

11. Limitation of Liability

Liability Cap: The parties agree that each party’s liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set forth in the main service agreement between Customer and Birch. No provision of this DPA is intended to waive or supersede any such agreed liability caps or exclusions. If the main agreement does not specify a liability cap or exclusion, then (to the maximum extent permitted by law) neither party shall be liable for any indirect, incidental, consequential, special, or punitive damages, or lost profits, arising from or related to this DPA, even if advised of the possibility of such damages. In any event, Birch’s total aggregate liability for all claims arising under or related to this DPA, whether in contract, tort, or any other theory of liability, shall not exceed the amount (if any) paid or payable by Customer for Birch’s services in the 12 months immediately preceding the event giving rise to the claim (or USD $100, if greater). This limitation is cumulative and not per incident. For the avoidance of doubt, liability arising under this DPA shall be included within (not in addition to) the limitations of liability set forth in the main service agreement.

Sub-Processor Liability: Birch’s liability for acts or omissions of its sub-processors is subject to the limitations and exclusions of liability set forth in the main service agreement and this Section 11. However, Birch is not liable for any processing performed by third-party integrations that Customer connects (as noted in Section 5), which are not Birch’s sub-processors.

Additional Liability Terms: Nothing in this DPA is intended to limit liability in violation of applicable law (for example, liability for unauthorized use or disclosure of Personal Data in a manner not permitted by this DPA may not be subject to certain contractual limits in some jurisdictions). Any exclusions or limitations in this Section shall not apply to the extent prohibited by law. The parties agree that the allocations of liability in this DPA reflect the agreed allocation of risk and are an essential part of the consideration between the parties.

12. Term and Termination

Term: This DPA becomes effective and binding upon the parties from the moment Customer agrees to it (either by signing it or by electronically accepting it, or by continuing to use Birch’s services after being provided with this DPA). The DPA shall continue in effect as long as Birch processes Personal Data on behalf of Customer, i.e., for the duration of the contractual relationship under the main services agreement. This DPA will automatically terminate upon deletion of all Personal Data by Birch after the end of the service agreement, except for any provisions that are intended to survive termination.

Suspension of Processing: In the event that Customer materially breaches its obligations under this DPA or applicable data protection law (for example, by using the services in violation of law or by failing to provide necessary privacy notices to data subjects), Birch may suspend processing of Personal Data until the breach is remedied, if such suspension is necessary to prevent ongoing violation of law or data misuse. Birch will promptly notify Customer of any such suspension and work with Customer to resolve the issue.

Termination: Either party may terminate this DPA for cause if the other party is in material breach of this DPA and fails to cure the breach within 30 days after written notice. Termination of the DPA without terminating the main services agreement is generally not feasible, as the DPA is required for lawful processing of Personal Data. Therefore, if Customer objects to any new sub-processor per Section 5 and Birch cannot reasonably accommodate Customer’s objection, Customer’s sole remedy may be to terminate the service agreement (and thus this DPA) with respect to the affected services.

Upon termination or expiration of the main service agreement, this DPA shall automatically terminate concurrently, except that Sections 8 (Retention and Deletion) (to the extent data remains in Birch’s possession), 9 (Audit Rights and Cooperation), 11 (Limitation of Liability), and any other provision of this DPA that by its nature should survive, shall survive termination until all Personal Data is deleted or returned to Customer and for the duration of any applicable statute of limitations. In particular, Birch’s obligations to ensure the confidentiality and security of Personal Data will continue until the data is deleted, and the deletion/return obligations themselves will survive until fulfilled

Entire Agreement and Integration: This DPA is incorporated into and forms part of the overall agreement between Birch and Customer concerning the services. The order of precedence among the documents comprising the agreement is set forth in the main service agreement. If the main service agreement does not specify an order of precedence, this DPA shall prevail over the main service agreement with respect to any processing of Personal Data. This DPA may be updated by Birch from time to time as required by changes in applicable data protection law, upon at least 30 days’ advance notice to Customer. If Customer objects to any update within 30 days of notice, the objection is not resolved within 30 days, Customer may terminate the agreement upon written notice. Continued use of the services after the objection period constitutes acceptance of the updated DPA. The foregoing constitutes the sole mechanism for amendments to this DPA and supersedes any general amendment provisions in the main service agreement. Any content or intellectual property license granted by Customer under the main service agreement does not authorize Birch to process Personal Data beyond the purposes and duration set forth in this DPA.

Annex 1: Security Measures

Birch maintains the following technical and organizational security measures to protect Personal Data, as of the effective date of this DPA. These measures are subject to improvement and updates from time to time, in line with technological developments and Birch’s security policies, provided that no such change will reduce the overall level of protection:

• Organizational Security Policies: Birch has a written information security program and internal policies addressing data protection, access control, acceptable use, incident response, change management, third-party risk management, and other relevant security domains. These policies are approved by management, communicated to all employees, and regularly reviewed.
• Access Control & Identity Management: Birch employs strict access controls to ensure only authorized personnel can access Personal Data. User access is granted on a least privilege basis, with role-based access control (RBAC) determining data and system permissions. All individuals with access must use unique user IDs and strong passwords; multi-factor authentication (MFA) is required for all Birch personnel accounts and is enforced organization-wide on Google Workspace and Slack; Customer-side user MFA is available where the Service supports SSO integration. Birch enforces automatic session time-outs and login attempt throttling to prevent unauthorized session hijacking. Procedures are in place for prompt provisioning and de-provisioning of access: when an employee or contractor leaves or changes role, their access to systems is removed or adjusted immediately. Regular access reviews are conducted to certify that permissions remain appropriate.
• Physical Security: Birch’s production systems are hosted on secure cloud infrastructure (currently Amazon Web Services (AWS)) with robust physical security controls. AWS data centers employ 24/7 monitoring, guard patrols, access badges, biometric scanners, cameras, and other measures to prevent unauthorized physical access. Birch does not maintain on-premise data centers for customer data; all data is in facilities with industry-standard physical security and environmental controls (fire suppression, redundant power, climate control, etc.). Birch’s office locations (if any data is stored or accessed there) are secured by access controls (e.g., keycard entry) and visitor policies.
• Encryption: Birch enforces encryption to protect Personal Data in transit and at rest. All network communications containing Personal Data are encrypted using TLS/SSL protocols (HTTPS) to prevent eavesdropping during transmission. For data at rest (databases, storage volumes, backups), Birch uses strong encryption algorithms (AES-256 or equivalent). Encryption keys are managed using secure key management services (e.g., AWS KMS) with limited personnel access and key rotation at least annually, in line with AWS KMS managed-key defaults. Endpoint devices used by Birch (e.g., employee laptops) are required to use disk encryption and are password-protected.
• Network Security & System Monitoring: Birch’s cloud environment is designed with network segmentation and firewalling. Internal systems are partitioned into separate network segments (e.g., separating development, staging, and production environments) to limit lateral movement. Firewalls/VPC security groups are configured to default deny and only allow necessary traffic to known services/ports. Birch employs intrusion detection and prevention systems (IDS/IPS) to monitor network traffic and server host activity for suspicious behavior. Updated threat intelligence feeds and automated security tools help detect anomalies or potential attacks. Anti-malware and endpoint protection software are utilized on servers and workstations as appropriate. Birch also leverages DDoS protection services (such as AWS Shield or equivalent) to guard against denial-of-service attacks.
• System Hardening and Updates:static analysis to catch security issues early. Internal vulnerability scans and code reviews are conducted on a regular basis. External penetration testing is planned and will be implemented; the schedule is reviewed periodically by Birch's security function.
• Change Management: Birch follows a formal change control process for system and software changes. All changes to production environments (code deployments, infrastructure changes) are logged and reviewed. Changes are tested in non-production environments (development/staging) and subject to approval by authorized personnel prior to deployment. Emergency changes, including urgent security patches, are documented retrospectively and reviewed in post-mortems. Version control and automated deployment pipelines are used to manage code changes, with the ability to rollback if an issue is detected.
• High Availability and Disaster Recovery: Birch’s architecture is built with redundancy and fault tolerance in mind. Critical systems are deployed across multiple availability zones or data centers to ensure high availability. Data is backed up regularly (with at least daily backups for databases) and backups are encrypted and stored in geo-redundant locations. Birch has documented disaster recovery plans and procedures. Disaster recovery tests are performed periodically to verify that backups can be restored and systems can be rebuilt from scratch in a timely manner. The objective is to minimize downtime and data loss in the event of a catastrophic incident, with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
• Monitoring and Logging: Birch maintains extensive logging of system and application events. Security-relevant events (logins, administrative actions, data exports, etc.) and system events (errors, resource utilization) are logged with timestamps and user or process identifiers. Logs are centrally aggregated and protected from tampering or deletion. Automated monitoring systems and alerting are in place: Birch’s operations team is alerted to potential issues such as unusual network patterns, system errors, or security events. These alerts are investigated following predefined incident response playbooks. Logging and monitoring ensure that Birch can detect and trace actions on systems, which is crucial for forensic analysis and compliance.
• Incident Response: Birch has a detailed Incident Response Plan for security incidents. This plan defines the roles and communication channels in case of an incident (e.g., a security breach). If a potential incident is detected, Birch’s incident response team will promptly investigate, contain, and remediate the issue. Birch documents all incidents and, where a Personal Data Breach is confirmed, Birch will notify Customer without undue delay, providing relevant details as required by GDPR (Art. 33). The incident response plan is tested and updated periodically to ensure effectiveness. Birch also has procedures to notify any affected individuals or authorities if required by law, but in a processor role Birch will typically provide information to Customer to facilitate Customer’s notifications.
• Business Continuity: In addition to disaster recovery, Birch maintains a Business Continuity Plan to handle other operational disruptions. This includes arrangements for critical staff to have remote access if office facilities are unavailable (important for continuity of support and operations), and ensuring that support services can continue during incidents. Regular drills or tabletop exercises are conducted to prepare the team for various scenarios, including major outages and / or pandemic response.
• Employee Training and Awareness: All employees undergo privacy and security training at the time of hire and periodically thereafter. Training covers topics such as data protection principles, recognizing, and reporting security incidents, phishing awareness, and proper use of Birch’s systems.
• Vendor Management: When Birch engages sub-processors or third-party vendors that may have access to Personal Data, Birch conducts security and privacy due diligence on those vendors. Birch keeps an updated list of sub-processors (as reflected in Annex 2) and monitors their compliance.
• Data Protection by Design and Default: Birch adheres to the principles of privacy by design and default in its product development and business processes. This means Birch strives to minimize the Personal Data it collects and processes to only what is necessary (data minimization), and where feasible, uses techniques like pseudonymization or aggregation to reduce the identifiability of data.

Annex 1 is an integral part of the DPA, illustrating Birch’s commitment to robust security. Birch will maintain these measures and will not materially decrease the overall security of the services during the term of the Agreement.

Annex 2: Authorized Sub-Processors

Below is a list of Birch’s current Sub-Processors that are authorized to process Personal Data on behalf of Customer in connection with the services. This list includes the name of each sub-processor, the purpose for which they are engaged, and their primary location. Birch will update this Annex 2 as needed to reflect any changes (additions or removals) as per Section 5 of the DPA. Revealbot S.L. (Barcelona, Spain) is Birch Team, Inc.'s EU establishment under Art. 3(1) GDPR and is engaged as an intra-group sub-processor providing platform operations, customer support, and ad-platform integrations under a separate intra-group data processing agreement. The applicable transfer mechanism is SCCs Module 3 (Processor-to-Sub-processor) for Customer Personal Data flows and SCCs Module 4 (Processor-to-Controller) for intra-group flows concerning Birch's own controller-side  data, as applicable.

‍

Additional Notes:

• Certain third-party platforms that Customer may connect through the Services act as independent controllers or joint controllers with respect to Personal Data they receive. These platforms are not sub-processors under this DPA. Their processing is governed by their own terms and privacy policies. Birch ensures that data passed to these integrations is limited to what is necessary for the intended purpose and that such integrations are activated only per Customer’s use of the features.
• Birch also uses various service providers for its own business operations which may handle Personal Data (for example, Google LLC for business email and file storage, Stripe, Inc. for billing transactions, etc. as referenced in Birch’s documentation). Those are not listed above because they either process Birch’s own corporate data (not Customer-provided Personal Data) or act as separate controllers. A full list of such vendors is available in Birch’s Privacy Policy or upon request, but they are outside the scope of “sub-processors” processing Customer’s data under this DPA. Note: AppsFlyer Ltd. (USA / EU) is engaged as a sub-processor for mobile attribution and measurement on behalf of customers who enable the AppsFlyer integration. AppsFlyer may also exercise independent controller rights for certain aggregated analytics per its DPA schedule.
• If Customer has questions or requires more detail about any sub-processor or service provider, Birch will provide additional information. Birch will also assist in facilitating any required agreements (such as the Standard Contractual Clauses) with sub-processors if Customer’s regulatory requirements demand it.

By signing or accepting this DPA, Customer provides general authorization to Birch to engage the above sub-processors and others in the same categories as necessary, pursuant to Section 5 of the DPA. Birch will ensure all sub-processors comply with the obligations of this DPA and applicable law.

‍