Data Processing Agreement

Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)

Data Controller: [Company Name], [Street Address], [Postal Code] [City], [Country]
and
Data Processor: React Motion Technologies SAS, Paris, France — SIREN 952 765 756

Effective: [Effective Date]

Recitals

(A) The Controller uses the Caramel platform (the "Services") provided by the Processor under a separate subscription or service agreement (the "Principal Agreement").

(B) In the course of providing the Services, the Processor processes Personal Data on behalf of the Controller, acting as a Data Processor within the meaning of Article 4(8) GDPR.

(C) The parties wish to set out in writing the terms on which the Processor will process Personal Data on behalf of the Controller, as required by Article 28(3) GDPR.

(D) This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Principal Agreement. In the event of conflict, this DPA prevails.

Article 1 — Definitions

In this DPA, the following terms have the meanings set out below. Capitalised terms not defined here have the same meaning as in the GDPR or the Principal Agreement.

"Agreement"
This DPA and its Annexes, as amended from time to time.
"Company Personal Data"
Any Personal Data provided to or Processed by the Processor on behalf of the Controller in connection with the Services.
"Data Protection Laws"
All applicable laws and regulations relating to the processing of Personal Data and privacy, including: (i) Regulation (EU) 2016/679 (GDPR); (ii) the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 modifiée, "Loi Informatique et Libertés"); (iii) the UK GDPR and Data Protection Act 2018; (iv) the Swiss Federal Act on Data Protection (FADP); and any implementing, supplementary, or successor legislation.
"GDPR"
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
"Personal Data Breach"
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Personal Data.
"Protected Area"
(i) For EU Personal Data: the EU/EEA and countries with an Article 45 GDPR adequacy decision; (ii) for UK Personal Data: the United Kingdom and countries with a UK adequacy decision; (iii) for Swiss Personal Data: Switzerland and countries recognised as adequate by the FDPIC.
"Services"
The Caramel B2C CRM, marketing automation, loyalty programme management, multi-channel communication (email, SMS, WhatsApp, push notifications, digital wallet), and associated analytics services described in the Principal Agreement.
"Standard Contractual Clauses" / "SCCs"
The EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller-to-Processor), as amended or replaced.
"Sub-processor"
Any person appointed by the Processor to Process Company Personal Data on behalf of the Controller.

The terms "Controller", "Data Subject", "Member State", "Personal Data", "Processing", and "Supervisory Authority" bear the same meanings as in Article 4 GDPR.

Article 2 — Processing of Company Personal Data

2.1 Controller obligations

2.1.1 The Controller shall, in its use of the Services, comply with all applicable Data Protection Laws in respect of the collection, lawful basis, transfer, and use of Company Personal Data, including obtaining all necessary consents from Data Subjects (including marketing and WhatsApp opt-ins under the ePrivacy Directive 2002/58/EC and applicable national laws).

2.1.2 The Controller is solely responsible for the accuracy, quality, and legality of Company Personal Data and the means by which the Controller acquired it.

2.1.3 The Controller instructs the Processor to Process Company Personal Data as necessary to provide the Services, in accordance with the terms of this DPA and the Principal Agreement.

2.2 Processor obligations

2.2.1 The Processor shall Process Company Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by applicable law; in which case the Processor shall inform the Controller of that legal requirement before processing, unless such law prohibits this on grounds of public interest.

2.2.2 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Laws. The Processor is not obliged to perform additional legal analysis beyond its reasonable knowledge.

2.2.3 De-identification carve-out: The Controller acknowledges that the Processor may aggregate, anonymise, or pseudonymise data derived from the Controller's use of the Services for the purposes of: (i) product improvement; (ii) performance benchmarking; (iii) development of new features. Any such output shall not identify any individual Data Subject and shall not be shared with third parties in a form attributable to the Controller.

Article 3 — Confidentiality of Processing

3.1 The Processor shall ensure that persons authorised to process Company Personal Data are subject to appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate data protection training.

3.2 The Processor shall not disclose Company Personal Data to any third party except: (i) as authorised by the Controller; (ii) as required by applicable law; or (iii) to authorised Sub-processors in accordance with Article 5.

Article 4 — Security

4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further detailed in Annex II.

4.2 Such measures include, as appropriate:

  • Pseudonymisation and encryption of Personal Data (AES-256 at rest; TLS 1.2+ in transit);
  • Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
  • Role-based access control and least-privilege access principles;
  • Multi-factor authentication for access to production infrastructure;
  • Audit logging of access to Personal Data.

4.3 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

Article 5 — Sub-processing

5.1 The Controller provides the Processor with general written authorisation to engage Sub-processors. The list of authorised Sub-processors as at the Effective Date is set out in Annex III.

5.2 The Processor shall: (i) impose data protection obligations on each Sub-processor equivalent to those in this DPA; (ii) remain fully liable to the Controller for the performance of each Sub-processor's obligations; and (iii) enter into a written agreement with each Sub-processor that satisfies the requirements of Article 28(4) GDPR.

5.3 The Processor shall notify the Controller of any intended changes to the Sub-processor list (addition or replacement) at least 14 calendar days in advance by updating Annex III and notifying the Controller at the email address on record.

5.4 The Controller may object to a new or replacement Sub-processor within 7 calendar days of receipt of the notification by providing written reasons. In that event, the Processor shall use reasonable efforts to: (a) make the affected Service available without that Sub-processor; or (b) take corrective steps satisfactory to the Controller. If no resolution is reached within 30 calendar days, the Controller may terminate the affected Service on reasonable written notice, without penalty.

Article 6 — Data Subject Rights

6.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection).

6.2 The Processor shall: (i) promptly notify the Controller if it receives a Data Subject request under any Data Protection Law; and (ii) not respond to that request except on the documented instructions of the Controller or as required by applicable law.

6.3 The Processor shall provide all reasonably requested information and assistance to enable the Controller to: (i) conduct data protection impact assessments (DPIAs) under Article 35 GDPR; (ii) undertake prior consultations with Supervisory Authorities under Article 36 GDPR; and (iii) demonstrate compliance with its Article 32 obligations.

6.4 Assistance that goes materially beyond the standard scope of the Services may be subject to a reasonable fee, except where such assistance is required due to the Processor's acts or omissions, in which case it shall be provided at no additional cost.

Article 7 — Personal Data Breach Notification

7.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any Personal Data Breach affecting Company Personal Data, providing the Controller with sufficient information to allow it to meet its obligations under Articles 33 and 34 GDPR, including (to the extent then known):

  • a description of the nature of the breach (categories and approximate number of Data Subjects and records concerned);
  • the name and contact details of the Processor's data protection contact point;
  • a description of the likely consequences of the breach;
  • a description of the measures taken or proposed to address the breach.

7.2 The Processor shall cooperate with the Controller and take such reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

7.3 Breach notifications shall be sent to: privacy@joincaramel.com (Processor internal contact) and to the Controller's DPO or data protection contact on record.

Article 8 — Audit Rights

8.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR.

8.2 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable advance written notice of not less than 30 calendar days, at the Controller's expense, and subject to confidentiality obligations. The Processor may require that any third-party auditor execute a confidentiality undertaking before granting access.

8.3 The parties agree that the Controller's audit rights may be satisfied by the Processor providing relevant third-party security certifications (e.g., ISO 27001, SOC 2 Type II) or audit reports, to the extent these sufficiently demonstrate compliance with the relevant obligations.

Article 9 — Data Protection Impact Assessment

9.1 Where the Controller is required to carry out a DPIA pursuant to Article 35 GDPR that relates to the Processing activities described in Annex I, the Processor shall provide all reasonable assistance, including by providing the information set out in this DPA and Annex II.

9.2 Any assistance beyond what is reasonably required to support a DPIA for the standard Services shall be subject to a reasonable fee agreed in advance.

Article 10 — International Data Transfers

10.1 The Controller acknowledges that certain Sub-processors used by the Processor are located outside the Protected Area (including in the United States), and that in providing the Services the Processor may transfer Company Personal Data to such Sub-processors.

10.2 Where Company Personal Data is transferred to a country outside the Protected Area, the parties shall comply with the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), incorporated herein by reference, with: the Controller as "data exporter" and the Processor as "data importer". The Annexes to the SCCs correspond to Annex I and Annex II of this DPA. Execution of this DPA constitutes execution of the SCCs.

10.3 SCCs election: (i) Clause 9 Option 2 (general written authorisation for Sub-processors) applies, with the notice period set out in Article 5.3 of this DPA; (ii) Governing law: French law; (iii) Jurisdiction: courts of Paris, France; (iv) Clause 13 Supervisory Authority: CNIL (Commission Nationale de l'Informatique et des Libertés).

10.4 For transfers of UK Personal Data, the parties shall comply with the UK International Data Transfer Addendum (IDTA) issued by the ICO, appended as a supplementary schedule where required.

10.5 For transfers of Swiss Personal Data, the EU SCCs shall apply with references to GDPR interpreted as references to the FADP, and the competent supervisory authority being the FDPIC.

10.6 If the SCCs are invalidated, amended, or replaced by applicable law or a Supervisory Authority, the parties shall implement an alternative transfer mechanism with reasonable promptness.

10.7 Sub-processors located outside the Protected Area shall be subject to appropriate transfer mechanisms (including SCCs or binding corporate rules) as listed in Annex III.

Article 11 — Retention and Deletion of Data

11.1 Upon termination or expiry of the Principal Agreement, or upon written request from the Controller, the Processor shall, within 30 calendar days:

  • Return all Company Personal Data to the Controller in a machine-readable format (CSV or JSON); and
  • Securely delete or destroy all copies of Company Personal Data in its possession and in the possession of its Sub-processors, unless applicable law requires continued retention.

11.2 The Processor shall provide written confirmation of deletion to the Controller upon request.

11.3 Aggregated, anonymised data that cannot be re-identified as relating to any Data Subject or the Controller is not subject to this obligation.

Article 12 — General Terms

12.1 Governing law. This DPA is governed by the laws of France. Any dispute shall be subject to the exclusive jurisdiction of the courts of Paris, France.

12.2 Order of precedence. In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to its subject matter. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.

12.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force.

12.4 Entire agreement. This DPA, together with its Annexes and the Principal Agreement, constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes all prior agreements, representations, and understandings.

12.5 Amendments. The Processor may update this DPA from time to time to reflect changes in Data Protection Laws, operational changes, or changes to the Sub-processor list. The Processor shall provide not less than 30 days' notice of material changes via the email address registered by the Controller in the Caramel platform. Continued use of the Services after such notice constitutes acceptance.

12.6 Notices. All notices shall be in writing and sent to the parties' registered addresses or email addresses as set out in this DPA or as otherwise notified in writing.

Annex I — Description of Processing Activities

A. Subject Matter and Nature of Processing

The Processor provides a B2C CRM and marketing automation platform ("Caramel") that enables the Controller to: capture and unify first-party customer data; manage loyalty programmes; send marketing and transactional communications via email, SMS, WhatsApp Business API, Apple/Google Push Notifications, and digital wallet passes (Apple Wallet / Google Wallet); perform customer segmentation and analytics; and deploy autonomous AI-driven engagement campaigns.

B. Purpose of Processing

  • Customer identity resolution and profile unification;
  • Loyalty programme management (points accrual, tier progression, rewards redemption);
  • Multi-channel marketing campaign creation, scheduling, and delivery;
  • Transactional and operational messaging (order confirmations, booking reminders, receipts);
  • Customer behavioural analytics and segmentation;
  • AI-driven engagement automation and churn prediction;
  • Digital wallet pass issuance and management;
  • Customer support interaction logging;
  • Product improvement and platform analytics (pseudonymised).

C. Duration of Processing

For the duration of the Principal Agreement, and for the 30-day period following termination (for data return/deletion purposes under Article 11), unless applicable law requires longer retention.

D. Categories of Data Subjects

  • The Controller's end customers (consumers);
  • Prospective customers who have opted in to the Controller's marketing;
  • Loyalty programme members;
  • Visitors to the Controller's digital properties (website, app) where Caramel tracking is deployed;
  • The Controller's employees (to the extent their data is processed in connection with the Services).

E. Categories of Personal Data Processed

Category: Examples

  • Identity: First name, last name, username, date of birth
  • Contact: Email address, telephone number (mobile/SMS), WhatsApp number
  • Device & technical: IP address, device identifiers (IDFA/GAID), push notification tokens, browser fingerprint, Apple/Google Wallet pass IDs
  • Location: Country, region, city (derived from IP or POS transaction)
  • Transactional: Purchase history, order value, product categories purchased, POS terminal ID, payment reference (no full card data)
  • Loyalty: Points balance, tier status, rewards redeemed, referral codes
  • Behavioural: Email opens/clicks, SMS delivery status, WhatsApp read receipts, push notification engagement, session data, page views, feature flag assignments
  • Communication preferences: Channel opt-ins/opt-outs (email, SMS, WhatsApp, push), consent timestamps and sources, unsubscribe status
  • Profile: Customer segments, AI-derived engagement scores, predicted churn probability, RFM (Recency, Frequency, Monetary) scores

F. Special Categories of Personal Data

The Processor does not intentionally process special categories of Personal Data (as defined in Article 9 GDPR) on behalf of the Controller. The Controller shall not upload or cause to be processed any special categories of Personal Data through the Services without prior written agreement from the Processor and implementation of appropriate additional safeguards.

G. List of Parties (SCCs Annex I.B)

Data Exporter (Controller):
[Company Name], [Legal Form]
[Street Address], [Postal Code] [City], [Country]
Registration: [Registration No.]
DPO: N/A — N/A
Signatory: [Signatory Name], [Signatory Title]
Role: Controller

Data Importer (Processor):
React Motion Technologies SAS
Paris, France — SIREN 952 765 756
Contact: privacy@joincaramel.com
Signatory: Aymen Sakka, Chief Executive Officer
Role: Processor

H. Description of Transfer (SCCs Annex I.C)

Personal Data is transferred on a continuous basis, whenever the Controller uses the Caramel platform to import customer data, send communications, or retrieve analytics. Transfers to Sub-processors outside the Protected Area occur as necessary for the provision of the Services as detailed in Annex III. The frequency, nature, and purpose of the transfer correspond to Sections A–E of this Annex I.

Annex II — Technical and Organisational Security Measures

The Processor implements and maintains the following technical and organisational measures to protect Company Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access.

1. Encryption

  • At rest: AES-256 encryption for all database storage and object storage (Hetzner, AWS S3, Supabase).
  • In transit: TLS 1.2 or higher enforced on all data transmission paths, including API endpoints, webhooks, and internal service communication.
  • Wallet passes: PassKit-generated digital wallet passes are signed with Apple/Google-certified cryptographic keys.

2. Access Control

  • Role-based access control (RBAC) with least-privilege principles applied to all internal systems and production environments.
  • Multi-factor authentication (MFA) mandatory for all personnel accessing production infrastructure.
  • SSH key-based access to servers; password-based SSH access disabled.
  • Contractor and third-party access scoped to specific tasks with time-limited credentials.
  • Privileged access management (PAM) for database access; direct production database access restricted to authorised engineers only.

3. Infrastructure and Availability

  • Primary infrastructure hosted on Hetzner (EU datacentres, Germany/Finland) and Google Cloud with geographic redundancy.
  • Automated daily backups of all databases with point-in-time recovery capability.
  • Backup storage encrypted and geographically separated from primary storage.
  • 99.9% uptime SLA with health monitoring and automated failover.
  • Cloudflare deployed for DDoS protection, WAF, and CDN.

4. Pseudonymisation and Minimisation

  • Internal user identifiers (UUIDs) used in place of direct identifiers in analytics pipelines.
  • Data minimisation applied to analytics: PostHog and Sentry receive pseudonymised identifiers; full PII not passed to monitoring sub-processors except where strictly necessary.
  • Logs automatically purged after 90 days; error traces in Sentry stripped of payment data.

5. Organisational Measures

  • All personnel with access to Personal Data are subject to contractual confidentiality obligations.
  • Annual data protection training for all staff processing Personal Data.
  • Documented incident response plan with defined escalation paths and breach notification procedure (target: 48-hour Controller notification).
  • Vendor security assessment process for new Sub-processors.
  • Periodic internal security reviews and penetration testing.

6. Application Security

  • OWASP Top 10 mitigations applied in development lifecycle.
  • Dependency vulnerability scanning in CI/CD pipeline (automated alerts for CVEs).
  • Error monitoring via Sentry with PII scrubbing rules applied before log transmission.
  • Separate staging and production environments; no production Personal Data in staging.

7. Physical Security

Physical infrastructure is hosted in Hetzner data centres (ISO 27001 certified) and Google Cloud facilities, which maintain physical access controls, CCTV, and environmental controls. The Processor does not operate its own data centre facilities.

Annex III — Authorised Sub-processors

The following Sub-processors are authorised as at [Effective Date]. The Controller will be notified of any additions or changes with at least 14 calendar days' notice in accordance with Article 5.3.

Hetzner Online GmbH
Industriestr. 25, 91710 Gunzenhausen, Germany
  • Country: Germany (EU)
  • Purpose: Primary cloud hosting and dedicated server infrastructure; primary EU data residency
  • Data Types: All Company Personal Data (all categories in Annex I.E)
  • Transfer Mechanism: No transfer outside EU — EU data residency

Supabase, Inc.
San Francisco, CA, USA
  • Country: USA (EU region deployed)
  • Purpose: Database-as-a-service (PostgreSQL); real-time subscriptions; authentication services
  • Data Types: All Company Personal Data stored in Caramel's application database
  • Transfer Mechanism: EU-hosted region (Frankfurt); SCCs for US company

Google Cloud EMEA Ltd / Google LLC
Gordon House, Barrow Street, Dublin 4, Ireland
  • Country: Ireland (EU) / USA
  • Purpose: Cloud infrastructure; AI/ML model serving; object storage; background job processing
  • Data Types: All categories; AI inference may process pseudonymised behavioural data
  • Transfer Mechanism: EU-hosted region; Google Cloud DPA + SCCs

Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy, L-1855 Luxembourg
  • Country: Luxembourg (EU) / USA
  • Purpose: SES: Transactional and marketing email delivery infrastructure. SNS: SMS delivery routing and push notification delivery
  • Data Types: Email address, name (SES); phone number, device push token (SNS)
  • Transfer Mechanism: EU region deployed; AWS DPA + SCCs

Apple Inc.
One Apple Park Way, Cupertino, CA 95014, USA
  • Country: USA
  • Purpose: Apple Push Notification Service (APNs) for iOS push notifications; Apple Wallet pass delivery and display
  • Data Types: Device push token (APNs); Apple Wallet pass ID, loyalty balance, name
  • Transfer Mechanism: SCCs; Apple DPA for developers

PassKit Ltd
United Kingdom
  • Country: United Kingdom
  • Purpose: Digital wallet pass creation, management, and delivery (Apple Wallet and Google Wallet loyalty and membership cards)
  • Data Types: Name, email, loyalty programme data (tier, points), pass metadata
  • Transfer Mechanism: UK adequacy decision; PassKit DPA

PostHog, Inc.
2261 Market St #4008, San Francisco, CA 94114, USA
  • Country: USA (EU Cloud deployed)
  • Purpose: Product analytics, session recording, feature flags, funnel analysis for Caramel platform improvement
  • Data Types: Pseudonymised identifiers, IP address, device data, behavioural data (platform usage only — not Controller's end-customer PII)
  • Transfer Mechanism: EU Cloud region; PostHog DPA + SCCs

Functional Software, Inc. (Sentry)
45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
  • Country: USA
  • Purpose: Application error monitoring, crash reporting, and performance tracing
  • Data Types: Pseudonymised user ID, IP address (masked), error context; PII scrubbing rules applied — no sensitive Personal Data transmitted
  • Transfer Mechanism: SCCs; Sentry DPA

Cloudflare, Inc.
101 Townsend Street, San Francisco, CA 94107, USA
  • Country: USA (EU PoPs)
  • Purpose: Content delivery network (CDN), DDoS mitigation, Web Application Firewall (WAF), DNS, SSL termination
  • Data Types: IP address, HTTP request metadata (headers, URLs); transient data only — no persistent storage
  • Transfer Mechanism: SCCs; Cloudflare DPA

Adopt (UserLeap / Sprig)
USA
  • Country: USA
  • Purpose: In-app user onboarding, product tours, contextual user guidance within the Caramel platform
  • Data Types: Pseudonymised user ID, session data, feature interaction events (Caramel platform operators only — not Controller's end customers)
  • Transfer Mechanism: SCCs; Adopt DPA

Stripe, Inc. / Stripe Payments Europe, Ltd.
185 Berry Street, Suite 550, San Francisco, CA 94107 / 1 Grand Canal Street Lower, Dublin 2, Ireland
  • Country: USA / Ireland (EU)
  • Purpose: Payment processing for Caramel platform subscriptions; billing and invoicing
  • Data Types: Name, email, billing address, payment method (tokenised); Controller's end-customer payment data is NOT processed by Stripe via Caramel
  • Transfer Mechanism: Stripe DPA; EU entity for EU transactions; SCCs for US transfers

Google LLC (Google Workspace)
1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Country: USA
  • Purpose: Email hosting, calendar, document collaboration for Caramel internal operations; custom domain email sending (Controller's verified domain)
  • Data Types: Email content and metadata; contact data in connection with Controller's Workspace email integration
  • Transfer Mechanism: Google Workspace DPA + SCCs

Microsoft Corporation (Outlook / Microsoft 365)
One Microsoft Way, Redmond, WA 98052, USA
  • Country: USA (EU datacentres available)
  • Purpose: Email sending via Controller's Microsoft 365 / Outlook verified domain; optional calendar integration
  • Data Types: Email address, display name, email content headers
  • Transfer Mechanism: Microsoft DPA + SCCs; EU datacentre option available

YouForm
Online form builder service
  • Country: EU / International
  • Purpose: Lead capture and contact forms embedded on joincaramel.com; demo request form submissions
  • Data Types: Name, email, company name, message content submitted via forms
  • Transfer Mechanism: YouForm DPA; GDPR-compliant processing

Bitrix24 (1C-Bitrix)
900 N. Michigan Ave., Suite 1600, Chicago, IL 60611, USA
  • Country: USA / EU (cloud region)
  • Purpose: Internal sales CRM pipeline management; tracking of Caramel's prospective and existing customer accounts
  • Data Types: Contact data (name, email, company, phone) of Controller's own personnel and procurement contacts — not Controller's end-customer data
  • Transfer Mechanism: Bitrix24 DPA + SCCs; EU cloud region available

Intercom, Inc. (Pending confirmation)
55 2nd Street, 4th Floor, San Francisco, CA 94105, USA
  • Country: USA
  • Purpose: Customer support chat and helpdesk (deployment under evaluation — not yet live in production)
  • Data Types: Name, email, support conversation content; account metadata
  • Transfer Mechanism: Intercom DPA + SCCs (to be activated upon deployment)

Sub-processors marked "Pending confirmation" are under evaluation and have not been deployed in production. The Controller will be notified prior to activation in accordance with Article 5.3.

Note on Apple/iCloud/Phone integration: Where Controllers use the Caramel WhatsApp Business API integration or Apple Wallet features, communications pass through Meta Platforms Ireland Ltd (WhatsApp Business API) and Apple Inc. (Wallet / APNs) respectively, as noted above. Caramel does not access the content of iCloud data and does not integrate with iCloud as a storage system.

Signatures

The parties have caused this Data Processing Agreement to be executed by their duly authorised representatives as of the Effective Date stated below.

For the Data Controller

[Signatory Name]

[Signatory Title]

[Company Name]

[Street Address], [City], [Country]

Registration: [Registration No.]

Date: [Effective Date]

For the Data Processor

Aymen Sakka

Chief Executive Officer

React Motion Technologies SAS

Paris, France — SIREN 952 765 756

privacy@joincaramel.com

Date: [Effective Date]