Introduction
This DPA is between Pinn (Processor) and the customer (Controller). It applies whenever Pinn processes personal data on behalf of the customer.
This Data Processing Agreement ("DPA") is entered into between:
Talenthaus Teknoloji Limited Şirketi, doing business as Pinn, a company registered in Turkey at Barbaros Mahallesi Nida Kule, No: 1, Istanbul, Ataşehir 34750 ("Processor", "we", "us"); and
The customer entity that has agreed to our Terms and Conditions ("Controller", "Customer", "you").
Together referred to as the "Parties".
This DPA forms part of, and is incorporated by reference into, the Terms and Conditions between the Parties (the "Agreement"). It applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the Services.
By using the Services, the Customer is deemed to have entered into this DPA. Customers requiring a counter-signed DPA may request one by contacting support@usepinn.com.
Last updated: April 25, 2026 — Version: 1.0
1. Definitions
Defines GDPR/UK GDPR/FADP/CCPA terms used throughout the DPA: Applicable Data Protection Law, Customer Personal Data, SCCs, UK Addendum, Subprocessor List.
For the purposes of this DPA:
"Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), the Personal Information Protection and Electronic Documents Act of Canada ("PIPEDA"), and any other equivalent laws.
"Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Subprocessor", "Personal Data Breach", and "Supervisory Authority" have the meanings given to them under the GDPR.
"Customer Personal Data" means Personal Data processed by the Processor on behalf of the Controller in connection with the Services.
"Services" means the Pinn reputation intelligence platform and any related services provided by the Processor under the Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office.
"Subprocessor List" means the list of authorized subprocessors maintained by the Processor and attached as Annex III to this DPA.
2. Roles of the Parties
Customer is Controller. Pinn is Processor. For public reviews containing personal data, Pinn relies on legitimate interests under GDPR Art. 6(1)(f).
2.1 Customer as Controller
The Controller acts as the data controller in respect of Customer Personal Data processed under this DPA. The Controller is responsible for ensuring that:
- It has all necessary legal bases under Applicable Data Protection Law to instruct the Processor to process Customer Personal Data;
- The instructions it provides to the Processor comply with Applicable Data Protection Law;
- All notices, consents, and authorizations required from data subjects have been obtained.
2.2 Pinn as Processor
The Processor processes Customer Personal Data only on behalf of and in accordance with the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject.
2.3 Public Review Data
The Parties acknowledge that the Services involve the processing of publicly available reviews and competitor business data sourced from third-party platforms (such as Google Business Profile). To the extent such data contains Personal Data of third-party data subjects (e.g., individuals who authored public reviews), the Parties acknowledge:
- The Processor processes this data on the basis of legitimate interests under Article 6(1)(f) GDPR for the purpose of providing reputation intelligence services;
- The Controller is responsible for ensuring its use of competitor monitoring features complies with Applicable Data Protection Law and the terms of service of source platforms.
3. Subject Matter and Details of Processing
See Annex I for the full description of the processing operations.
The details of the processing operations performed under this DPA are set forth in Annex I (Description of Processing).
4. Processor Obligations
Pinn processes only on documented instructions, ensures confidentiality, applies Annex II security measures, manages subprocessors, assists with data subject rights and breaches, deletes data on termination, and supports audits.
4.1 Documented Instructions
The Processor shall process Customer Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by Union or Member State law. The Agreement (including this DPA), together with the Controller’s use of the Services, constitutes the Controller’s documented instructions to the Processor.
4.2 Confidentiality
The Processor shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. Such measures are described in Annex II (Technical and Organizational Measures).
4.4 Subprocessors
The Controller provides general authorization for the Processor to engage subprocessors listed in Annex III (Subprocessor List). The Processor shall:
- Inform the Controller of any intended changes to subprocessors at least thirty (30) days in advance, by updating the Subprocessor List published at https://usepinn.com/dpa and, where the Customer has subscribed to subprocessor change notifications, by email;
- Give the Controller the opportunity to object to such changes within fifteen (15) days of notification. If the Controller objects on reasonable data protection grounds, the Parties shall work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the Agreement by providing written notice;
- Ensure that any subprocessor engaged is bound by data protection obligations no less protective than those in this DPA;
- Remain fully liable to the Controller for the performance of its subprocessors’ obligations.
4.5 Data Subject Rights
Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
If a data subject submits a request directly to the Processor, the Processor shall promptly forward such request to the Controller and shall not respond to the data subject directly without the Controller’s authorization.
4.6 Assistance with Compliance Obligations
The Processor shall assist the Controller in ensuring compliance with the Controller’s obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:
- Security of processing (Article 32);
- Personal Data Breach notifications (Articles 33 and 34);
- Data Protection Impact Assessments (Article 35);
- Prior consultation with Supervisory Authorities (Article 36).
4.7 Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include, to the extent reasonably available:
- The nature of the Personal Data Breach, including the categories and approximate number of data subjects and Personal Data records concerned;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects;
- The name and contact details of a contact point where more information can be obtained.
4.8 Deletion or Return of Data
Upon termination of the Agreement, the Processor shall, at the choice of the Controller:
- Delete all Customer Personal Data; or
- Return all Customer Personal Data to the Controller and delete existing copies,
unless Union or Member State law requires storage of the Personal Data. Deletion shall occur within ninety (90) days following termination, except for backups which will be deleted in accordance with the Processor’s standard backup retention cycles (not exceeding twelve months).
4.9 Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
For practical reasons:
- The Controller may exercise its audit right by submitting a written request to support@usepinn.com, providing reasonable advance notice of at least thirty (30) days (except in cases of suspected breach);
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s business operations;
- The Processor may satisfy audit requirements by providing recent third-party audit reports, certifications, or attestations (e.g., SOC 2, ISO 27001), where available;
- The Controller shall bear its own costs of any audit unless the audit reveals material non-compliance by the Processor.
5. International Data Transfers
Customer Personal Data is stored on AWS servers in Germany. Transfers outside the EEA/UK/Switzerland rely on EU SCCs (Module 2), the UK IDTA, and Swiss-equivalent terms.
5.1 Storage Location
The Processor stores Customer Personal Data on servers located in Germany (European Union), hosted by Amazon Web Services.
5.2 Transfers Outside the EEA, UK, and Switzerland
To the extent that processing of Customer Personal Data involves transfers of Personal Data outside the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, the Parties agree:
EU SCCs
The Parties incorporate by reference the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor), with the following selections:
- Clause 7 (Docking clause): Optional clause not applied
- Clause 9 (Use of subprocessors): Option 2 (general written authorization), with the notification period set to thirty (30) days
- Clause 11 (Redress): Independent dispute resolution body option not applied
- Clause 17 (Governing law): Law of the EU Member State of the data exporter (Controller)
- Clause 18 (Choice of forum and jurisdiction): Courts of the EU Member State of the data exporter
- Annex I.A (Parties): As identified in this DPA
- Annex I.B (Description of transfer): As set forth in Annex I of this DPA
- Annex I.C (Competent supervisory authority): As determined under Clause 13 SCCs
- Annex II (Technical and organizational measures): As set forth in Annex II of this DPA
- Annex III (List of subprocessors): As set forth in Annex III of this DPA
UK Addendum
For transfers from the United Kingdom, the Parties incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, with the EU SCCs as the approved EU SCCs and Tables 1-4 of the UK Addendum populated by reference to this DPA.
Swiss Transfers
For transfers subject to the Swiss FADP, references in the EU SCCs to "GDPR" shall be read as references to the FADP, references to "EU Member State" shall be read to include Switzerland, and the supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
5.3 Onward Transfers
Where the Processor onward-transfers Customer Personal Data to subprocessors located outside the EEA, UK, or Switzerland, the Processor shall ensure that such onward transfers are governed by appropriate safeguards, including the Standard Contractual Clauses or other valid transfer mechanisms.
5.4 Government Access Requests
If the Processor receives a legally binding request from a public authority (including judicial authorities) for access to Customer Personal Data, the Processor shall, where legally permitted:
- Notify the Controller of the request without undue delay;
- Challenge such request if there are reasonable grounds to consider that the request is unlawful;
- Provide the minimum amount of information permissible when responding to the request.
6. AI Processing
Pinn does not use Customer Personal Data to train AI. AI subprocessors (OpenAI, Anthropic) are bound by enterprise DPAs prohibiting training, with encryption in transit and data minimization.
6.1 No Use of Customer Personal Data for AI Training
The Processor shall not use Customer Personal Data to train, fine-tune, or otherwise improve any artificial intelligence or machine learning models, whether developed by the Processor or by third-party AI providers. This commitment is contractually enforced with the Processor’s AI subprocessors (including OpenAI and Anthropic) under their enterprise data processing terms.
6.2 AI Subprocessor Safeguards
When Customer Personal Data is processed by AI subprocessors for the purpose of providing the Services (such as theme extraction, draft response generation, or analytics), such processing is governed by:
- The data processing terms of the relevant AI subprocessor (referenced in Annex III);
- Contractual prohibitions on training, retention beyond processing windows, and unauthorized use;
- Encryption in transit;
- Data minimization principles (only data necessary for the AI task is transmitted).
7. CCPA / CPRA — California-Specific Provisions
Pinn acts as a Service Provider under CCPA/CPRA. We do not sell or share Personal Information and do not use it outside the customer relationship.
To the extent the Processor processes Personal Information (as defined under CCPA/CPRA) of California residents on behalf of the Controller, the Processor acts as a "Service Provider" under the CCPA/CPRA. The Processor shall:
- Not sell or share Personal Information;
- Not retain, use, or disclose Personal Information for any purpose other than the specific business purpose of providing the Services or as otherwise permitted by CCPA/CPRA;
- Not retain, use, or disclose Personal Information outside the direct business relationship with the Controller;
- Not combine Personal Information received from the Controller with Personal Information received from other sources, except as permitted by CCPA/CPRA;
- Comply with applicable obligations under CCPA/CPRA and provide the same level of privacy protection as required of businesses under CCPA/CPRA;
- Notify the Controller if it determines it can no longer meet its obligations under CCPA/CPRA;
- Allow the Controller to take reasonable and appropriate steps to ensure that the Processor uses Personal Information consistent with the Controller’s obligations under CCPA/CPRA.
8. Liability
Liability is subject to the limitations in the Agreement, except where Article 82 GDPR or other Applicable Data Protection Law requires otherwise.
The liability of each Party under this DPA shall be subject to the limitations of liability set forth in the Agreement, except where required otherwise by Applicable Data Protection Law (including Article 82 GDPR).
9. Term and Termination
This DPA lasts for the duration of the Agreement. Surviving obligations include data deletion, audit cooperation, and confidentiality.
This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement, except for those obligations that survive by their nature (including but not limited to deletion or return of data, audit cooperation, and confidentiality).
10. General Provisions
In conflict, the DPA prevails over the Agreement; the SCCs prevail over the DPA. Severability applies. Updates are published at usepinn.com/dpa.
10.1 Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the subject matter hereof. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
10.2 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
10.3 Governing Law
This DPA is governed by the laws specified in the Agreement, except to the extent that Applicable Data Protection Law (including the SCCs) requires otherwise.
10.4 Updates
The Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Law, subprocessor changes, or operational changes. Material changes will be communicated to Customers in advance through the Services or by email. The current version is always available at https://usepinn.com/dpa.
10.5 Contact
Questions regarding this DPA, including requests for a counter-signed copy, should be directed to:
Talenthaus Teknoloji Limited Şirketi
Email: support@usepinn.com
Website: https://usepinn.com
Annex I — Description of Processing
Identifies the parties, the categories of data subjects and personal data, the nature, purpose, frequency, duration, and competent supervisory authority of the processing.
A. List of Parties
Data Exporter (Controller): The Customer entity that has agreed to the Pinn Terms and Conditions and uses the Services. Contact details are as provided in the Customer’s account.
Data Importer (Processor):
- Name: Talenthaus Teknoloji Limited Şirketi (DBA Pinn)
- Address: Barbaros Mahallesi Nida Kule, No: 1, Istanbul, Ataşehir 34750, Turkey
- Contact: support@usepinn.com
- Activities relevant to data transferred: Provision of the Pinn reputation intelligence platform.
B. Description of Transfer
Categories of Data Subjects
- Authorized Users of the Customer (e.g., business owners, employees, location managers accessing the Services on behalf of the Customer);
- End Customers of the Customer whose reviews and feedback are publicly available on platforms such as Google Business Profile, where such reviews are processed in connection with the Services.
Categories of Personal Data
- Account Data: name, email address, username, password (hashed), business name, role/title;
- Authentication Data: session tokens, IP address, login timestamps;
- Usage Data: pages visited, features used, interaction events, browser and device information;
- Public Review Data: publicly available customer review content, ratings, reviewer names (as published), review timestamps — sourced from Google Business Profile and similar platforms;
- Competitor Public Data: publicly available business information of competitors selected by the Customer (business names, ratings, public reviews);
- Communication Data: email correspondence, support tickets;
- Inferred Data: AI-generated themes, voice profiles for draft replies, usage scoring (e.g., for tier upgrade triggers).
Sensitive Data
The Services are not designed to process special category data under Article 9 GDPR or sensitive personal information under CCPA/CPRA. The Customer is contractually prohibited from uploading Protected Health Information (PHI), attorney-client privileged communications, or other regulated category data through the Services.
Frequency of Transfer
Continuous, for the duration of the Customer’s use of the Services.
Nature of Processing
- Hosting and storage of Personal Data on EU-based servers;
- Authentication and account management;
- Ingestion and analysis of public review data via Google Business Profile API;
- AI-based processing for theme extraction, draft response generation, and intelligence reporting;
- Generation of weekly intelligence briefings, action recommendations, and competitor analyses;
- Customer support and communication.
Purpose of Processing
To provide the Pinn reputation intelligence Services to the Customer in accordance with the Agreement.
Duration of Processing
For the duration of the Agreement, plus a maximum of three (3) months following termination (or longer where required by law).
Subprocessor Transfers
See Annex III.
C. Competent Supervisory Authority
For Customers established in the EU, the competent supervisory authority shall be the data protection authority of the EU Member State where the Customer is established. For UK Customers, the supervisory authority is the UK Information Commissioner’s Office (ICO).
Annex II — Technical and Organizational Measures
GDPR Art. 32 measures: RBAC + MFA, password hashing, TLS 1.2+ in transit, AES-256 at rest, audit logging, AWS-based high availability, security testing, employee training, AWS Frankfurt hosting.
The Processor implements the following technical and organizational security measures to protect Customer Personal Data:
1. Confidentiality (Article 32(1)(b) GDPR)
1.1 Access Control
- Role-based access control (RBAC) for all internal systems;
- Multi-factor authentication (MFA) required for administrative access;
- Principle of least privilege applied to employee access rights;
- Access reviews performed periodically;
- Immediate revocation of access upon employee termination.
1.2 Authentication
- Strong password requirements for user accounts;
- Password hashing using industry-standard algorithms (bcrypt or equivalent);
- Session management with secure token handling;
- Brute-force protection on authentication endpoints.
1.3 Encryption
- In transit: TLS 1.2 or higher for all data transmissions;
- At rest: AES-256 encryption for stored Personal Data on AWS-managed infrastructure;
- Encrypted backups.
2. Integrity (Article 32(1)(b) GDPR)
- Input validation and output encoding to prevent injection attacks;
- Audit logging of administrative actions and access to Customer Personal Data;
- Change management procedures for production systems;
- Code review processes for changes affecting data handling.
3. Availability and Resilience (Article 32(1)(b) GDPR)
- AWS infrastructure with high availability configurations;
- Automated daily backups with retention policies;
- Disaster recovery procedures and periodic testing;
- Monitoring and alerting on system health.
4. Regular Testing, Assessing and Evaluating (Article 32(1)(d) GDPR)
- Periodic security reviews;
- Vulnerability scanning;
- Dependency monitoring for known vulnerabilities;
- Incident response procedures.
5. Organizational Measures
- Confidentiality obligations imposed on all employees and contractors with access to Customer Personal Data;
- Data protection training for personnel involved in processing;
- Documented information security policies;
- Vendor due diligence for subprocessors;
- Incident response plan covering Personal Data Breach notification.
6. Data Minimization and Purpose Limitation
- Personal Data is collected and processed only as necessary to provide the Services;
- AI subprocessors receive only the minimum data necessary for each AI task;
- Customer Personal Data is not used for AI model training (contractually enforced with AI subprocessors).
7. Hosting Infrastructure
- Primary hosting: Amazon Web Services (AWS), Frankfurt region (eu-central-1), Germany;
- AWS provides physical security, environmental controls, and infrastructure-level certifications (ISO 27001, SOC 2, etc.);
- Network security via VPC, security groups, and WAF where applicable.
Annex III — Subprocessor List
Authorized subprocessors include AWS (hosting), OpenAI and Anthropic (AI), Paddle (payments), Google (review data + analytics), PostHog (analytics), email and support providers, and the Talenthaus Turkey-based team.
The Processor engages the following subprocessors to assist in providing the Services. The Processor maintains the current list at https://usepinn.com/dpa and notifies Customers of changes in accordance with Section 4.4 of this DPA.
Infrastructure and Hosting
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, data storage, computing infrastructure | Germany (Frankfurt, eu-central-1) | EU hosting; AWS DPA + SCCs for any group transfers |
AI Service Providers
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| OpenAI, L.L.C. | AI processing for theme extraction, draft response generation, intelligence outputs | United States | OpenAI Enterprise DPA + SCCs; no training on Customer data |
| Anthropic, PBC | AI processing for theme extraction, draft response generation, intelligence outputs | United States | Anthropic Commercial DPA + SCCs; no training on Customer data |
Payment Processing
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Paddle.com Market Limited / Paddle.com Inc. | Payment processing, subscription management, sales tax handling (acts as Merchant of Record) | United Kingdom / United States | Paddle DPA + SCCs / UK IDTA |
Third-Party Data Sources
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Google LLC (Google Business Profile API) | Source of public review data and business profile information | United States / Global | Google Cloud Data Processing Terms + SCCs |
Analytics and Product Insights
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| PostHog, Inc. | Product analytics, usage event tracking | United States (or EU, depending on Customer cohort) | PostHog DPA + SCCs |
| Google LLC (Google Analytics) | Website traffic analytics | United States / Global | Google Analytics DPA + SCCs |
Communications
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Email Service Provider (specific provider disclosed upon request) | Transactional emails, weekly briefings, account notifications | United States | Provider DPA + SCCs |
Customer Support
| Subprocessor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| (If used) Support ticketing or helpdesk provider | Handling support inquiries | (Disclosed when subprocessor is engaged) | Provider DPA + SCCs |
Internal Access
| Entity | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Talenthaus Teknoloji Limited Şirketi (Turkey-based team) | Operations, customer support, engineering, security | Turkey | Internal access governed by intra-company confidentiality, security policies, and the SCCs incorporated into this DPA |
Notes on the Subprocessor List
The list above reflects the Processor’s current subprocessors as of the date of this DPA. The list may change over time. Customers will be notified of changes in accordance with Section 4.4.
Some subprocessors may engage their own subprocessors (sub-subprocessors). The primary subprocessors listed above are responsible for ensuring such sub-subprocessors are bound by equivalent data protection obligations.
The Processor enters into appropriate data processing agreements with each subprocessor, including the EU SCCs and UK IDTA where international transfers are involved.
For an up-to-date version of this Subprocessor List, including any new subprocessors added since the last update, please visit https://usepinn.com/dpa.
This Data Processing Agreement (including all Annexes) was last updated on April 25, 2026.