TrailSpark Data Processing Agreement
Last updated: February 6, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between Trailspark, LLC ("TrailSpark," "Processor") and the entity agreeing to the Terms ("Customer," "Controller"), and governs TrailSpark's processing of Personal Data on Customer's behalf in connection with the Service.
By using the Service, Customer agrees to this DPA. If there is a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA will control.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Terms. In addition:
- 1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and any other applicable data protection or privacy legislation.
- 1.2 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- 1.3 "Personal Data" means any information relating to a Data Subject that is included in Customer Data and is protected under Applicable Data Protection Law. For purposes of the CCPA, Personal Data includes "personal information" as defined thereunder.
- 1.4 "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- 1.5 "Security Incident" has the meaning given in Section 6.3 of the Terms.
- 1.6 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (currently Commission Implementing Decision (EU) 2021/914), as may be amended, superseded, or replaced from time to time.
- 1.7 "Sub-Processor" means any third party engaged by TrailSpark to Process Personal Data on behalf of Customer.
2. Scope, Roles, and Processing Details
2.1 Roles. Customer is the Controller of Personal Data and determines the purposes and means of Processing. TrailSpark is the Processor and Processes Personal Data only on behalf of and in accordance with Customer's documented instructions. For purposes of the CCPA, Customer is the "business" and TrailSpark is the "service provider."
2.2 Scope. This DPA applies to all Personal Data that TrailSpark Processes in connection with providing the Service to Customer under the Terms.
2.3 Processing Details. The following details of Processing are documented as required under Article 28(3) GDPR and equivalent provisions:
Subject matter and duration: Processing of Personal Data as necessary to provide the Service under the Terms, for the duration of the Terms plus any post-termination retention period described in Section 10.
Nature and purpose of Processing: TrailSpark Processes Personal Data to:
- Ingest behavioral, product usage, engagement, and marketing signals transmitted by Customer through integrations, APIs, webhooks, or manual uploads;
- Perform identity resolution, including storing signals associated with anonymous or unidentified users and later associating those signals with identified individuals or accounts when a matching identifier becomes available;
- Enrich lead and account records with data pulled from Customer's connected CRM;
- Evaluate leads and accounts using third-party artificial intelligence large language model ("LLM") providers. Before transmitting data to LLM providers, TrailSpark applies a privacy-by-design anonymization layer: all direct personal identifiers (such as names, email addresses, phone numbers, and other contact information) are stripped and replaced with internal identifiers. The data transmitted to LLM providers for evaluation consists of anonymized lead identifiers, role-level demographic indicators (e.g., seniority level, department category), company name, behavioral signal summaries, and product usage data. No personally identifiable information ("PII") is sent to LLM providers. LLM providers are used solely for inference and do not use data received from TrailSpark to train or improve their models, subject to the LLM provider's applicable API data processing terms. The LLM provider used for evaluation is selected and controlled globally by TrailSpark at the platform administration level and is identified in Annex D;
- Deliver scores, reasoning, and related outputs back to Customer's connected systems (CRM, webhooks, and other configured destinations); and
- Provide Customer with access to dashboards, reports, and feedback mechanisms within the Service.
Types of Personal Data Processed:
- Contact and identity information (names, email addresses, job titles, company names)
- Professional and firmographic information (company size, industry, role, seniority)
- Behavioral and product usage data (feature usage events, session activity, collaboration signals, milestone completions, timestamps)
- Marketing engagement data (form submissions, email interactions, webinar attendance, content downloads, webpage visits)
- CRM record data (account fields, contact fields, opportunity data, lifecycle stages, ownership)
- Device and technical data (IP addresses, browser information, device identifiers, referral sources)
- Any other categories of Personal Data that Customer transmits to the Service via signal payloads or integrations
Note: The types of Personal Data listed above describe what Customer may transmit to the Service and what TrailSpark stores and processes internally. As described above, Personal Data is anonymized before transmission to LLM providers. LLM providers receive only anonymized identifiers, role-level indicators, company name, and behavioral/usage summaries.
Categories of Data Subjects:
- Customer's end users and product users (including free-tier and trial users)
- Customer's prospects, leads, and contacts
- Customer's employees and authorized users of the Service
- Any other individuals whose Personal Data is included in Customer Data
3. Customer's Obligations
3.1 Lawful Basis. Customer is responsible for ensuring that its collection and sharing of Personal Data with TrailSpark is lawful under Applicable Data Protection Law, including by establishing and maintaining a valid legal basis for Processing (such as consent, legitimate interest, or contractual necessity).
3.2 Notices and Consents. Customer is responsible for providing all required privacy notices to Data Subjects and obtaining all required consents, including notice that: (a) behavioral and product usage data may be transmitted to and processed by third-party service providers such as TrailSpark for lead scoring and evaluation purposes; (b) anonymous signals may be stored and later associated with identified individuals when a matching identifier becomes available; and (c) anonymized lead and account data (with direct personal identifiers removed) may be processed by third-party artificial intelligence providers for the purpose of generating scores and evaluations.
3.3 Instructions. Customer's instructions to TrailSpark regarding the Processing of Personal Data are documented in this DPA and the Terms. Customer may provide additional reasonable written instructions consistent with the Terms, provided that TrailSpark is not required to comply with instructions that would violate Applicable Data Protection Law or require material changes to the Service. If TrailSpark believes an instruction violates Applicable Data Protection Law, it will promptly notify Customer.
3.4 Data Accuracy. Customer is responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired it.
4. TrailSpark's Obligations
4.1 Processing on Instructions. TrailSpark will Process Personal Data only on Customer's documented instructions as set forth in this DPA and the Terms, unless required to do otherwise by applicable law. If TrailSpark is required by applicable law to Process Personal Data for a purpose other than as instructed by Customer, TrailSpark will inform Customer of that legal requirement before Processing, unless prohibited by law.
4.2 Confidentiality. TrailSpark will ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
4.3 CCPA-Specific Obligations. To the extent the CCPA applies, TrailSpark will not:
- Sell or share (as defined under the CCPA) Personal Data received from Customer;
- Retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in the Terms and this DPA, or as otherwise permitted by the CCPA for service providers;
- Retain, use, or disclose Personal Data outside of the direct business relationship between TrailSpark and Customer; or
- Combine Personal Data received from Customer with personal information received from other sources or collected from TrailSpark's own interactions with individuals, except as expressly permitted by the CCPA for service providers.
TrailSpark certifies that it understands and will comply with the obligations set forth in this Section 4.3.
5. Security
5.1 Security Measures. TrailSpark will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures will be appropriate to the risk and will include, at a minimum:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest;
- Access controls and authentication mechanisms, including role-based access and multi-factor authentication for TrailSpark personnel accessing production systems;
- Regular security testing and vulnerability assessments;
- Logging and monitoring of access to systems that Process Personal Data;
- Incident response procedures;
- Employee security awareness training;
- Physical security controls for data center facilities (provided by third-party infrastructure providers); and
- Anonymization of Personal Data prior to transmission to LLM providers, as described in Section 2.3.
5.2 Updates. TrailSpark may update its security measures from time to time, provided that updates do not materially decrease the overall level of protection.
6. Security Incidents
6.1 Notification. TrailSpark will notify Customer without unreasonable delay, and in any event within 72 hours, of becoming aware of a confirmed Security Incident, consistent with Section 6.3 of the Terms.
6.2 Notification Contents. The notification will include, to the extent reasonably available:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected;
- The name and contact details of a TrailSpark contact from whom further information can be obtained;
- A description of the likely consequences of the Security Incident; and
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate possible adverse effects.
6.3 Cooperation. TrailSpark will cooperate reasonably with Customer's investigation of the Security Incident and any legally required notifications to Data Subjects or supervisory authorities. TrailSpark will take reasonable steps to contain, investigate, and remediate the Security Incident.
6.4 No Acknowledgment of Fault. Notification of a Security Incident is not an acknowledgment of fault or liability by TrailSpark.
7. Sub-Processors
7.1 Authorization. Customer provides general written authorization for TrailSpark to engage Sub-Processors to Process Personal Data in connection with the Service, subject to the requirements of this Section 7.
7.2 Current Sub-Processors. A current list of Sub-Processors is set forth in Annex D of this DPA. Customer acknowledges and approves the Sub-Processors listed as of the date Customer agrees to this DPA.
7.3 New Sub-Processors. TrailSpark will provide at least 30 days' prior written notice before engaging a new Sub-Processor that will Process Personal Data, via email to Customer's account contact or by updating Annex D of this DPA. The notice will identify the new Sub-Processor, describe the Processing it will perform, and identify its location.
7.4 Objection Right. If Customer has a reasonable, good-faith objection to a new Sub-Processor based on data protection grounds, Customer must notify TrailSpark in writing within 15 days of receiving notice. The parties will work in good faith to resolve the concern, which may include TrailSpark providing additional information, implementing supplementary safeguards, or offering an alternative configuration that avoids use of the objected-to Sub-Processor. If no resolution is reached within 30 days, Customer may terminate the affected Subscription upon written notice, and TrailSpark will provide a pro-rata refund of any prepaid, unused fees for the remainder of the then-current term.
7.5 Sub-Processor Obligations. TrailSpark will:
- Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those in this DPA;
- Remain liable to Customer for the acts and omissions of its Sub-Processors in accordance with, and subject to, the limitations of liability set forth in the Terms and this DPA. TrailSpark's liability for Sub-Processor acts and omissions is limited to failures by TrailSpark to meet its due diligence and oversight obligations under this Section 7; and
- Conduct appropriate due diligence on Sub-Processors before engagement, including reviewing their security practices and data processing commitments, and monitor compliance on an ongoing basis.
7.6 LLM Providers. LLM providers listed in Annex D occupy a distinct role in the processing chain because they do not receive Personal Data. As described in Section 2.3, all direct personal identifiers are stripped before data is transmitted to LLM providers, and LLM providers receive only anonymized lead identifiers, role-level demographic indicators, company name, and behavioral/usage summaries. LLM providers are listed in Annex D for transparency, but TrailSpark's selection and engagement of LLM providers is managed at the platform administration level by TrailSpark, not configured on a per-Customer basis. To the extent a supervisory authority or applicable law determines that the anonymized data transmitted to LLM providers does not constitute Personal Data, the Sub-Processor obligations in this Section 7 will not apply to such transmissions; however, TrailSpark will continue to maintain the anonymization measures described in Section 2.3 and list LLM providers in Annex D.
8. Data Subject Rights
8.1 Assistance. Taking into account the nature of the Processing, TrailSpark will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
8.2 Direct Requests. If TrailSpark receives a request from a Data Subject directly regarding Customer's Personal Data, TrailSpark will promptly redirect the Data Subject to Customer, unless legally required to respond directly. TrailSpark will notify Customer of the request unless prohibited by law.
8.3 Costs. If compliance with a Data Subject request requires effort beyond what is reasonably necessary to maintain the Service, TrailSpark may charge Customer reasonable fees for such assistance, provided TrailSpark notifies Customer of the anticipated fees in advance.
9. Data Protection Impact Assessments and Consultations
Upon Customer's reasonable written request, TrailSpark will provide reasonable assistance and information necessary for Customer to conduct data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent such assistance relates to TrailSpark's Processing of Personal Data under this DPA.
10. Data Retention and Deletion
10.1 During the Term. TrailSpark will retain Personal Data for the duration of the Terms and will Process it only in accordance with this DPA and Customer's documented instructions.
10.2 Upon Termination. Following termination or expiration of the Terms:
- TrailSpark will make Customer Data (including Personal Data) available for export during the 30-day Export Period described in Section 11.4 of the Terms.
- After the Export Period, TrailSpark will delete or anonymize all Personal Data in its possession or control within 90 days, except to the extent that applicable law requires further retention of specific data. Where retention is legally required, TrailSpark will isolate and protect such data and limit Processing to the purpose required by law.
10.3 Sub-Processor Data. TrailSpark will ensure that its Sub-Processors delete or return Personal Data in accordance with this Section 10, subject to the Sub-Processor's own legal retention obligations.
10.4 LLM Provider Data. Because LLM providers receive only anonymized data for inference and do not store input data beyond the duration of the API request (subject to the LLM provider's applicable API data processing terms), no separate deletion action is required for LLM providers upon termination.
10.5 Certification. Upon Customer's written request, TrailSpark will provide written confirmation that it has complied with its deletion obligations under this Section 10.
11. International Data Transfers
11.1 General. Customer acknowledges that TrailSpark may Process Personal Data in the United States and in other jurisdictions where TrailSpark or its Sub-Processors operate. TrailSpark will not transfer Personal Data to a jurisdiction outside the country of origin unless appropriate safeguards are in place as required by Applicable Data Protection Law.
11.2 Transfers from the EEA, UK, and Switzerland. To the extent that Customer's use of the Service involves the transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection:
- The parties agree that such transfers will be governed by the Standard Contractual Clauses, which are incorporated by reference into this DPA. The applicable SCCs and the parties' elections are set forth in Annex C of this DPA.
- For transfers from the UK, the Standard Contractual Clauses will be deemed amended as required by the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum"), which is incorporated by reference.
- For transfers from Switzerland, the Standard Contractual Clauses will be deemed amended as necessary to comply with the FADP, including that the Swiss Federal Data Protection and Information Commissioner will serve as the competent supervisory authority.
11.3 Supplementary Measures. TrailSpark will implement appropriate supplementary technical and organizational measures (such as encryption, access controls, and pseudonymization) as necessary to ensure that transferred Personal Data receives a level of protection essentially equivalent to that guaranteed within the EEA, UK, or Switzerland.
11.4 Alternative Transfer Mechanisms. If a transfer mechanism relied upon under this Section 11 is invalidated or superseded, the parties will cooperate in good faith to implement a replacement mechanism that provides adequate safeguards under Applicable Data Protection Law.
12. Audits
12.1 Information and Audit Rights. TrailSpark will make available to Customer, upon reasonable written request and no more than once per 12-month period, information reasonably necessary to demonstrate compliance with this DPA.
12.2 Third-Party Audits and Certifications. TrailSpark may satisfy audit requests by providing:
- Copies of relevant third-party audit reports or certifications (such as SOC 2 Type II, ISO 27001, or equivalent), subject to reasonable confidentiality obligations; and
- Written responses to Customer's reasonable written questions regarding TrailSpark's data processing practices and security measures.
12.3 On-Site Audits. If the information provided under Section 12.2 is not reasonably sufficient to demonstrate compliance, or if an on-site audit is required by a supervisory authority, Customer may conduct, or commission a qualified, independent third-party auditor (subject to reasonable confidentiality obligations) to conduct, an on-site audit of TrailSpark's facilities and practices relevant to the Processing of Personal Data, subject to the following:
- Customer must provide at least 30 days' prior written notice;
- The audit will be conducted during normal business hours and will not unreasonably interfere with TrailSpark's operations;
- Customer will bear its own costs of the audit, unless the audit reveals a material breach of this DPA by TrailSpark; and
- Customer will promptly share any audit findings with TrailSpark and allow TrailSpark a reasonable period to remediate any identified issues.
13. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in Section 13 of the Terms. For the avoidance of doubt, TrailSpark's total aggregate liability under both the Terms and this DPA combined will not exceed the cap set forth in the Terms.
14. General
14.1 Term. This DPA will remain in effect for the duration of the Terms and will automatically terminate when TrailSpark no longer Processes Personal Data on Customer's behalf.
14.2 Governing Law. This DPA is governed by the laws specified in the Terms, except that the Standard Contractual Clauses (where applicable) will be governed by the law of the EU Member State in which the data exporter is established, or (if the data exporter is not established in an EU Member State) the laws of Ireland.
14.3 Conflicts. In the event of a conflict between this DPA and the Terms, this DPA will control with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will control.
14.4 Amendments. TrailSpark may update this DPA from time to time to reflect changes in Applicable Data Protection Law or TrailSpark's processing practices, provided that updates do not materially reduce the level of data protection. Material changes will be communicated with at least 30 days' prior notice.
Annex A: Technical and Organizational Security Measures
TrailSpark maintains the following categories of security measures. Specific implementation details may be updated from time to time and are available upon request.
Access Control
- Role-based access controls with least-privilege principles
- Multi-factor authentication required for all personnel accessing production systems
- Regular access reviews and prompt de-provisioning upon personnel changes
- Unique user accounts (no shared credentials)
- Account lockout mechanisms after repeated failed authentication attempts
Encryption
- Encryption in transit using TLS 1.2 or higher for all data communications
- Application-level encryption using AES-256-GCM for sensitive identifiers, including email addresses and integration credentials, with unique initialization vectors per encryption operation
- Infrastructure-level encryption at rest for all stored Customer Data, provided by database and hosting infrastructure providers (see Annex D)
- Encryption key management with appropriate access controls
Network Security
- Firewalls and network segmentation provided by infrastructure providers
- Secure configuration management and hardening of systems
- DDoS mitigation provided by infrastructure and hosting providers
Application Security
- Secure software development lifecycle practices
- Code review and security testing prior to deployment
- Input validation and output encoding to protect against common vulnerabilities (including CSRF, XSS, and injection attacks)
- Regular patching and updates
- Append-only audit logging with cryptographic hash-chain integrity verification for tamper detection
Data Management
- Logical separation of Customer Data between tenants via organization-scoped access controls
- Data backup and recovery procedures
- Secure data deletion procedures upon termination
- Pseudonymization of email addresses via SHA-256 hashing for internal lookups
- Anonymization of Personal Data prior to transmission to LLM providers (direct identifiers stripped, leads referenced by internal ID only)
Personnel Security
- Background checks for personnel with access to production systems (where legally permitted)
- Security awareness training upon hiring and periodically thereafter
- Confidentiality obligations for all personnel
Incident Response
- Documented incident response plan with defined roles and escalation procedures
- Post-incident review and remediation tracking
Physical Security
- Production infrastructure hosted in third-party data center facilities with industry-standard physical security controls (access badges, surveillance, environmental controls)
- Physical security of data center facilities is managed by Sub-Processors and subject to their security certifications
Business Continuity
- Infrastructure-provider-managed redundancy and failover capabilities
- Regular backup procedures managed by database infrastructure provider
Annex B: Description of Processing
| Element | Description |
|---|---|
| Data Exporter (Controller) | Customer, as identified in the Terms |
| Data Importer (Processor) | Trailspark, LLC |
| Subject Matter | Provision of AI-powered lead scoring and evaluation services |
| Duration | Duration of the Terms plus post-termination retention period |
| Nature of Processing | Ingestion, storage, identity resolution, enrichment, AI evaluation (via third-party LLM providers using anonymized data only), scoring, and delivery of results |
| Purpose | To process behavioral, product usage, marketing, and CRM data for the purpose of evaluating and scoring leads and accounts and delivering results to Customer's connected systems |
| Categories of Data Subjects | Customer's end users, product users, prospects, leads, contacts, employees, and authorized Service users |
| Types of Personal Data | Contact information, professional/firmographic data, behavioral and product usage data, marketing engagement data, CRM record data, device and technical data |
| Sensitive Data | None (the Service is not designed to process special categories of data under GDPR Article 9 or equivalent) |
| Retention | For the duration of the Terms, plus 30-day Export Period, plus 90-day deletion period post-export |
Annex C: Standard Contractual Clauses and International Transfer Mechanisms
For transfers from the EEA:
The parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
- Module Two (Controller to Processor) applies where Customer (as Controller/data exporter) transfers Personal Data to TrailSpark (as Processor/data importer).
- Clause 7 (Docking Clause): Included. Third parties may accede to these clauses with the consent of the existing parties.
- Clause 9(a) (Sub-Processor Authorization): Option 2 (General written authorization) applies. TrailSpark will inform Customer of any intended changes to Sub-Processors with at least 30 days' prior notice, providing Customer with the opportunity to object as described in Section 7.4 of this DPA.
- Clause 11 (Redress): The optional language permitting complaints to an independent dispute resolution body is not included.
- Clause 13(a) (Supervision): The competent supervisory authority will be determined in accordance with Clause 13(a) based on the EU Member State in which the data exporter is established. If the data exporter is not established in an EU Member State, the Irish Data Protection Commission will serve as the competent supervisory authority.
- Clause 17 (Governing Law): Option 1 applies. The SCCs will be governed by the law of the EU Member State in which the data exporter is established, or (if not established in an EU Member State) the laws of Ireland.
- Clause 18(b) (Forum): Disputes will be resolved before the courts of the EU Member State in which the data exporter is established, or (if not established in an EU Member State) the courts of Ireland.
- Annexes I, II, and III of the SCCs are completed by reference to the corresponding Annexes of this DPA (Annex B for processing details, Annex A for technical and organizational measures, and Annex D for the Sub-Processor list).
For transfers from the United Kingdom:
The UK Addendum to the EU Commission Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated and applies to transfers subject to the UK GDPR. Tables 1 through 4 of the UK Addendum are completed by reference to the SCCs and Annexes of this DPA.
For transfers from Switzerland:
The SCCs apply as amended to comply with the FADP:
- References to "Regulation (EU) 2016/679" are deemed to include the FADP as applicable.
- References to "EU," "Union," and "Member State" are deemed to include Switzerland as applicable.
- The Swiss Federal Data Protection and Information Commissioner serves as the competent supervisory authority for transfers subject to the FADP.
- The term "member state" will not be interpreted to exclude Data Subjects in Switzerland from the ability to exercise their rights in their place of habitual residence.
Annex D: Sub-Processor List
The following Sub-Processors are authorized to Process data on behalf of Customer as of the date of this DPA. This list may be updated in accordance with Section 7 of this DPA.
Infrastructure and Data Storage Sub-Processors
These Sub-Processors receive and process Customer Data, including Personal Data.
| Sub-Processor | Purpose of Processing | Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | PostgreSQL database hosting and storage | All Customer Data stored in the Service (lead records, account records, signals, evaluations, CRM data, encrypted email addresses, integration credentials) | United States |
| Railway Corp. | Application hosting and compute infrastructure | All Customer Data processed by the application server during normal operation | United States |
| Amazon Web Services, Inc. (AWS) | Object storage (S3) for cold storage of anonymous signals | Anonymous and unidentified signal data, which may later be associated with identified individuals upon identity resolution | United States |
LLM Providers (Anonymized Data Only)
The following providers are used for AI-powered lead and account evaluation. As described in Section 2.3, TrailSpark applies an anonymization layer before transmitting data to LLM providers. No personally identifiable information is sent to LLM providers. LLM providers receive only: anonymized lead identifiers (internal IDs), role-level demographic indicators (e.g., seniority level, department category), company name, behavioral signal summaries, and product usage data. LLM providers are used solely for real-time inference and do not retain input data beyond the duration of the API request, subject to each provider's applicable API data processing terms.
The active LLM provider is selected and managed globally by TrailSpark at the platform administration level. Only the active provider receives data for evaluation at any given time.
| Sub-Processor | Purpose | Data Transmitted | Location | Status |
|---|---|---|---|---|
| Anthropic, PBC | AI large language model provider (Claude) for lead and account evaluation | Anonymized lead IDs, role-level demographic indicators, company name, behavioral signal summaries, product usage data | United States | Active (current default) |
| OpenAI, LLC | AI large language model provider (GPT) for lead and account evaluation | Anonymized lead IDs, role-level demographic indicators, company name, behavioral signal summaries, product usage data | United States | Available (not currently active) |
| Google LLC | AI large language model provider (Gemini) for lead and account evaluation | Anonymized lead IDs, role-level demographic indicators, company name, behavioral signal summaries, product usage data | United States | Available (not currently active) |
Notes:
- LLM providers are listed in this Annex for transparency. Because they receive only anonymized data with no direct personal identifiers, their classification as Sub-Processors of Personal Data is subject to determination under applicable law (see Section 7.6 of this DPA).
- If TrailSpark changes the active LLM provider, Customer will be notified in accordance with Section 7.3. A change in active LLM provider does not alter the data transmitted or the anonymization measures applied.
- Sub-Processor locations refer to the primary data processing region. Sub-Processors may maintain additional infrastructure in other regions subject to their own data processing agreements.
