Data Processing Agreement
This Data Processing Agreement (“Agreement”) sets out the terms on which Studio Launch Ltd, trading as ForgeSend, processes personal data on behalf of its customers.
Definitions
Roles and responsibilities
The Customer is the Controller of all Personal Data uploaded to or processed through the ForgeSend service. Studio Launch Ltd is the Processor. As Processor, Studio Launch Ltd processes Personal Data only on the documented instructions of the Controller and for no other purpose. Where Studio Launch Ltd is required by applicable law to process Personal Data beyond those instructions, it will inform the Controller before doing so unless prohibited by law.
Categories of personal data processed
In the course of providing the ForgeSend service, the Processor handles the following categories of Personal Data on behalf of the Controller:
- Names and job titles of contacts uploaded by the Customer
- Email addresses of contacts uploaded by the Customer
- Company names and organisational identifiers
- Campaign data including message content and send history
- Any additional contact data uploaded or imported by the Customer
Permitted purposes
The Processor shall process Personal Data solely to deliver the ForgeSend service as contracted. The Processor will not:
- Sell, rent, license, or share Personal Data with any third party for commercial purposes
- Use Personal Data to train, fine-tune, or improve AI or machine learning models
- Process Personal Data for any purpose other than providing the contracted service
- Retain Personal Data beyond the periods set out in Section 9 of this Agreement
Location of processing
The Processor's primary infrastructure is located on servers physically situated in London, United Kingdom. Personal Data will not be transferred to, or processed in, any jurisdiction outside the United Kingdom without explicit written instruction from the Controller. Where a sub-processor is located outside the UK (see Section 7), appropriate transfer safeguards — including Standard Contractual Clauses where required — are in place.
Security measures
The Processor implements and maintains the following technical and organisational measures to protect Personal Data:
- AES-256-GCM encryption for all Personal Data and credentials stored at rest
- TLS 1.3 encryption for all data in transit between clients and the ForgeSend service
- Workspace-level data isolation enforced at the database and service layer
- Role-based access controls limiting staff access to Personal Data
- Daily encrypted backups stored across two geographically separate offsite locations with a 30-day retention window
- Automatic session expiry for inactive authenticated sessions
Sub-processors
The Controller grants general authorisation for the Processor to engage the sub-processors listed below. The Processor will notify the Controller of any intended changes to this list and provide an opportunity to object before the change takes effect.
Data subject rights
The Processor will assist the Controller in meeting its obligations to respond to data subject requests under UK GDPR, including rights of access, rectification, erasure, restriction, and portability. The Processor will notify the Controller of any data subject request received directly within 5 business days and will not respond to any such request without the Controller's authorisation. The Processor will provide such assistance within the timeframes required by applicable law.
Data retention and deletion
Following termination or expiry of the Customer's subscription, the Controller has 30 days to export their data from the ForgeSend service. After that period, the Processor will begin permanent deletion of all Personal Data from active systems. All Personal Data — including copies held in backups — will be permanently and irreversibly deleted within 90 days of the termination date. The Processor will provide written confirmation of deletion upon request.
Breach notification
In the event of a personal data breach as defined under UK GDPR Article 4(12), the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, the likely consequences of the breach, and measures taken or proposed to address the breach.
Audit rights
The Controller may request written confirmation from the Processor that this Agreement is being complied with, once per calendar year. The Processor will respond to such requests within 30 days. Where a Controller requires more extensive audit evidence, this may be agreed in writing at reasonable cost. The Processor will maintain records of processing activities as required by UK GDPR Article 30.
Governing law
This Agreement is governed by and construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales in relation to any dispute arising under or in connection with this Agreement.