Sumble Data Processing Agreement
Last Revised on 18 June 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of (and if applicable, amends the current version of) the Agreement between Customer ("Customer") and Sumble, Inc. ("Sumble"), performing the Services on Customer's behalf, as identified in the Agreement (as defined below), each a "Party" and collectively the "Parties." This DPA applies to and takes precedence over the agreement between the Parties and any associated contractual document between the Parties, such as an order form, statement of work, or data processing agreement thereunder (collectively, the "Agreement"), to the extent of any conflict. Capitalized terms not defined herein are defined as in applicable Data Protection Laws.

1. DEFINITIONS

For purposes of this DPA:

  1. "Data Protection Laws" means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection ("FADP"); the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations ("CCPA"); and other similar U.S. state and federal laws. For the avoidance of doubt, the Parties' respective rights and obligations under this DPA shall apply only to the extent that the relevant Processing activities are subject to the applicable Data Protection Laws. No provision of this DPA shall be construed to impose obligations arising under a Data Protection Law that is not applicable to the relevant Processing activities.
  2. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, and is deemed to also refer to "consumer" as defined in Data Protection Laws.
  3. "EU SCCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.
  4. "Personal Data" includes "personal data," "personal information," "personally identifiable information," and analogous terms, as defined by applicable Data Protection Laws, that Sumble Processes to provide the Services.
  5. "Process" and its cognates "Processing," "Processed," etc. mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  6. "Security Incident" means any breach of security that results in the accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  7. "Services" means the services that Sumble performs on behalf of Customer pursuant to the Agreement.
  8. "Subprocessor" means any third party or Sumble affiliate that Sumble engages to Process Personal Data to provide the Services.
  9. "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and completed as set forth herein.
  10. The terms "Business," "Controller," "Processor," and "Service Provider" are defined as in Data Protection Laws. "Controller" is deemed to also refer to "Business," and "Processor" is deemed to also refer to "Service Provider."

2. ROLES OF THE PARTIES; SCOPE AND PURPOSES OF PROCESSING

  1. Roles of the Parties. To the extent that Customer is the Controller of Personal Data, Sumble is its Processor. To the extent that Customer is a Processor of Personal Data, Sumble is its Subprocessor. The details of Sumble's Processing of Customer Personal Data are described in Schedule 1 to this DPA.
  2. Scope and Purposes of Processing. This DPA applies to all Personal Data that Sumble Processes to provide the Services under the Agreement. Sumble will Process Personal Data solely (i) in compliance with Data Protection Laws, (ii) on Customer's behalf, and (iii) to fulfill its obligations to Customer under the Agreement, including this DPA. For the avoidance of doubt, Sumble will Process Personal Data solely to provide the Services to Customer under the Agreement for the specific business purposes enumerated in the Agreement.
  3. Customer Obligations. Customer will Process Personal Data in compliance with Data Protection Laws, including providing Data Subjects with all required notices and consents necessary for Sumble to Process Personal Data in accordance with providing the Services. Customer represents and warrants that: (a) the Data Protection Laws applicable to Customer do not prevent Sumble from fulfilling the instructions received from Customer and performing Sumble's obligations under this DPA; and (b) Customer has a lawful basis for disclosing the Personal Data to Sumble and in enabling Sumble to Process the Personal Data as set out in this DPA. Customer shall notify Sumble without undue delay if Customer makes a determination that the processing of Personal Data under the Agreement does not or will not comply with applicable Data Protection Laws, in which case, Sumble shall not be required to continue processing such Personal Data.
  4. Customer Rights. Customer retains the right, upon 30 days' prior written notice to Sumble, to take reasonable and appropriate steps to (i) ensure that Sumble Processes Personal Data in a manner consistent with Data Protection Laws, and (ii) upon notice, stop and remediate unauthorized Processing of Personal Data, including any use of Personal Data not expressly authorized in this DPA.

3. PERSONAL DATA PROCESSING REQUIREMENTS

  1. Restrictions on Processing. Sumble will:
    1. not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Sumble, or for any purpose (including any commercial purpose) not set forth in this DPA or the Agreement;
    2. not "sell" or "share" any Personal Data, or use Personal Data for purposes of "targeted advertising," as such terms are defined in Data Protection Laws; and
    3. comply with any applicable restrictions under the CCPA on combining Personal Data with personal data that Sumble receives from, or on behalf of, another person or persons, or that Sumble collects from any interaction between Sumble and any individual.
  2. Confidentiality. Sumble will ensure that the persons Sumble authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Assistance. To the extent required by Data Protection Laws, Sumble will provide Customer with reasonable assistance:
    1. by implementing appropriate technical and organizational measures for the fulfilment of Customer's obligation to respond to requests for exercising Data Subjects' rights ("Requests") as set forth in Data Protection Laws, taking into account the nature of the Processing. If Sumble receives any Requests during the Term of the Agreement, Sumble will advise the Data Subject to submit the request directly to Customer and then will provide Customer with reasonable assistance in responding to the Request, where appropriate and requested by Customer;
    2. in performing any required data protection impact assessment of Processing or proposed Processing of Personal Data; and
    3. in consulting with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including any applicable obligation upon Sumble to consult with a regulatory authority in relation to Sumble's Processing or proposed Processing of Personal Data; and
    4. as necessary for the fulfilment of Customer's obligations under Data Protection Laws to maintain the security of Personal Data.
  4. Notice Regarding Compliance and Instructions. Sumble will promptly notify Customer if Sumble determines that (i) it can no longer meet its obligations under this DPA or Data Protection Laws; or (ii) in Sumble's opinion, an instruction from Customer violates Data Protection Laws, and Sumble is not deemed to be in breach of this DPA if it declines to Process Personal Data in a way that Sumble reasonably and in good faith believes would cause Sumble to violate Data Protection Laws.

4. DATA SECURITY

Sumble will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit B. Sumble will provide the level of protection for Personal Data that is required under Data Protection Laws applicable to Customer. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk.

5. SECURITY INCIDENT

  1. Notice. Sumble will notify Customer of any Security Incident without undue delay or within the time period required under Data Protections Law. To the extent available, this notification will include Sumble's then-current assessment of the following: (i) the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Security Incident; and (iii) measures taken or proposed to be taken by Sumble to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects. Sumble will provide timely and periodic updates to Customer as additional information regarding the Security Incident becomes available. Customer acknowledges that any updates may be based on incomplete information.
  2. Responsibilities of the Parties. Sumble will comply with the Security Incident-related obligations applicable to it under Data Protection Laws and will assist Customer in Customer's compliance with its Security Incident-related obligations. Customer is solely responsible for complying with Security Incident notification requirements applicable to Customer. Customer may request that Sumble reasonably assist Customer's efforts to notify Security Incidents to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Sumble's notice of or response to a Security Incident under this Section 5 will not be an acknowledgement or admission by Sumble of any fault or liability with respect to the Security Incident.

6. SUBPROCESSORS

  1. Authorization to Engage Subprocessors. Customer agrees that Sumble may, and provides general authorization for Sumble to, engage Subprocessors to Process the Personal Data to assist in providing the Services. A list of Sumble's Subprocessors is available at https://trust.sumble.com/subprocessors (or such other URL as Sumble may provide from time to time) ("Subprocessors List"). Customer may subscribe via that webpage to receive notifications of changes to the Subprocessor list by email. Sumble will impose contractual obligations on any Subprocessor it appoints requiring it to protect Personal Data to standards that are no less protective than those set forth under this DPA. Sumble shall remain liable to Customer for the performance of the Subprocessor's obligations under Data Protection Law.
  2. Subprocessor Notice and Objections. Sumble will provide reasonable advance notice of new Subprocessors that it appoints during the term of the Agreement by updating the list and notifying subscribed Customers. Customer has fourteen (14) calendar days from receiving such notice to make an objection on reasonable grounds relating to the protection of the Personal Data under Data Protection Laws by notifying Sumble at support@sumble.com. In the event Customer objects to a new Subprocessor, Sumble will use commercially reasonable efforts to make available to Customer a change in the Services or Customer's configuration or use of the Services to avoid processing of Customer Personal Data by the objected-to new Subprocessor. If Sumble is unable to make available such a reasonable change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Agreement.

7. DATA TRANSFERS

  1. Authorization to Transfer Personal Data. Customer authorizes Sumble and its Subprocessors to make international transfers of Personal Data in accordance with this DPA and Data Protection Laws.
  2. Order of Precedence. The Parties acknowledge that Data Protection Laws may require the Parties to implement certain safeguards (a "Transfer Mechanism") for Customer to transfer Personal Data to Sumble. In the event a transfer of Personal Data is covered by more than one Transfer Mechanism, the transfer will be subject to a single Transfer Mechanism, in accordance with the following order of precedence: (i) the EU SCCs and/or UK Addendum as set forth in Sections 7(c)-(e), as applicable; and (ii) if neither of the preceding is applicable, the Parties will cooperate in good faith to enter into an alternative Transfer Mechanism to the extent required by Data Protection Laws.
  3. To the extent legally required, by entering into this DPA, Customer and Sumble are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Sections 7(e) and (f) below) are deemed completed as follows:
    1. Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Sumble (as a Processor), and Module 3 of the EU SCCs applies to transfers of Personal Data from Customer (as a Processor) to Sumble (as a Subprocessor);
    2. Clause 7 (the optional docking clause) is not included;
    3. Clause 9 (Use of sub-processors): Option 2 (General written authorization) will apply and the time period for prior notice of Subprocessor changes is set forth in Section 6 of this DPA;
    4. Clause 11 (Redress): The optional language will not apply;
    5. Clause 17 (Governing law): The Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights) and select the law of Ireland;
    6. Clause 18 (Choice of forum and jurisdiction): The Parties select the courts of Ireland;
    7. Annexes I (List of Parties) and II (Technical and organizational measures) are completed as set forth in Exhibits A and B of this DPA, respectively; and
    8. Annex III (List of subprocessors) is not applicable because the Parties have chosen General Authorization under Clause 9, but details regarding Sumble's Subprocessors can be found in Section 6 above.
  4. UK Addendum. To the extent legally required, by entering into this DPA, the Parties are deemed to be signing the UK Addendum, which forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK Addendum. The Tables within the UK Addendum are deemed completed as follows:
    1. Table 1: The Parties' details shall be the Parties to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts indicated in the Exhibit A below.
    2. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties and completed in Section 7(b) of this DPA.
    3. Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively. Annex III is inapplicable.
    4. Table 4: Customer may end this DPA as set out in Section 19 of the UK Addendum.
  5. Transfers of Swiss Personal Data. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 7(b) of this DPA, but with the following differences to the extent required by the FADP: (i) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (ii) the term "member state" in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
  6. Order of Precedence. In the event of inconsistencies between the DPA and the EU SCCs, as completed in subsections (c)-(e) of this Section 7, the SCCs will prevail.

8. AUDITS

  1. Standard Audit Process. Sumble will make available to Customer documentation, data, certifications, reports, and records ("Records") relating to its Processing of Personal Data to demonstrate compliance with this DPA (an "Audit") provided the Agreement remains in effect and such audit is at Customer's sole expense. Customer may request an Audit upon fourteen (14) days' prior written notice to Sumble, no more than once annually, except, in the event of a Security Incident occurring on Sumble systems, in which case Customer may request an Audit within a reasonable period of time following such Security Incident.
  2. Written Requests and Inspections. If Customer has a reasonable objection that the Records provided are not sufficient to demonstrate Sumble's compliance with this DPA, Customer may, as reasonably necessary: (i) request additional information from Sumble in writing, and Sumble will respond to such written requests within a reasonable period of time ("Written Requests"); and (ii) only where Sumble's responses to such Written Requests do not provide the necessary level of information required by Customer, request access to Sumble premises, systems and staff, upon twenty one (21) days prior written notice to Sumble (an "Inspection") subject to the parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an auditor to conduct the Inspection, (c) the Inspection being carried out only during regular business hours, with minimal disruption to Sumble business operations, and (d) all costs associated with the Inspection being borne by Customer. Inspections will be permitted no more than once annually, except in the event of a Security Incident.
  3. Audit Process. To request an Audit, make Written Requests, or engage in an Inspection, Customer must notify Sumble pursuant to the instructions above at support@sumble.com.
  4. Duty of Confidentiality and EU SCC compliance. Nothing in this Section 8 shall require Sumble to breach any duties of confidentiality to any third parties. The Parties agree that the audits described in the EU SCCs, if applicable, shall be performed in accordance with this Section 8.

9. RETURN OR DESTRUCTION OF PERSONAL DATA

Except to the extent required otherwise by Data Protection Laws, Sumble will, at the choice of Customer and upon Customer's written request return to Customer and/or securely destroy all Personal Data within 90 days of such request, unless Data Protection Laws require Sumble to retain Personal Data. The Parties agree that the certification of deletion described in the EU SCCs, if applicable, shall be provided only upon Customer's written request.

10. INDEMNIFICATION AND LIMITATION OF LIABILITY

Each party's liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.

11. SURVIVAL; AMENDMENTS

The provisions of this DPA survive the termination or expiration of the Agreement for so long as Sumble or its Subprocessors Process Personal Data. Sumble may amend this DPA in order to comply with Data Protection Laws and will notify Customer of such changes. By continuing to use the Services after the DPA has been updated, Customer is deemed to have agreed to the updated DPA.

EXHIBIT A

ANNEX I TO THE EU SCCS

A. LIST OF PARTIES

Data exporter(s):

  • Name: Customer, as identified in the DPA.
  • Address: As provided in the Agreement.
  • Contact person's name, position, and contact details: As provided in the Agreement.
  • Activities relevant to the data transferred under these Clauses: The data exporter receives the data importer's Services pursuant to their underlying Agreement.
  • Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
  • Role: Controller.

Data importer(s):

  • Name: Sumble, as identified in the DPA.
  • Address: As provided in the Agreement.
  • Contact person's name, position, and contact details: As provided in the Agreement.
  • Activities relevant to the data transferred under these Clauses: The data importer provides Services to the data exporter pursuant to their underlying Agreement.
  • Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these EU SCCs by both parties.
  • Role: Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

  • Customer employees and representatives - Individuals employed by or acting on behalf of the Customer who access or use the Services (e.g., account administrators, sales personnel, managers).
  • Authorized users of the SaaS application – individuals whom the Customer authorizes to create accounts and log into the Sumble platform.
  • Customer's business contacts and leads - Individuals identified by the Customer as relevant for sales, marketing, or business development purposes, including employees of the Customer's own clients, prospects, or other professional contacts.
  • Support and communication participants - Individuals who communicate with Sumble support or customer success teams (e.g., via email or ticketing system) where such communications include personal data.

Categories of personal data transferred: The Personal Data transferred concern the following categories of data:

  • Customer employee data: name, business email address, job title/role, sales territory (if applicable).
  • Customer contact and lead data: name, job title/role, current company/organization, business email address, and other professional contact information (e.g., phone number, LinkedIn profile URL if provided by Customer).
  • SaaS account and authentication data: login identifier (typically email), hashed password, multi-factor authentication tokens (if enabled), account role/permissions, and user preferences/settings.
  • Usage and activity data: search terms entered, pages or features accessed, timestamps of logins, IP address, device/browser information, and other technical identifiers or log data generated through use of the SaaS application.
  • Support/communication data: content of help tickets, emails, or in-app messages exchanged with Sumble support, where such communications include personal data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous for the duration of the Agreement.

Nature of the processing: Sumble's Processing activities shall be limited to those discussed in the Agreement and the DPA.

Purpose(s) of the data transfer and further processing: The purpose of the transfer to and further Processing of Personal Data by Sumble is for Sumble to provide the Services to Customer as set forth in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the period of time necessary for Sumble to provide the Services to Customer under the Agreement and/or in accordance with applicable legal requirements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Same as above to the extent that Personal Data is provided to Subprocessors for purposes of providing the Services.

C. COMPETENT SUPERVISORY AUTHORITY

To the extent legally permitted, the competent supervisory authority is the Irish Data Protection Commission.

EXHIBIT B

SUMBLE DATA SECURITY MEASURES

Sumble will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:

Sumble's Information Security Program includes specific security requirements for its personnel and all Subprocessors or agents who have access to Personal Data ("Data Personnel"). Sumble's security requirements cover the following areas:

  1. Information Security Policies and Standards. Sumble will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
  2. Physical Security. Sumble will maintain commercially reasonable security systems at all Sumble sites at which an information system that uses or stores Personal Data is located ("Processing Locations") that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
  3. Organizational Security. Sumble will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
  4. Network Security. Sumble maintains commercially reasonable information security policies and procedures addressing network security.
  5. Access Control. Sumble agrees that: (1) only authorized Sumble staff can grant, modify, or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
  6. Virus and Malware Controls. Sumble protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
  7. Personnel. Sumble has implemented and maintains a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
  8. Business Continuity. Sumble implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Sumble also adjusts its Information Security Program in light of new laws and circumstances, including as Sumble's business and Processing change.