DATA PROCESSING AGREEMENT (DPA)

Effective Date: March 27, 2026

Last Updated: March 27, 2026

1. Parties

Data Controller: Magnat Professional LLC

Controller Address: Prospect V. O. 88 Saint-Petersburg, Saint-Petersburg 199226 Russia

Data Processor: Magnat Professional LLC

Processor Address: Prospect V. O. 88 Saint-Petersburg, Saint-Petersburg 199226 Russia

2. Background

This Data Processing Agreement ("DPA") forms part of the agreement between the Data Controller and the Data Processor for the provision of services that involve the processing of personal data.

The purpose of this DPA is to ensure that both parties comply with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR).

3. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

• "Personal Data" means any information relating to an identified or identifiable natural person ('data subject').
• "Processing" means any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including where applicable, the GDPR, the UK GDPR, and the data protection laws of any other relevant jurisdiction.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
• "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
• "Supervisory Authority" means an independent public authority established pursuant to Data Protection Laws.

4. Scope and Nature of Processing

4.1 Categories of Data Subjects

Website Visitors

4.2 Types of Personal Data

Names, Email addresses

4.3 Purposes of Processing

Customer support

4.4 Duration of Processing

The personal data will be processed until the Data Controller instructs the Data Processor to stop processing.

5. Obligations of the Data Processor

The Data Processor shall:

• Process the personal data only on documented instructions from the Data Controller, including with regard to transfers to a third country or an international organization.
• Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
• Respect the conditions for engaging another processor (sub-processor) as set out in this DPA.
• Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
• At the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services, and delete existing copies unless storage is required by law.
• Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

6. Security Measures

The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data during transmission and at rest
• Access controls and authentication mechanisms to ensure that only authorized personnel can access personal data
• Regular security assessments, vulnerability scanning, and penetration testing
• Regular backup procedures to ensure data availability and resilience
• Documented incident response and data breach notification procedures
• Regular staff training on data protection and security awareness

7. Sub-processors

The Data Processor shall not engage any sub-processors for the processing of personal data under this DPA.

8. Data Subject Rights

The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the data subject's rights under applicable Data Protection Laws.

If the Data Processor receives a request from a Data Subject in relation to their Personal Data, the Data Processor shall:

• Promptly notify the Data Controller of the request
• Not respond to the request except on the documented instructions of the Data Controller or as required by applicable laws
• Provide the Data Controller with all reasonable cooperation and assistance in relation to the request

9. Data Breach Notification

In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach.

The notification shall at least:

• Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
• Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
• Describe the likely consequences of the personal data breach
• Describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

10. Audit Rights

The Data Controller may conduct audits of the Data Processor's data processing facilities and practices on an annual basis with reasonable notice.

11. International Data Transfers

The Data Processor shall not transfer personal data to a third country or an international organization unless required to do so by law or with the prior written consent of the Data Controller. Any such transfer must be conducted in accordance with Chapter V of the GDPR.

12. Termination

Upon termination of the data processing services, the Data Processor shall, at the choice of the Data Controller, delete or return all the personal data to the Data Controller, and delete existing copies unless applicable law requires storage of the personal data.

13. Liability

The Data Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Data Controller.

16. Miscellaneous

This DPA shall take precedence over any conflicting provisions in the main agreement between the parties with respect to the processing of personal data.

Any amendments to this DPA must be in writing and signed by both parties.

This data processing agreement was generated on March 27, 2026 and should be reviewed by a legal professional to ensure compliance with applicable laws in your jurisdiction.