Data Processing Agreement

Introduction

About TrackBN

We are Asset Lino LLC, Entity No. C1586340, mailing address: 1001 S MAIN STREET, STE 500, Kalispell, MT 59901, United States. We provide a SaaS system that is used to structure, monitor, analyze and manage data for affiliate and partner marketing purposes, which is called "TrackBN". More information on how TrackBN works is available on our website https://trackbn.com.

Definitions

Definitions. To make the text easier to read, we have prepared definitions of the terms we use in this DPA. If you encounter other terms in this DPA which are not specified below, such terms then have a meaning defined in our Terms.

• The "Controller" is your company that uses TrackBN, based on the applicable Terms.
• The "GDPR" refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• The "DPA" refers to this Data Processing Agreement.
• The "Processor" is our company, Asset Lino LLC, Entity No. C1586340, 1001 S MAIN STREET, STE 500, Kalispell, MT 59901, United States. We are the entity which processes Personal Data on behalf of the Controller under this DPA.
• The "Terms" are the terms that govern use of TrackBN or other form of written agreement on the basis of which we provide TrackBN to you. Different Terms may apply depending on which version of TrackBN you use.

1. Reasons for entering into this DPA

1.1 Main Agreement

The Processor and the Controller cooperate on the basis of a contractual relationship which is based in particular on the applicable Terms (the "Main Agreement"). The Processor provides the Controller with TrackBN and possibly other Services. Within the framework of this cooperation, personal data are or may be transferred by the Controller to the Processor. A purpose of processing and the funds for such processing are determined and provided by the Controller, and the Processor further processes the personal data for the Controller within the limits of this DPA and applicable legal regulations (mainly the GDPR).

1.2 Processing

This DPA defines the rights and obligations of the Parties with regards to the processing of personal data.

1.3 Terms

Unless otherwise provided for in this DPA, the terms used therein shall have the same meaning as in the Main Agreement, especially as in the applicable Terms.

2. Personal data processing

2.1 Categories of data subjects

The Processor is authorized to process the personal data of the Affiliates, Enquirers, customers, potential customers and/or employees of the Controller. However, the Processor may process the personal data of anyone, if the Controller or its employees give the Processor access to such personal data to be processed in TrackBN or for any other reason as stipulated in this DPA or agreed between us.

2.2 Personal Data

The Processor shall be entitled to process the following personal data on behalf of the Controller:

• Identification data (e.g., name and surname, titles, company names);
• Contact details (e.g., residential address, telephone number, and e-mail);
• Technical data (e.g., IP addresses of computers and mobile devices, geolocation information);
• Business data (e.g. commission plans, business information);
• Transaction data (e.g. clicks, registrations);
• Other information about the data subjects (in particular information relating to the contract they enter into with the Controller and communication between the Controller and the customers).

(collectively the "Personal Data").

2.3 Special categories

The Processor will not process any special categories of personal data as these are described in the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships; processing of genetic data, biometric data or data concerning health or sex life or sexual orientation of a data subject). If any such special categories of personal data could be available to the Processor, the Controller agrees to inform the Processor about this.

2.4 By the Controller

The processing will be carried out by the Controller providing the Processor with access to the Personal Data.

2.5 Purpose of processing

The Processor will process any Personal Data solely for the purpose of providing TrackBN and its Services as per the Main Agreement. The Processor will never use or transfer the Personal Data for its own benefit or for a benefit of a third party.

2.6 Instructions for processing

The Controller may provide the Processor with instructions regarding the processing of Personal Data. The main instruction for the processing is this DPA. The Controller is authorized to extend the purpose of processing in accordance with the law or give additional instructions, whereby instructions for further processing can only be communicated to the Processor in writing. For this DPA, e-mail communications between the Parties addressed to the authorized persons shall also be deemed to be in writing.

2.7 Methods of processing

Processing of the Personal Data by the Processor will consist of collection, recording, sorting, transmission, and storage, as well as other activities necessary for the performance of the Main Agreement. The Processor may process the Personal Data by automated and, where applicable, manual means, so that this activity corresponds to the purpose of the processing of the Personal Data as per this DPA.

3. Rights and obligations of the parties

3.1 Measures

The Processor undertakes to take technical, organizational, and other measures that shall prevent unauthorized or accidental access to the Personal Data, their change, destruction, loss, or other unauthorized treatment of the Personal Data. The Processor undertakes in particular:

• To use secured access to computers and other devices where Personal Data could be processed, where access information is known only to the Processor and its employees;
• To use secured access to TrackBN or another database of the Personal Data, so that the Personal Data are not made available to a third party;
• To use only software and services that comply with standard requirements for data security for the purpose of Personal Data processing;
• Not to make copies of the database of the Personal Data without the prior consent of the Controller;
• Use suitable methods of security, e.g., encryption or other convenient and necessary means always depending on particular act and Personal Data being processed;
• Not to allow access to the Personal Data to any third parties, unless such access is approved in writing by the Controller or unless it arises from the DPA;
• To maintain confidentiality regarding the Personal Data.

3.2 Other obligations

The Processor also undertakes:

• To process the Personal Data only in such a form in which they were transferred to him by the Controller;
• To process the Personal Data only for the purpose defined by the DPA and solely to the extent necessary for the fulfillment of such purpose;
• Not to merge Personal Data obtained for different purposes or from different controllers;
• To keep the Personal Data only for the period specified in the information obligation or end-user consent. Unless otherwise agreed between the Processor and the Controller, the Controller is obliged to inform the Processor of the expiry of this period. On the basis of such notification, the Processor shall cease to process the Personal Data.

3.3 Restricted processing

The Processor is obliged to ensure that employees and other persons authorized by the Processor to process the Personal Data only do so to the extent and for the purposes of this DPA and the GDPR.

3.4 Compliance

Both the Processor and the Controller undertake to comply with the obligations set out in the GDPR and other generally binding legal regulations relating to this activity when processing the Personal Data based on this DPA.

3.5 Correctness

The Processor undertakes to correct, update, delete or transfer the Personal Data as instructed by the Controller without undue delay after such request.

3.6 Requests of data subjects

When a data subject exercises a right as per the GDPR or any applicable legal regulation, the Controller agrees to deal with such a request as per the applicable regulation. When required, the Controller shall delete the affected Personal Data from TrackBN itself (e.g., request for a deletion, objection to processing based on a legitimate interest of the Controller etc.). If such an action cannot be made by the Controller itself, the Processor undertakes to make such an action without undue delay after the written notice of the Controller. E-mail communication of the Parties shall be also considered as written form. When the Processor receives a request from a data subject, it agrees to provide such a request to the Controller without undue delay.

3.7 Professional care

When fulfilling the obligations under the DPA, the Processor shall be obliged to proceed with professional care, observe the Controller's instructions and act in the interests of the Controller.

3.8 Sub-processors

The Processor shall be entitled to involve other processors (the "Sub-processor") in the processing of the Personal Data, in particular storage and cloud solution providers, operators of other software necessary and currently available on the market for the purpose of services that meet the standards set by the European Union, and other service providers necessary to fulfill the purpose of this DPA and the Main Agreement, without any additional explicit specific permission from the Controller. The Processor must enter into a written DPA with each Sub-processor imposing data protection terms of the standard required by this DPA. The Processor remains liable to the Controller if a Sub-processor fails to fulfill its data protection obligations. Current list of Sub-processors is attached hereto as Appendix 1.

3.9 Notice of new Sub-processors

The Processor maintains an up-to-date list of its Sub-processors in Appendix 1 of this DPA. The Controller is obliged to review the list itself. The Controller is entitled to raise objections against the involvement of any new Sub-processor and may do so within 30 days of the date when the information about the new Sub-processor was made available by the Processor. The Controller only agrees to raise an objection for a valid reason which it agrees to disclose to the Processor, as an unfounded objection could influence the provision of the Services by the Processor.

3.10 Audit

The Processor undertakes to provide the Controller with any information necessary for proving that the duties stipulated by this DPA or by the GDPR relating to the Personal Data were fulfilled and to allow the Controller or a third party to carry out an audit to a reasonable extent. The intention to carry out the audit shall be notified by the Controller to the Processor by e-mail. After this notification, the Parties shall agree on the date of the audit, which shall occur no later than 30 days after the receipt of this notification. If the Parties do not agree on the audit date, it shall be determined by the Processor. The audit shall not unduly interfere with the activities of the Processor. The costs of the audit are covered by the Controller. The Controller shall maintain the confidentiality of any information discovered during the audit concerning the Processor, in particular its security policies and standards. The Controller shall oblige third parties authorized by him to carry out the audit to the same extent.

3.11 Cooperation

Upon the Controller's reasonable request, and considering the nature of the processing, the Processor will provide reasonable assistance to the Controller in fulfilling the Controller's obligations under applicable data protection laws (including data protection impact assessments and consultations with regulatory authorities), provided that the Controller cannot reasonably fulfill such obligations independently. The Processor is entitled to request additional compensation for such cooperation.

3.12 Notification obligation

Processor shall notify Controller within twenty-four (24) hours of discovering any actual or suspected security breach affecting personal data. Such notice shall include: (i) nature and extent of the breach; (ii) categories and approximate number of data records concerned; (iii) likely consequences of the breach; (iv) measures taken or proposed to address the breach.

4. Duration of the DPA

4.1 Effectiveness

This DPA shall be effective for the duration of the Main Agreement (see Paragraph 1.1 of the DPA).

4.2 Termination

In the event of any termination of the DPA or termination of the Personal Data processing, the Processor shall be obliged to destroy immediately the Personal Data provided to him or any copies thereof, unless otherwise provided by this DPA and/or the Main Agreement, in particular if there is another legal reason for their processing or if the Parties agree that the Personal Data will be returned to the Controller.

5. Confidentiality

5.1 Confidentiality

The Processor undertakes to maintain the confidentiality of the Personal Data processed, in particular, the Processor shall not publish them, spread them, or transfer them to other persons except for the persons in an employment relationship with the Processor or other authorized persons entrusted with the processing of the Personal Data. The Processor shall be obliged to ensure that also his employees and other authorized persons comply with the duty of confidentiality. This obligation of the Processor continues even after the termination of this contractual relationship.

5.2 Safety measures

The Processor undertakes to maintain confidentiality concerning the safety measures taken to secure the Personal Data protection, even after the termination of this contractual relationship. The Parties expressly agree that the Processor is entitled to disclose its general security standards, which it undertakes to follow, and such disclosure shall not breach this obligation of confidentiality.

6. Liability

6.1 Liability

If the Processor breaches its obligations under this DPA or the GDPR, it shall be liable for damages resulting from such violation. However, the Processor is not liable for any unauthorized processing of the Personal Data by the Controller.

7. Final provisions

7.1 Appendix

This DPA is a binding and inseparable appendix to the Main Agreement.

7.2 Changes

Any change or amendment hereto shall be in writing and signed by both Parties.

7.3 Assistance

The Parties undertake to provide each other with all the necessary assistance and data to secure effective implementation hereof, in particular in the case of dealing with data protection authorities or other public authorities.

7.4 Governing law

In the case that the contractual relationship established hereby contains an international element, the Parties agree that this DPA shall be governed by the laws of the United States and the State of Montana, without regard to conflict of law principles.

7.5 Jurisdiction

In the event of disputes arising from this DPA, the Parties agree that any disputes will be resolved by the courts of the United States. The Parties agree to the exclusive jurisdiction of the courts of the United States.

7.6 Effectiveness

This DPA is effective as of July 17, 2025.

Appendix 1 to Data Processing Agreement

List of Sub-Processors

For a complete and current list of sub-processors, see /processors or contact support@trackbn.com.