Data Processing Addendum (DPA)
URL: https://www.productpathpro.com/dpa
Effective date: 5 September 2025
Parties: (1) Customer (controller) and (2) PE Artem Syzonenko, trading as ProductPathPro (processor).
Contact (processor): [email protected]

1. Scope & roles
1.1 This DPA applies to ProductPathPro’s processing of Customer Data (as defined in the Terms of Use) that includes personal data subject to Applicable Data Protection Laws (e.g., GDPR, UK GDPR, CCPA/CPRA).
1.2 For such personal data, Customer is the controller, and ProductPathPro is the processor (EU/UK) and service provider (California).
1.3 The Terms of Use (the “Agreement”) remain in force. This DPA prevails over conflicting terms solely for processing of personal data.

2. Customer instructions
2.1 ProductPathPro will process personal data only on documented instructions from Customer: (a) to provide, secure, and support the Service; (b) as configured or initiated by Customer via the Service; and (c) as required by law.
2.2 If an instruction violates applicable law, ProductPathPro will notify Customer (unless legally prohibited).
2.3 Sanctions carve-out. Notwithstanding any instruction, ProductPathPro may decline or suspend processing that would reasonably cause a violation of EU/UK/U.S./UN/Ukraine sanctions or export-control laws, and will notify Customer where legally permitted.

3. Confidentiality
ProductPathPro ensures personnel with access to personal data are bound by confidentiality obligations.

4. Security measures
ProductPathPro maintains reasonable technical and organizational measures appropriate to risk, including: encryption in transit (TLS), access control/least privilege, authentication (including MFA for administrative access), network segmentation, logging and monitoring, vulnerability management, secure development practices and reviews, backups and recovery procedures, and incident response processes. Details appear in Annex II.

5. Personal data breaches
Upon becoming aware of a personal data breach affecting Customer Data, ProductPathPro will notify Customer without undue delay and in any event within 72 hours, and provide information reasonably available to assist Customer in meeting its obligations.

6. Subprocessors
6.1 Customer authorizes ProductPathPro to engage subprocessors to deliver the Service, subject to written contracts imposing data-protection obligations no less protective than this DPA. Current core subprocessors are listed in Annex III.
6.2 ProductPathPro will provide 30 days’ prior notice before adding a materially new subprocessor. If Customer reasonably objects, Customer may terminate the affected Service before the change takes effect.

7. International transfers
7.1 EU/EEA: Where ProductPathPro processes personal data subject to GDPR on behalf of Customer and a restricted transfer occurs, the EU Standard Contractual Clauses (SCCs) — Controller→Processor, Module 2 — are incorporated by reference between Customer (data exporter) and ProductPathPro (data importer). Annex I/II/III of the SCCs are completed by the Annexes to this DPA.
7.2 UK: For UK GDPR, the UK Addendum to the EU SCCs is incorporated with tables completed in Annex I-UK.
7.3 If another transfer mechanism becomes applicable, the parties may adopt it.

8. Assistance
ProductPathPro will provide reasonable assistance (taking into account the nature of processing and information available) with: (a) data subject requests; (b) security, breach notifications; (c) data-protection impact assessments and prior consultations, to the extent required by law and proportionate to the Service.

9. Audits & information
Upon written request (no more than annually and subject to confidentiality), ProductPathPro will provide information reasonably necessary to demonstrate compliance (e.g., policy summaries). On-site audits occur only where required by law, upon reasonable notice, limited to relevant controls, and at Customer’s expense.

10. Return & deletion
At termination of the Agreement (or upon Customer’s written request), ProductPathPro will delete personal data within the timelines in the Agreement and this DPA. Self-service export is not currently provided. Backups are deleted per standard cycles.

11. California (CPRA) service provider terms
For California “personal information,” ProductPathPro: (a) acts as a service provider; (b) processes solely to provide and improve the Service for Customer, not for any other purpose; (c) does not sell or share personal information; (d) will not combine personal information with data from other sources except as permitted by CPRA; (e) will assist Customer with consumer requests as required; (f) will notify Customer if it can no longer meet its obligations; and (g) grants Customer the right to take reasonable and appropriate steps, including requesting information or audits, to ensure ProductPathPro’s CPRA compliance.

12. Liability & precedence
The parties’ respective liability and limitations are governed by the Agreement. In the event of conflict, this DPA controls for processing of personal data.

13. Customer responsibilities (summary reminder)
Customer is solely responsible for notices/consents, lawful basis, and correct configuration of masking, suppression, and exclusions to avoid capturing prohibited or sensitive data (e.g., special categories, credentials, government IDs, financial data, health/PHI, precise geolocation of minors). The Service is not intended to record children absent verifiable consent and full compliance with applicable law.

14. Term
This DPA becomes effective on the Effective date above and remains in force for as long as ProductPathPro processes personal data for Customer under the Agreement.

Annex I — Description of processing (SCCs Annex I, Sec. A & B)

A. Parties
Exporter (controller): Customer (contact: as provided in Customer’s account)
Importer (processor): PE Artem Syzonenko (ProductPathPro), 149/100 Kalynova Str., Dnipro, Ukraine; contact: [email protected]

B. Description
Subject matter: Provision of session/screen recording and analytics services for Customer’s websites/apps.
Duration: Term of the Agreement; standard retention 30 days for recordings/events; backups per cycles.
Nature & Purpose: Collection and processing of web/app interaction data (events, session/recording frames), diagnostics, metrics, and derived analytics to provide, maintain, secure, and improve the Service.
Categories of data subjects: End users of Customer’s sites/apps; Customer’s staff/authorized users.
Categories of personal data: Interaction events (clicks, scrolls, keystroke metadata), page URLs/titles, timestamps, device/browser metadata, IP-address-derived data, session identifiers, Customer-provided identifiers or user attributes, audio/video frame data if enabled. Not intended to collect special-category or other prohibited data; Customer must configure masking/suppression accordingly.
Sensitive data: Not intended / contractually prohibited.
Frequency: Continuous as initiated by Customer’s integration/configuration.
Retention/erasure: As per Section 10 and Agreement (default 30 days).
Competent Supervisory Authority (EU): Exporter’s lead supervisory authority where applicable.

C. Authorized subprocessors: See Annex III.

Annex II — Technical & organizational measures (SCCs Annex II)

Information security program:
Governance & risk: Documented security policies; periodic risk assessment; least-privilege access model.
Access control: Unique accounts; MFA for administrative access; role-based permissions; session timeouts; logging of privileged actions.
Physical & network: Provider data centers (Linode/Cloudflare); network segmentation; DDoS protections via CDN; firewalls; secure remote access.
Encryption: TLS for data in transit; encryption at rest where supported by underlying services; key management per provider capabilities.
Application security: Secure SDLC, code review, dependency scanning, vulnerability management and patching.
Monitoring & logging: Centralized logs, anomaly detection, alerting.
Backup & recovery: Regular backups; restore testing; geo-redundancy per provider services.
Incident response: Documented plan; investigation, containment, eradication, recovery; post-incident review.
Personnel: Background/eligibility checks where lawful, confidentiality agreements, security training.
Data minimization & masking: Controls for field suppression/masking; configuration guidance to prevent capture of sensitive fields.
Supplier management: Subprocessor due diligence and contractual controls.
Business continuity: Redundancy and recovery procedures proportionate to scale.

Annex III — Subprocessors
Linode (Akamai) — US: hosting/compute/storage
Cloudflare, Inc. — Global: CDN, WAF, DDoS mitigation, proxy caching
Postmark (ActiveCampaign, LLC) — US: transactional email delivery

Annex I-UK — UK Addendum tables (summary)
Table 1 (Parties): Exporter = Customer; Importer = PE Artem Syzonenko (ProductPathPro), contact [email protected]
Table 2 (Selected SCCs): EU SCCs (Controller→Processor, Module 2)
Table 3 (Annexes): Annex I/II/III as above
Table 4 (Ending): Neither party may vary the Addendum beyond permitted formatting; governing law for SCCs = Ireland (for interpretation of EU SCCs)

Acceptance & countersignature
Click-through acceptance: This DPA applies automatically under the Terms.
Countersigned PDF: If needed, email [email protected] for a signable PDF (Customer → Company name, signatory, title, date; ProductPathPro → PE Artem Syzonenko, proprietor).