Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies whenever Finnect, LLC, operating the Piplead service ("Finnect", "Piplead"), processes personal data on behalf of the Customer ("Customer") in its capacity as processor under GDPR / UK GDPR or equivalent local law.

For the trader records that Piplead sources from its own platform and resells to the Customer, Piplead acts as an independent controller at the point of sourcing, and the Customer becomes an independent controller upon receipt. Where Piplead processes Customer-side data inside the workspace (e.g., suppression lists uploaded by the Customer), Piplead acts as processor.

Subject matter: provision of the Service. Duration: for as long as Piplead processes personal data on behalf of the Customer under the Terms. Nature and purpose: delivery of consent-based trader signal and operation of the Customer's workspace.

Data subjects: traders who consented on the Piplead Trade Automation Platform; the Customer's own staff using the workspace.

Categories of data: identifiers, contact data, country, broker / platform / volume / recency metadata, derived intent score, workspace activity logs.

Special-category data: none.

• Process personal data only on documented instructions from the Customer (the Terms, the workspace configuration, and written instructions sent to legal@piplead.com).
• Ensure persons authorised to process the data are bound by confidentiality.
• Implement appropriate technical and organisational measures (see Annex II below).
• Engage sub-processors only as listed at /legal/sub-processors and notify the Customer of additions with a right to object.
• Assist the Customer with data-subject requests, DPIAs, and prior consultations to the extent reasonable.
• Notify the Customer without undue delay, and within 72 hours of becoming aware, of any confirmed personal-data breach affecting the Customer's workspace.
• On termination, return or delete personal data, at the Customer's choice, unless retention is required by law.
• Make available all information necessary to demonstrate compliance with this DPA, and allow audits in line with section 7.

The current list of sub-processors is published at /legal/sub-processors and is incorporated by reference. The Customer can subscribe to change notifications by emailing privacy@piplead.com. Material additions are notified at least 30 days in advance, and the Customer may object on reasonable data-protection grounds.

Where personal data is transferred outside the EEA / UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module Two for controller-to-processor transfers, Module Three for processor-to-processor transfers, as applicable), and the UK International Data Transfer Addendum where the UK GDPR applies. The SCCs are incorporated by reference and prevail in case of conflict with this DPA.

Once per year, on at least 30 days' written notice, the Customer (or an independent auditor bound by confidentiality) may audit Piplead's compliance with this DPA. Audits are performed during business hours, must not unreasonably interfere with the Service, and are at the Customer's cost unless they reveal a material breach by Piplead.

Categories of data subjects: traders consenting on the Piplead Trade Automation Platform; Customer staff.

Categories of personal data: identifiers, contact data, country, trading platform metadata, derived intent score, workspace activity logs.

Frequency of transfer: continuous, in real time.

Nature of processing: hosting, transmission, storage, scoring, deduplication, suppression management.

Purpose: delivery of the Service.

Retention: as set out in the Privacy Policy.

• Encryption in transit (TLS 1.2+) and at rest via the cloud database provider.
• Role-based access control with least-privilege defaults.
• Audit logging of administrative actions.
• Multi-factor authentication for staff access to production.
• Backup and recovery procedures with rotation within 90 days.
• Vulnerability management with regular dependency upgrades.
• Incident response runbook with 72-hour external notification target.
• Employee confidentiality agreements and access reviews on offboarding.