Data Processing Agreement
Last updated: 21 May 2026
These terms apply to all visitors, registered users, and customers of EchoClip.ai.
Preamble
This Data Processing Agreement ("DPA") forms part of the EchoClip Terms of Service entered into between Atlas Ridge Holdings and Developments, Co., trading as EchoClip.ai ("Processor", "EchoClip"), and the customer accepting the Terms ("Controller", "Customer", "you"). Where this DPA conflicts with the main Terms of Service in respect of personal data processing, this DPA prevails.
1. Definitions
Capitalised terms used in this DPA carry the meaning given to them in Article 4 of Regulation (EU) 2016/679 ("GDPR"), in the UK Data Protection Act 2018, in the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), and in any other applicable data protection law (collectively, "Data Protection Law"). In particular:
• "Controller", "Processor", "Personal Data", "Processing", "Data Subject", "Special Categories of Personal Data" — as defined in GDPR Article 4.
• "Subprocessor" — any third party engaged by EchoClip to process Personal Data on behalf of the Controller.
• "Services" — the EchoClip platform and APIs as described at echoclip.ai.
• "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Scope, subject matter, and roles
EchoClip processes Personal Data on behalf of the Customer for the purpose of providing the Services. The Customer is the Controller in respect of all Personal Data processed via the Services unless otherwise agreed in writing. EchoClip acts as Processor and undertakes to process Personal Data only on the Controller's documented instructions (which include the act of using the Services in accordance with the Terms of Service).
The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are described in Schedule 1 of this DPA.
3. EchoClip's obligations
EchoClip shall:
(a) process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by applicable law (in which case EchoClip will inform the Controller of that legal requirement before processing, unless prohibited by law);
(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) implement the technical and organisational security measures described in Schedule 2 to protect the Personal Data;
(d) respect the conditions for engaging Subprocessors set out in Section 4 below;
(e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subjects' rights;
(f) assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to EchoClip;
(g) at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless retention is required by applicable law;
(h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality undertakings and operational constraints.
4. Subprocessors
The Controller hereby grants EchoClip general authorisation to engage Subprocessors for the provision of the Services. The current list of Subprocessors is published and maintained at echoclip.ai/privacy (Section 4) and includes, at the date of this DPA:
• Supabase Inc. — database, authentication, file storage (US / EU)
• Stripe, Inc. — payment processing (US)
• Railway Corp. — backend compute and hosting (US)
• Vercel Inc. — marketing site and frontend hosting (US)
• fal.ai (Features and Labels, Inc.) — AI generation (US)
• OpenAI, L.L.C. — text generation / captioning where applicable (US)
• Resend, Inc. — transactional email delivery (US)
• Cloudflare, Inc. — CDN, DNS, DDoS protection (Global)
EchoClip will provide the Controller with at least 14 days' prior notice (by email or in-product notification) of the addition or replacement of any Subprocessor. The Controller may object on reasonable grounds (legitimate concerns regarding data protection, security, confidentiality) within that notice period; the parties will then discuss in good faith a mutually acceptable resolution. If no resolution can be reached, the Controller's sole and exclusive remedy is to terminate the affected Service with pro-rated refund of pre-paid fees for the unused period.
EchoClip remains fully liable for the acts and omissions of its Subprocessors as if they were its own.
5. International data transfers
Where the provision of the Services requires the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision from the European Commission (or equivalent body), the parties agree that such transfer shall be governed by:
(a) the Standard Contractual Clauses for the transfer of personal data to third countries, Module 2 (Controller-to-Processor) where the Customer is the data exporter and EchoClip the data importer, hereby incorporated into this DPA by reference; and
(b) the UK Addendum to the SCCs issued by the Information Commissioner's Office under section 119A(1) of the UK Data Protection Act 2018, where the transfer is from the UK.
The parties agree that in case of conflict between the SCCs and this DPA, the SCCs shall prevail.
6. Personal data breach
EchoClip shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. The notification will, at minimum:
• describe the nature of the breach (categories and approximate number of Data Subjects and records affected);
• communicate the name and contact details of a point of contact at EchoClip where further information can be obtained;
• describe the likely consequences of the breach; and
• describe the measures taken or proposed to address the breach.
Where not all information is available at the time of the initial notification, EchoClip will provide updates in phases without further undue delay.
7. Assistance with Data Subject rights
Taking into account the nature of the processing and the information available to it, EchoClip will provide reasonable assistance to the Controller in responding to requests from Data Subjects to exercise their rights under Data Protection Law. EchoClip provides self-service tooling for Data Subject Access Requests and Erasure Requests directly inside the EchoClip product (Settings → Privacy & data → Export / Delete). Where a Controller needs to action a request on behalf of one of its own end users, EchoClip will respond to a written request from the Controller (sent to privacy@echoclip.ai) within ten business days.
8. Security measures
EchoClip implements the technical and organisational measures described in Schedule 2, including but not limited to: encryption of data in transit (TLS 1.2+) and at rest, role-based access controls, least-privilege service accounts, audit logging of administrative actions, regular vulnerability scanning, secure software development practices, and incident response procedures.
9. Return or deletion at termination
On termination of the Services for any reason, EchoClip shall, at the Controller's choice expressed within 30 days of termination, either return all Personal Data to the Controller in a structured, commonly-used and machine-readable format, or delete all Personal Data and certify such deletion in writing. EchoClip may retain Personal Data only to the extent (and for the duration) required by applicable law. Anonymised aggregate data may be retained indefinitely for service-improvement purposes.
Schedule 1 — Description of processing
Subject matter: provision of the EchoClip platform, including video generation, AI clipping, captioning, social media publishing, and related analytics features.
Duration: for the duration of the Customer's subscription, plus the retention periods set out in EchoClip's Privacy Policy.
Nature and purpose: storage, transmission, transformation, analysis, and AI-based generation of content uploaded or created by Data Subjects in the course of the Customer's use of the Services.
Categories of Personal Data:
• Identification and contact data (name, email address, password hash).
• Account and billing data (subscription tier, billing address, payment method metadata).
• User-generated content (videos, images, prompts, captions, generated outputs).
• Usage and technical data (IP address, browser, device identifiers, server logs).
• Connected social account tokens and metadata (where the Customer chooses to connect social profiles).
Special Categories of Personal Data: not intentionally processed. The Customer must not upload Special Categories of Personal Data unless and until a written addendum to this DPA addressing such categories has been signed by both parties.
Categories of Data Subjects: the Customer's end users, the Customer's representatives, and individuals appearing in user-uploaded content.
Schedule 2 — Security measures
Confidentiality and integrity of processing:
• TLS 1.2+ for all data in transit between Data Subjects, EchoClip, and Subprocessors.
• Encryption at rest for Personal Data stored in Postgres (Supabase) and object storage.
• Bcrypt-equivalent password hashing for authentication credentials; no plain-text storage.
• Multi-factor authentication available on the EchoClip and Supabase administrative consoles.
Availability and resilience:
• Daily encrypted backups of the Postgres database with point-in-time recovery for the rolling 7-day window.
• Hosting on Railway and Vercel with documented uptime SLAs.
• Periodic restore tests.
Access control:
• Role-based access control to administrative consoles.
• Least-privilege service accounts for backend-to-Subprocessor connections (Stripe, fal.ai, Resend, etc.).
• Centralised secret management; secrets rotated on personnel turnover.
Audit and accountability:
• Audit logging of administrative actions and privacy-related events (data exports, account deletions).
• Application-level rate limiting and abuse detection.
• Documented incident response procedure with on-call escalation.
Vendor management:
• Subprocessor list maintained and published at echoclip.ai/privacy.
• Subprocessor contracts include data protection commitments not less protective than this DPA.
• Annual review of Subprocessor security posture (SOC 2 / ISO 27001 / equivalent attestations where available).
Execution
This DPA is offered as a standard, non-negotiable agreement for self-service EchoClip customers. Acceptance of the EchoClip Terms of Service constitutes acceptance of this DPA where Data Protection Law applies to the Customer's use of the Services. Enterprise customers requiring a counter-signed version of this DPA should contact legal@echoclip.ai with the legal name of the contracting entity, the jurisdiction of incorporation, and the role(s) of any joint controllers.