This Data Processing Addendum (this "DPA") forms part of, and is incorporated by reference into, the Terms of Service / Master Subscription Agreement available at https://axelapp.ai/terms (the "Terms") between rolln, Inc., a Delaware corporation ("rolln", "we", "us", or "our"), and the customer that has agreed to the Terms (the "Customer", "you", or "your"), in connection with the Customer's use of the Axel platform and service ("Axel" or the "Service").
This DPA reflects the parties' agreement on the processing of Personal Data (defined below) by rolln on the Customer's behalf when the Customer uses the Service. Capitalized terms not defined in this DPA have the meanings given to them in the Terms.
1. Parties, Incorporation, Precedence, and Duration
1.1 Parties and incorporation
This DPA is entered into between rolln and the Customer and is incorporated into and subject to the Terms. By accepting the Terms, or by accessing or using the Service, the Customer accepts this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates (defined below) that use the Service.
1.2 Authority to enter into this DPA
The individual accepting this DPA represents and warrants that they have authority to bind the Customer (and its Authorized Affiliates, where applicable) to this DPA. If the individual does not have such authority, they must not accept this DPA and must not use the Service.
1.3 Order of precedence
In the event of any conflict or inconsistency among the following documents, the order of precedence is: (a) the Standard Contractual Clauses, the UK Addendum, and any Swiss amendments described in Section 8 (collectively, the "Transfer Mechanisms"), to the extent they apply; then (b) the body of this DPA and its Annexes; then (c) the Terms; then (d) any other agreement between the parties relating to the subject matter, unless expressly stated otherwise. Nothing in this DPA is intended to vary or supersede the Transfer Mechanisms except where this DPA's terms are more protective of data subjects.
1.4 Duration
This DPA takes effect on the effective date of the Terms (or, if later, the date the Customer first uses the Service) and remains in force for the duration of the Terms. It survives termination or expiry of the Terms for so long as rolln (or any Sub-processor) processes Personal Data on the Customer's behalf, and the obligations in Sections 12 (Deletion and Return) and 10 (Audits) survive as stated in those Sections.
1.5 Authorized Affiliates
"Authorized Affiliate" means any entity that controls, is controlled by, or is under common control with the Customer, that is permitted to use the Service under the Terms, and on whose behalf the Customer is authorized to enter into this DPA. Where an Authorized Affiliate uses the Service, the Customer remains responsible for the acts and omissions of, and for coordinating all communications with rolln by, its Authorized Affiliates under this DPA. The Customer represents that it has authority to bind each Authorized Affiliate (and, where Section 3.5 applies, the relevant third-party controller) to this DPA, and the Customer remains rolln's sole point of contact regardless of any affiliate or controller relationship. The Customer is responsible for, and (in accordance with the indemnification provisions of the Terms (Section 14 of the Terms)) will indemnify rolln against, losses arising from the Customer's lack of such authority. rolln's reliance on the Customer's acceptance and the assent record maintained under the Terms (rolln records each acceptance with the accepting user's identity, a timestamp, the source IP address and user-agent, and the version of each document accepted, so that assent is provable) is sufficient for rolln to treat the DPA as binding on the Customer and its Authorized Affiliates.
2. Definitions
For purposes of this DPA:
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations.
- "Controller" means the natural or legal person that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For Personal Data processed under this DPA, the Customer is the Controller (or a processor acting on behalf of a third-party controller, as described in Section 3.5).
- "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, as applicable: the EU General Data Protection Regulation 2016/679 ("EU GDPR"); the EU GDPR as incorporated into the law of the United Kingdom by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("Swiss FADP"); the CCPA; and other applicable U.S. state privacy laws.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information within Customer Data that relates to an identified or identifiable natural person and that is processed by rolln on the Customer's behalf under this DPA. Personal Data is a subset of Customer Data and includes "personal data" under the EU/UK GDPR and "personal information" under the CCPA.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by rolln or a Sub-processor. It does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, such as pings, port scans, unsuccessful log-in attempts, denial-of-service attacks, or other network-level activity that does not result in access to Personal Data.
- "Processing" (and "process", "processes", "processed") means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, disclosure, erasure, or destruction.
- "Processor" means a natural or legal person that processes Personal Data on behalf of the Controller. For Personal Data processed under this DPA, rolln is the Processor.
- "Restricted Transfer" means a transfer of Personal Data to, or onward transfer of Personal Data within, a country or territory that is not subject to an adequacy decision (or recognized adequacy regulations) under the applicable Data Protection Laws, where such transfer would be prohibited absent a Transfer Mechanism.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, approved by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021.
- "Sub-processor" means any third party engaged by rolln (or by another Sub-processor) to process Personal Data on the Customer's behalf in connection with the Service, as described in Section 5 and Annex III.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.
- "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 ("UK IDTA Addendum").
Other capitalized terms used and not defined in this DPA — including "Axel", "Service", "Authorized User", "End User", "Customer Data", and "Workspace" — have the meanings given in the Terms.
3. Roles, Scope, and Customer Instructions
3.1 Roles of the parties
With respect to Personal Data processed under this DPA, the Customer is the Controller and rolln is the Processor. rolln will process Personal Data only as a Processor acting on the Customer's behalf. rolln separately acts as a Controller in respect of certain limited data described in Section 3.4.
3.2 Scope and subject matter
The subject matter, nature and purpose of the Processing, the categories of Data Subjects, and the types of Personal Data are described in Annex I. In summary, rolln processes Personal Data to provide the Service: receiving inbound webhook payloads at the edge; storing raw payloads for replay; queuing events; evaluating routes and filters; running the Customer's configured filter/transform logic in a sandbox; and fanning out deliveries to the Customer's chosen destinations, together with related logging, analytics, support, security, and billing functions.
3.3 Customer instructions
rolln will process Personal Data only on documented instructions from the Customer, including with regard to Restricted Transfers, unless required to process Personal Data by applicable law to which rolln is subject. In that case, rolln will inform the Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest. The Customer's documented instructions consist of: (a) this DPA and the Terms; (b) the Customer's configuration and use of the Service (for example, the sources, routes, filters, transforms, destinations, retention settings, and erasure/data-reset actions the Customer configures through the Service or its APIs); and (c) any other written instructions the Customer gives that the parties agree are consistent with the Service. The Customer is responsible for ensuring its instructions comply with Data Protection Laws.
3.4 rolln as Controller for limited data
rolln acts as an independent Controller, and not as a Processor, with respect to: (a) account registration, identity, and contact data of Authorized Users; (b) billing and payment-related contact information; (c) Service usage, telemetry, security, and audit data that rolln generates to operate, secure, bill for, and improve the Service; and (d) data rolln processes to comply with its own legal obligations. rolln's processing of such data as a Controller is governed by the Privacy Policy (https://axelapp.ai/privacy), not by this DPA. To the extent Personal Data within webhook payloads or Customer-configured Customer Data is incidentally present in (c) or (d) above, that Personal Data remains subject to this DPA.
3.5 Customer as processor for a third party
If the Customer is itself a Processor acting on behalf of a third-party controller, the Customer represents that its use of the Service and its instructions to rolln have been authorized by the relevant controller, and that the Customer has the authority to grant the general authorization for sub-processing in Section 5 on behalf of that controller. In that case, references to "Controller" in this DPA and in the SCCs (Module Three) are construed accordingly, and the Customer remains rolln's sole point of contact.
3.6 Unlawful instructions
rolln will inform the Customer if, in rolln's reasonable opinion, an instruction infringes Data Protection Laws. In such case, rolln may suspend performance of the affected instruction (without liability) until the Customer confirms, modifies, or withdraws it. rolln is not obligated to, and does not undertake to, conduct a legal review of the lawfulness of the Customer's instructions generally.
3.7 Customer responsibilities
The Customer is responsible for: (a) the accuracy, quality, and legality of Customer Data and the means by which the Customer acquired it; (b) establishing and maintaining a lawful basis for the Processing, and for providing all required notices to and obtaining all required consents from Data Subjects; (c) configuring its sources, routes, transforms, destinations, signing keys, and retention settings appropriately; and (d) complying with the Acceptable Use Policy (https://axelapp.ai/acceptable-use), including the restrictions on sensitive data described in Section 4.6.
4. Processor Obligations
4.1 Compliance
rolln will comply with the obligations applicable to it as a Processor under Data Protection Laws and will provide the Service in a manner consistent with this DPA.
4.2 Confidentiality of personnel
rolln will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations (whether contractual or statutory), have been informed of the confidential nature of the Personal Data, and process Personal Data only as necessary to perform their duties and provide and support the Service. rolln limits access to Personal Data to personnel who need such access for those purposes.
4.3 Security measures
rolln will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against a Personal Data Breach and to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects, in accordance with Article 32 of the EU GDPR. Those measures are described in Annex II. The measures described in Annex II are the measures rolln implements; they describe rolln's security practices and are not warranties or guarantees of a specific result or outcome, and are subject to the warranty disclaimers and limitations of liability in the Terms (Terms Sections 12 (including the AS-IS disclaimer in Terms Section 12.2) and 13). The Customer acknowledges that security is a shared responsibility and that the Customer's own configuration choices (for example, destination URLs, HMAC signing keys, retention windows, and access controls within its Workspace) materially affect the security of Personal Data.
4.4 Assistance with Data Subject requests
Taking into account the nature of the Processing, rolln will assist the Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in fulfilling the Customer's obligations to respond to requests by Data Subjects to exercise their rights (including rights of access, rectification, erasure, restriction, portability, and objection). rolln makes available self-service tooling within the Service — including erasure subjects and erasure requests, in-dashboard data reset, and configurable retention controls — that the Customer can use to action many such requests directly. Where the Customer cannot address a request through that tooling, rolln will provide reasonable assistance on the Customer's documented request. Further detail is set out in Section 7.
4.5 Assistance with DPIAs and consultations
Taking into account the nature of the Processing and the information available to rolln, rolln will provide reasonable assistance to the Customer with: (a) data protection impact assessments under Article 35 of the EU GDPR; and (b) prior consultations with Supervisory Authorities under Article 36, in each case where such assessment or consultation relates to the Customer's use of the Service. This assistance is primarily provided through this DPA, the security descriptions in Annex II, the Sub-processors page (https://axelapp.ai/subprocessors), and rolln's published security documentation.
4.6 Sensitive and prohibited data
The Service is a general-purpose webhook and event pipeline and is not designed to receive special categories of Personal Data (Article 9 EU GDPR), data relating to criminal convictions and offenses (Article 10), payment cardholder data subject to PCI DSS (e.g., full primary account numbers), or protected health information subject to HIPAA, unless the parties have agreed otherwise in writing. The Customer is responsible for ensuring that the Customer Data it sends through the Service is consistent with this Section and with the Acceptable Use Policy. To the extent the Customer nonetheless transmits special-category or other sensitive data through the Service, the Customer does so as Controller and at its own risk, and confirms it has a valid legal basis and has implemented any additional safeguards required by Data Protection Laws. If rolln reasonably believes the Customer is transmitting special-category data (Article 9), criminal-offense data (Article 10), PCI cardholder data, or HIPAA-regulated data through the Service without a written agreement permitting it, rolln may, consistent with Section 3.6 and the Acceptable Use Policy and the suspension rights in the Terms, suspend or limit the affected Processing (in whole or in part) without liability, and will notify the Customer.
4.7 Cooperation
rolln will reasonably cooperate with the Customer to enable the Customer to comply with its obligations under Data Protection Laws in relation to the Processing carried out by rolln under this DPA, including in connection with Personal Data Breaches (Section 9) and audits (Section 10).
5. Sub-processing
5.1 General authorization
The Customer grants rolln a general authorization to engage Sub-processors to process Personal Data in connection with the provision of the Service. The Sub-processors engaged by rolln as of the effective date of this DPA are listed on the Sub-processors page at https://axelapp.ai/subprocessors and restated in Annex III. The Sub-processors page is the authoritative, maintained list.
5.2 Sub-processor terms
Before a Sub-processor processes Personal Data, rolln will enter into a written agreement with that Sub-processor that imposes data-protection obligations that are, in substance, no less protective of Personal Data than those in this DPA, to the extent applicable to the nature of the services provided by that Sub-processor (including, where a Restricted Transfer is involved, appropriate Transfer Mechanisms). rolln remains responsible to the Customer for the performance of each Sub-processor's data-protection obligations under such agreement, to the same extent rolln would be responsible if performing those services directly.
5.3 Notice of changes and right to object
rolln will give the Customer notice of any intended addition or replacement of a Sub-processor at least 30 days before that Sub-processor begins processing Personal Data (i.e., on a pre-engagement basis), by updating the Sub-processors page and, where the Customer has subscribed to notifications, by the notification mechanism rolln makes available (for example, an email or in-product notice). The Customer may subscribe to such notifications via the Sub-processors page. The Customer may object to a new or replacement Sub-processor on reasonable, documented data-protection grounds by notifying rolln in writing at privacy@axelapp.ai within 30 days of the notice.
5.4 Objection resolution and remedy
If the Customer objects under Section 5.3, the parties will discuss the objection in good faith and rolln will use commercially reasonable efforts to make available a change in the Service, or recommend a commercially reasonable configuration or alternative, that avoids processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Customer. If rolln is unable to make such a change available within a reasonable period not to exceed 30 days from rolln's receipt of the objection, the Customer may, as its sole and exclusive remedy, terminate the affected Service (or the portion of it that cannot be provided without the objected-to Sub-processor) by giving written notice to rolln, and rolln will refund any prepaid fees for the terminated portion covering the period after the effective date of termination. Absent a timely objection, the Customer is deemed to have approved the new or replacement Sub-processor.
6. (Reserved)
This Section number is intentionally reserved.
7. Data Subject Rights
7.1 Routing of requests
If rolln receives a request directly from a Data Subject relating to Personal Data processed on the Customer's behalf, rolln will, to the extent legally permitted, promptly notify the Customer and will not respond to the request itself except on the Customer's documented instructions or as required by applicable law. rolln will advise the Data Subject to submit the request to the Customer.
7.2 How rolln assists
rolln assists the Customer with Data Subject rights as described in Section 4.4, primarily by enabling the Customer to locate, export, correct, restrict, and delete Personal Data through the Service. In particular:
- Erasure / "right to be forgotten": the Customer can use the in-product erasure tooling (erasure subjects and erasure requests) and the in-dashboard data-reset controls to delete Personal Data associated with identified Data Subjects or Workspaces.
- Retention / restriction: the Customer can shorten or, within the applicable caps, extend retention windows for raw payloads, delivery/event logs, dead-letter records, and replay job records, as available on the Customer's plan tier.
- Access / portability: the Customer can retrieve Customer Data and delivery records through the dashboard and APIs.
Where these capabilities are insufficient to action a particular request, rolln will provide additional reasonable assistance on the Customer's documented request, and may charge a reasonable fee for assistance that is unusual in scope or frequency, as permitted by Data Protection Laws.
8. International Transfers
8.1 Processing location
As of the effective date of this DPA, rolln's routing, delivery, control-database, and analytics processing and storage occur in the United States. rolln's edge ingest layer operates on Cloudflare's global edge network; the Customer acknowledges that inbound webhook payloads (which carry the most sensitive Customer Data) may be received, queued, and transiently stored at Cloudflare edge locations globally before being routed to rolln's U.S.-based processing and storage. Our Cloudflare R2 storage and Cloudflare Queues are configured so that payload storage and processing occur in the United States. rolln will not materially change the regions in which Personal Data is stored at rest without updating its documentation and, where required, providing an appropriate Transfer Mechanism.
8.2 EU Standard Contractual Clauses
To the extent the Processing involves a Restricted Transfer subject to the EU GDPR, the SCCs are incorporated into this DPA by reference and apply as follows:
- Module Two (Controller to Processor) applies where the Customer is a Controller and rolln is a Processor.
- Module Three (Processor to Processor) applies where the Customer is itself a Processor acting on behalf of a third-party controller (see Section 3.5) and rolln is a Sub-processor.
For the purposes of the SCCs:
- (a) the Customer is the "data exporter" and rolln is the "data importer";
- (b) the optional docking clause in Clause 7 applies;
- (c) in Clause 9, Option 2 (general written authorization) applies, and the time period for prior notice of Sub-processor changes is as set out in Section 5.3 of this DPA;
- (d) in Clause 11, the optional language permitting Data Subjects to lodge a complaint with an independent dispute-resolution body does not apply;
- (e) in Clause 17, the SCCs are governed by the law of Ireland;
- (f) in Clause 18, disputes are resolved before the courts of Ireland;
- (g) Annex I to the SCCs is populated by Annex I to this DPA; Annex II to the SCCs is populated by Annex II to this DPA; and the list of Sub-processors for Clause 9 is set out in Annex III to this DPA and on the Sub-processors page.
Where there is any conflict between the SCCs and this DPA, the SCCs prevail with respect to Restricted Transfers governed by the EU GDPR.
8.3 UK transfers
To the extent the Processing involves a Restricted Transfer subject to the UK GDPR, the UK IDTA Addendum is incorporated into this DPA and applies to that transfer. The SCCs as described in Section 8.2 form the "Approved EU SCCs" to which the UK IDTA Addendum is appended. For purposes of the UK IDTA Addendum: Table 1 (parties) is completed using Annex I to this DPA; Table 2 identifies the Approved EU SCCs and selected modules as set out in Section 8.2; Table 3 (appendix information) is completed using Annexes I, II, and III to this DPA; and in Table 4, the party that may end the UK IDTA Addendum if the Approved Addendum changes is the data importer.
8.4 Swiss transfers
To the extent the Processing involves a Restricted Transfer subject to the Swiss FADP, the SCCs apply with the following amendments: (a) references to the EU GDPR are understood as references to the Swiss FADP insofar as the transfer is governed by it; (b) the term "Member State" must not be interpreted to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence; (c) the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner with respect to transfers governed by the Swiss FADP; and (d) the SCCs also protect the personal data of legal entities until the entry into force of the revised Swiss FADP removes such protection.
8.5 Alternative transfer mechanisms
If rolln adopts an alternative recognized transfer mechanism for the lawful transfer of Personal Data (such as a successor framework, binding corporate rules, or a certification or adequacy decision), that mechanism will apply instead of the Transfer Mechanisms described above to the transfers to which it applies, and rolln will update this DPA or its documentation accordingly.
8.6 Supplementary measures and government access
rolln will implement the security measures in Annex II as supplementary measures supporting Restricted Transfers. If rolln receives a legally binding request from a public authority for access to Personal Data, rolln will, to the extent legally permitted, notify the Customer, challenge requests that are unlawful or overbroad, and disclose only the minimum amount of Personal Data necessary to comply.
9. Personal Data Breach
This Section 9 governs Personal Data Breaches affecting Personal Data that rolln processes as a Processor on the Customer's behalf under this DPA. Incidents affecting Personal Data for which rolln is the Controller (the limited data described in Section 3.4) are handled under Section 9.1 of the Privacy Policy (https://axelapp.ai/privacy); the two breach regimes are complementary and together cover both processor-side and controller-side incidents.
9.1 Notification
rolln will notify the Customer without undue delay (and, where feasible, no later than 72 hours) after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. For purposes of this Section, rolln "becomes aware" of a Personal Data Breach when rolln has a reasonable degree of certainty that a Personal Data Breach has occurred — not upon the mere receipt of an unverified alert, log entry, or report that has not yet been confirmed. The notification period runs from rolln's confirmation of the Personal Data Breach.
9.2 Information provided
The notification under Section 9.1 will, to the extent known and available to rolln at the time, describe: (a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) a point of contact for further information. Where, and insofar as, it is not possible to provide all of that information at the same time, rolln will provide it in phases without undue further delay as it becomes available.
9.3 Remediation and cooperation
rolln will take reasonable steps to investigate, contain, and remediate the Personal Data Breach, and will reasonably cooperate with the Customer and provide reasonable assistance to enable the Customer to meet its own breach-notification and other obligations under Data Protection Laws. rolln's notification of, or response to, a Personal Data Breach is not an acknowledgment by rolln of fault or liability.
9.4 Customer obligations
Except as required by law, the Customer is responsible for determining whether to notify any Supervisory Authority, Data Subjects, or other parties, and for making any such notifications, in respect of a Personal Data Breach affecting Personal Data for which it is the Controller. The Customer must keep its contact details current within its Workspace so that rolln can deliver breach notifications.
10. Audits and Information
10.1 Demonstrating compliance
rolln will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and with the Processor obligations in Article 28 of the EU GDPR, including the information in this DPA and its Annexes, the Sub-processors page, and rolln's then-current security documentation and, where available, third-party audit reports and certifications.
10.2 Third-party reports
The Customer agrees that, where rolln has obtained or obtains a relevant third-party audit report or certification (for example, a SOC 2 report, currently planned), rolln may satisfy an audit request by providing the most recent such report or certification, subject to confidentiality, and that the Customer will rely on such reports to the extent reasonable before requesting an on-site or bespoke audit.
10.3 Audit rights
Where the information made available under Sections 10.1 and 10.2 is not sufficient to demonstrate compliance, rolln will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the following conditions: (a) the Customer gives at least 30 days' prior written notice, unless a shorter period is required by a Supervisory Authority or following a Personal Data Breach; (b) audits occur no more than once per twelve-month period, unless required by a Supervisory Authority or following a Personal Data Breach; (c) audits are conducted during regular business hours, in a manner that does not unreasonably disrupt rolln's operations, and in accordance with rolln's reasonable security and confidentiality requirements; (d) the auditor is not a competitor of rolln and is bound by confidentiality obligations; and (e) the Customer bears its own and rolln's reasonable costs of any audit beyond the provision of information under Sections 10.1 and 10.2. Any audit will be limited to information and systems relevant to the Processing of the Customer's Personal Data and must not provide access to other customers' data or to confidential information of rolln or third parties.
10.4 Supervisory Authority audits
To the extent required by the SCCs or Data Protection Laws, rolln will allow for and contribute to audits conducted by, or on the instruction of, a competent Supervisory Authority.
11. CCPA / CPRA and U.S. State Privacy Law Addendum
This Section applies to the extent rolln processes "personal information" (as defined in the CCPA) on the Customer's behalf and the CCPA applies. It also applies, with equivalent effect and construed accordingly, where rolln processes personal data as a "processor" or "service provider" on the Customer's behalf under other applicable U.S. state privacy laws named in the definition of "Data Protection Laws" in Section 2 (for example, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Texas Data Privacy and Security Act).
11.1 Service Provider status and limited and specified purpose
The parties acknowledge that, with respect to such personal information, the Customer is a "business" (or a service provider acting on behalf of a business) and rolln is a "service provider" within the meaning of the CCPA. rolln receives and processes personal information from, or on behalf of, the Customer only for the limited and specified purpose of performing the Service and the "business purposes" described in this DPA and the Terms, and not for any other purpose. rolln will not retain, use, or disclose the personal information for any purpose (including any commercial purpose) other than performing those services, except as otherwise permitted by the CCPA.
11.2 No sale or sharing; restrictions
rolln will not: (a) sell or share (as those terms are defined in the CCPA) the personal information; (b) retain, use, or disclose the personal information for any purpose other than the business purposes specified in this DPA and the Terms, including outside the direct business relationship between the parties, except as permitted by the CCPA; or (c) combine the personal information with personal information rolln receives from, or on behalf of, other persons, or collects from its own interactions with the consumer, except as permitted by the CCPA for a service provider.
11.3 Certification and assistance
rolln certifies that it understands and will comply with the restrictions in this Section 11. rolln will provide reasonable assistance to the Customer in responding to verifiable consumer requests under the CCPA, consistent with Section 7. rolln will notify the Customer if it determines that it can no longer meet its obligations as a service provider under the CCPA.
11.4 Customer monitoring; stop and remediate
The Customer may take reasonable and appropriate steps to ensure that rolln uses the personal information transferred in a manner consistent with the Customer's obligations under the CCPA and other applicable U.S. state privacy laws. The Customer also has the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information by rolln. rolln will reasonably cooperate with such steps. The audit and information rights in Section 10 are one means by which the Customer may exercise this right.
11.5 Notice of contractors and Sub-processors
rolln will notify the Customer of any contractor or Sub-processor it engages to process the personal information on the Customer's behalf. This obligation is satisfied through the Sub-processors page (https://axelapp.ai/subprocessors), Annex III, and the notice-and-objection mechanism in Section 5.3. rolln will engage such contractors and Sub-processors only under a written contract that requires them to comply with obligations equivalent to those in this Section 11.
11.6 Onward disclosure
rolln will impose on its Sub-processors that process such personal information CCPA-compliant obligations consistent with this Section 11, as contemplated by Section 5.2 and Section 11.5.
12. Deletion and Return of Personal Data
12.1 On termination
Upon termination or expiry of the Terms, and at the choice of the Customer, rolln will delete or return Personal Data processed on the Customer's behalf, and delete existing copies, except to the extent applicable law requires rolln to retain some or all of the Personal Data. If the Customer does not make a documented election within 30 days after termination or expiry, rolln may delete the Personal Data in the ordinary course in accordance with this Section and the retention defaults below.
12.2 Mechanism and retention defaults
The Customer may export or delete Customer Data through the Service before termination. Following termination or expiry, and subject to Section 12.3, rolln will delete Personal Data within 30 days, except that Personal Data persisting in routine backups and in components governed by longer default retention periods will be deleted on the rolling schedules summarized below. As of the effective date, the Service's default retention behavior is:
- Raw payloads (Cloudflare R2): retained approximately 30 days by default for replay, configurable on higher tiers.
- Delivery / event logs (ClickHouse): retained for an approximately 30-day time-to-live.
- Dead-letter records: retained up to 365 days.
- Replay job records: retained up to 90 days.
- Audit log: retained long-term (approximately 10 years) for security, integrity, and legal/compliance purposes.
The audit log is retained as described above because it is necessary for security, dispute resolution, and compliance; the Customer acknowledges that this retention may continue after deletion of other Personal Data.
12.3 Legally required retention
rolln may retain Personal Data to the extent and for so long as required by applicable law, in which case rolln will continue to protect the retained Personal Data in accordance with this DPA and will process it only as necessary for the purpose(s) of the required retention.
12.4 Certification
Upon the Customer's written request following deletion under this Section, rolln will confirm in writing that it has deleted the Personal Data in accordance with this Section, subject to the exceptions stated above.
13. Liability and Miscellaneous
13.1 Liability
Each party's and each party's affiliates' liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms, and any reference in the Terms to a party's liability means the aggregate liability of that party and all of its affiliates under the Terms and this DPA together. For the avoidance of doubt, liability arising from a Personal Data Breach or any other breach of this DPA is within (and is not carved out of) the Terms' limitation of liability except as expressly stated below or as required by Data Protection Laws.
A Personal Data Breach or breach of this DPA is subject to the enhanced cap in Terms Section 13.3 (the greater of two (2) times the trailing-twelve-month fees or US$50,000) rather than the general cap in Section 13.2, and rolln maintains cyber / errors-and-omissions insurance of at least US$1,000,000. The Customer's indemnities in the Terms (Section 14 of the Terms, covering Customer Data, privacy, lawful basis, and unlawful instructions) are rolln's primary backstop for losses arising from the Customer's Customer Data and instructions.
This Section 13.1 does not limit any party's liability to Data Subjects or Supervisory Authorities under the Transfer Mechanisms or to the extent such limitation is not permitted by Data Protection Laws.
13.1A Notices under this DPA
Notices, requests, and communications under this DPA or the Transfer Mechanisms (including SCC-related correspondence) that are directed to rolln must be sent to legal@axelapp.ai, with a copy to privacy@axelapp.ai, and where a postal address is required, to rolln's registered business address at rolln, Inc., Delaware, United States (for our current postal address, contact legal@axelapp.ai). Sub-processor objections under Section 5.3 are sent to privacy@axelapp.ai as stated in that Section. The Customer may report a suspected or confirmed security incident or vulnerability affecting the Service to security@axelapp.ai; reporting to that address does not replace, and is in addition to, the Customer's obligation to keep its Workspace contact details current under Section 9.4. Notices to the Customer are given in accordance with the notice provisions of the Terms and, for operational and breach notifications, using the contact details the Customer maintains in its Workspace.
13.2 Governing law
This DPA is governed by the law specified in the Terms, except that the Transfer Mechanisms are governed by the law specified in Section 8 (or in the relevant Transfer Mechanism) to the extent required for those mechanisms to be effective.
13.3 Changes
rolln may update this DPA from time to time to reflect changes in Data Protection Laws, the Transfer Mechanisms, the Service, or its Sub-processors, provided that no such update will materially reduce the protections for Personal Data under this DPA. rolln will provide notice of material changes in accordance with the notice provisions of the Terms.
13.4 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid or unenforceable provision will be replaced by a valid provision that most closely reflects the parties' intent.
13.5 Signatures
For Customers that accept the Terms online, this DPA is entered into electronically as part of the Terms and no separate signature is required. Where a signed copy is required, the following signature blocks apply:
rolln, Inc. By: _____________________ Title: _____________________ Date: _____________________
Customer Entity: _____________________ By: _____________________ Title: _____________________ Date: _____________________
ANNEX I — Details of Processing
A. List of Parties
Data exporter (Controller) — Customer
- Name: _____________________
- Address: _____________________
- Contact person's name, position, and contact details: _____________________
- Activities relevant to the data transferred: Use of the Axel Service to ingest, route, transform, store (for replay), and deliver webhook payloads and related event data that may contain Personal Data of the Customer's End Users and contacts.
- Role: Controller (or, where applicable under Section 3.5, Processor acting on behalf of a third-party controller).
- Signature and date: _____________________
Data importer (Processor) — rolln
- Name: rolln, Inc.
- Address: rolln, Inc., Delaware, United States (for our current postal address, contact legal@axelapp.ai)
- Contact person's name, position, and contact details: Privacy contact, privacy@axelapp.ai; legal notices, legal@axelapp.ai.
- Activities relevant to the data transferred: Provision of the Axel webhook-ingestion and event-pipeline Service, including edge ingestion, raw payload storage for replay, queuing, route/filter evaluation, sandboxed customer-authored transforms, delivery fan-out, logging, analytics, support, security, and billing.
- Role: Processor (or Sub-processor where the Customer is itself a Processor under Section 3.5).
- Signature and date: _____________________
B. Description of the Processing
Categories of Data Subjects whose Personal Data is processed. The Personal Data transferred concerns the following categories of Data Subjects, as determined and controlled by the Customer:
- the Customer's End Users and customers;
- the Customer's contacts, employees, agents, and representatives whose data appears in webhook payloads or configurations;
- any other natural persons whose Personal Data the Customer chooses to send through the Service.
The Customer determines and controls which categories of Data Subjects' Personal Data are sent through the Service.
Categories of Personal Data processed. The Personal Data transferred is whatever Personal Data the Customer includes in Customer Data sent to, processed in, or received from the Service, which may include:
- identifiers and contact data (for example, names, email addresses, phone numbers, user IDs, account identifiers);
- transaction and event data (for example, payment events, subscription changes, order data, identity changes, access grants, and other application events conveyed by webhooks);
- technical and metadata (for example, IP addresses, timestamps, request headers, source/destination identifiers);
- any other Personal Data the Customer chooses to include in webhook payloads, filters, transforms, or destination configurations.
rolln does not control, and is generally not aware of, the specific content of the payloads the Customer transmits; the Customer determines and controls the categories of Personal Data sent through the Service.
Special categories of Personal Data. The Service is not intended to be used to process special categories of Personal Data (Article 9 EU GDPR) or data relating to criminal convictions and offenses (Article 10), and the Customer is discouraged from transmitting such data through the Service (see Section 4.6). To the extent the Customer nonetheless transmits special-category data, the Customer does so as Controller and is responsible for ensuring an appropriate legal basis and additional safeguards. The Customer should not transmit special-category data through the Service; if the Customer does, the Customer is responsible for ensuring an appropriate lawful basis and safeguards.
Nature and purpose of the Processing. Receiving inbound webhook payloads at the Cloudflare edge; storing raw payloads in Cloudflare R2 for replay; queuing events; evaluating routes and filters; executing customer-authored filter/transform code in an isolated sandbox; fanning out idempotent deliveries to the Customer's configured destinations (HTTP endpoints, MongoDB, Postgres, R2); and related logging, analytics, monitoring, support, security, and billing — all for the purpose of providing the Service to the Customer in accordance with the Terms and the Customer's configuration.
Frequency of the Processing. Continuous, on an ongoing basis, for the duration of the Customer's use of the Service.
Duration of the Processing / retention. For the term of the Terms, plus the retention periods described in Section 12.2 and any legally required retention under Section 12.3.
For transfers to Sub-processors, the subject matter, nature, and duration of the Processing. As described on the Sub-processors page (https://axelapp.ai/subprocessors) and in Annex III, for the duration of rolln's engagement of each Sub-processor in connection with the Service.
C. Competent Supervisory Authority
For the purposes of Clause 13 and Annex I.C of the SCCs, the competent Supervisory Authority is determined in accordance with the SCCs and Data Protection Laws — generally the Supervisory Authority of the EU/EEA Member State in which the Customer (as data exporter) is established or, where applicable, the Member State in which its EU representative is established or in which the relevant Data Subjects are located. For UK transfers, the competent authority is the UK Information Commissioner's Office; for Swiss transfers, the Swiss Federal Data Protection and Information Commissioner. Where the data importer's SCC governing law and forum are set to Ireland (Section 8.2(e)–(f)), the lead authority for the SCCs is the Irish Data Protection Commission.
ANNEX II — Technical and Organizational Measures
rolln implements and maintains the technical and organizational measures described below, as they may be updated from time to time in a manner that does not materially reduce the overall level of security. These measures describe the controls rolln implements; they are not a guarantee of a specific result and are subject to the warranty disclaimers and limitations of liability in the Terms.
1. Access control to systems and data (authentication and tenant isolation)
- Strict multi-tenant isolation: every Postgres row, ClickHouse partition, and queue message is keyed by workspace_id, and the dashboard enforces Workspace scope on every query, so Customers can access only their own Workspace's data.
- Source ingest tokens are stored as SHA-256 hashes (never in plaintext), validated using constant-time comparison, and never logged in plaintext.
- Access to production systems and Personal Data is limited to authorized personnel on a need-to-know basis, subject to confidentiality obligations (Section 4.2).
2. Encryption
- Data in transit is protected by TLS 1.2 or higher at the edge.
- Raw payloads stored in Cloudflare R2 are encrypted at rest.
3. Application-layer isolation of customer-authored code
- Customer route filters and transforms execute in isolated Worker threads with V8 resource limits, a 250-millisecond wall-clock timeout per execution, and no network or filesystem access, reducing the risk that customer-authored code can affect other tenants or exfiltrate data.
4. Input validation and abuse controls
- Per-source rate limits, request body-size caps, and payload-depth caps are enforced to mitigate abuse and resource exhaustion.
- Delivery fan-out is idempotent to reduce duplicate processing and delivery.
5. Logging, audit, and accountability
- An append-only audit log records privileged actions, including Workspace creation, member invitations, role changes, and source/destination mutations, supporting accountability and incident investigation.
6. Monitoring and incident response
- Application errors and performance are monitored via Sentry to support availability and prompt detection of operational issues; rolln maintains processes to investigate, contain, and remediate Personal Data Breaches and to notify the Customer in accordance with Section 9.
7. Data minimization, retention, and erasure
- Configurable retention controls and default retention windows limit how long raw payloads, delivery/event logs, dead-letter records, and replay job records are retained (Section 12.2).
- Data-subject erasure tooling (erasure subjects/requests) and in-dashboard data-reset controls enable deletion of Personal Data on the Customer's instruction (Sections 4.4 and 7).
8. Resilience and infrastructure security
- Core processing relies on established cloud providers (Cloudflare for edge ingest, R2 storage, and queues; Render for application compute, the Postgres control database, and the ClickHouse analytics database; Vercel for the dashboard and marketing site). These three are named here as the primary infrastructure providers; all Sub-processors listed in Annex III (not only these three) are subject to the Sub-processor obligations in Section 5.
- rolln relies on the underlying infrastructure providers' physical and environmental security, network security, and availability controls for the facilities and platforms they operate.
9. Organizational measures
- Personnel with access to Personal Data are bound by confidentiality obligations and access Personal Data only as necessary to provide and support the Service.
- rolln maintains internal policies and practices designed to support compliance with this DPA and Data Protection Laws, and intends to obtain a SOC 2 report (currently planned).
10. Measures for transfers
- The measures in this Annex II serve as supplementary measures for Restricted Transfers, alongside the contractual protections in the Transfer Mechanisms and rolln's commitments regarding government-access requests (Section 8.6).
ANNEX III — List of Sub-processors
The authoritative, maintained list of Sub-processors is published at the Sub-processors page, https://axelapp.ai/subprocessors. As of the effective date of this DPA, rolln engages the following Sub-processors. This Annex III is scoped to the Processing of Personal Data within Customer Data on the Customer's behalf under this DPA (i.e., where rolln acts as Processor). Some of the providers listed below process Personal Data within Customer Data; others process only controller-side Personal Data for which rolln is the controller (governed by the Privacy Policy, https://axelapp.ai/privacy) and do not process Customer Data. The Sub-processors page identifies each provider's role; not every vendor listed there or below touches Customer Data. All are located in the United States unless otherwise noted; certain providers operate global infrastructure as indicated.
| # | Sub-processor | Purpose / processing activity | Categories of data processed | Location |
|---|---|---|---|---|
| 1 | Cloudflare, Inc. | Edge ingest, raw payload object storage (R2), and message queues | Full webhook payloads and associated metadata | United States, with global edge processing |
| 2 | Render (Render Services, Inc.) | Application compute (routing and delivery services, including outbound fan-out of payloads to destinations), PostgreSQL control database, and self-hosted ClickHouse analytics/log database | Account and configuration data, delivery logs, payload-derived metadata, and webhook payload contents processed in transit during outbound delivery / fan-out | United States |
| 3 | Vercel Inc. | Hosting for the customer dashboard and marketing site | Account session data and request metadata | United States |
| 4 | Stripe, Inc. | Subscription billing and payment processing | Billing contact data and payment method (card data held by Stripe; rolln does not store card numbers) | United States |
| 5 | Resend (Plus Five Five, Inc.) | Transactional email delivery (invitations, password resets, notifications) | Recipient email address and email content | United States |
| 6 | Sentry (Functional Software, Inc.) | Application error and performance monitoring | Error diagnostics, which may incidentally include request metadata | United States |
| 7 | PostHog (PostHog Inc.) | Product analytics for the customer dashboard (feature-usage measurement and product improvement) | Authorized User account identifiers (email, name), Workspace identifier, dashboard usage/event data, device/analytics identifier, and request metadata | United States |
Where a Sub-processor effects a Restricted Transfer, rolln relies on the applicable Transfer Mechanism (Section 8) and imposes data-protection terms on the Sub-processor in accordance with Section 5.2.
This document cross-references the Terms of Service / Master Subscription Agreement (https://axelapp.ai/terms), the Privacy Policy (https://axelapp.ai/privacy), the Acceptable Use Policy (https://axelapp.ai/acceptable-use), and the Sub-processors page (https://axelapp.ai/subprocessors).