OMNINEXT TECH LLC

This Customer Data Processing Addendum ("DPA") forms part of and is incorporated into the OmniNext Tech Terms of Service (the "Agreement") entered into between:

OmniNext Tech LLC, a limited liability company organized under the laws of the State of Wyoming, United States ("OmniNext", "Processor", or "Service Provider"); and

The entity or individual accepting the Agreement ("Customer" or "Controller").

This DPA governs the Processing of Customer Personal Data in connection with the Services.

In the event of conflict between this DPA and the Agreement, this DPA shall control with respect to data protection matters.

For purposes of this DPA:

Customer is the Controller of Customer Personal Data.

OmniNext acts as a Processor when Processing Customer Personal Data to provide the Services.

OmniNext acts as an independent Controller only with respect to:

• Account registration information
• Billing and payment data
• Fraud prevention logs
• Security monitoring
• Marketing communications sent directly by OmniNext

These activities are governed by OmniNext's Privacy Policy.

OmniNext shall Process Customer Personal Data:

• Only on documented instructions from Customer;
• Only to provide the Services;
• In accordance with the Agreement;
• In accordance with Applicable Data Protection Laws.

Processing may include:

• Storage
• Organization
• Retrieval
• Analytics
• AI-driven content generation
• Voice call processing
• Messaging delivery
• CRM record management
• Automation workflows

Customer acknowledges:

• The Platform includes AI-powered tools;
• AI prompts, system configurations, and workflow logic may be stored persistently within the Platform;
• AI inputs and outputs may be retained for operational continuity, debugging, system improvement, and account history preservation;
• OmniNext does not use Customer Personal Data to train public or generalized AI models.

Customer is responsible for:

• Reviewing AI outputs before use;
• Ensuring lawful use of Personal Data submitted to AI tools;
• Avoiding submission of highly sensitive data unless lawfully permitted.

Customer grants general authorization for OmniNext to engage Sub-Processors.

OmniNext shall:

• Conduct reasonable due diligence before engaging Sub-Processors;
• Enter into written agreements imposing data protection obligations;
• Remain responsible for Sub-Processor performance.

Customer may object to a new Sub-Processor on reasonable data protection grounds within 15 days of notice.

If no commercially reasonable alternative exists, Customer may terminate affected Services.

OmniNext shall implement reasonable and appropriate technical and organizational measures including:

• Encryption in transit (TLS)
• Role-based access control
• Authentication safeguards
• Access logging
• Environment segregation
• Vendor risk review
• Incident monitoring
• Secure cloud infrastructure

No system is guaranteed to be 100% secure.

Customer is responsible for:

• Account credential security
• Permission management
• Proper configuration
• Lawful data collection

In the event of a confirmed Personal Data Breach affecting Customer Personal Data:

OmniNext shall:

• Notify Customer without undue delay;
• Provide known details;
• Take reasonable mitigation measures;
• Cooperate with Customer's legal obligations.

Notification does not constitute admission of fault.

If OmniNext receives a request directly from a Data Subject regarding Customer Personal Data, OmniNext shall:

• Notify Customer;
• Not respond directly unless legally required;
• Provide reasonable assistance upon request.

Customer remains responsible for responding to Data Subject requests.

OmniNext may transfer data internationally to provide the Services.

Where required by law, OmniNext shall rely on:

• Standard Contractual Clauses;
• Contractual safeguards;
• Appropriate technical measures.

OmniNext does not currently rely on the Data Privacy Framework unless formally certified.

Upon termination of Services:

• Customer may export its data during the retention window;
• OmniNext retains Customer data for 90 days unless otherwise agreed;
• After retention period, data may be deleted or anonymized;
• System logs and security records may be retained longer as legally required.

Upon reasonable written request and no more than once per year, Customer may request documentation demonstrating compliance with this DPA.

On-site audits require:

• Advance notice;
• Confidentiality agreement;
• Cost coverage by Customer;
• No disruption of operations.

Liability under this DPA is subject to the limitations set forth in the Agreement.

This DPA shall be governed by the law governing the Agreement.

Where SCCs apply, they govern restricted transfer obligations.

This Data Processing Addendum ("Addendum") becomes effective on the Effective Date of the Agreement and shall remain in force for as long as OmniNext Tech LLC ("OmniNext") Processes Customer Personal Data pursuant to the Agreement.

This Addendum shall survive termination of the Agreement to the extent OmniNext continues to retain or Process Customer Personal Data in accordance with applicable retention obligations.

This Addendum applies to the Processing of all Customer Personal Data by OmniNext in connection with the Services, regardless of:

• The country of origin of the Personal Data;
• The geographic location of the Data Subject;
• The place of Processing;
• The storage location of infrastructure;
• The location of Sub-Processors.

This Addendum does not apply to:

• Personal Data Processed by OmniNext in its role as independent Controller (e.g., account registration data, billing information, fraud monitoring logs, internal analytics);
• Data processed outside the scope of the Services;
• Aggregated or irreversibly anonymized data.

This Addendum includes and incorporates the following:

• Exhibit A – Description and Details of Processing
• Appendix I to Exhibit A – Technical and Organizational Security Measures
• Exhibit B – Jurisdiction-Specific Data Protection Terms
• Appendix I to Exhibit B – Standard Contractual Clauses and Supplemental Transfer Safeguards (if applicable)

Each Exhibit and Appendix forms part of this Addendum and is legally binding.

OmniNext shall act as a Processor of Customer Personal Data.

Customer shall act as the Controller of Customer Personal Data.

Where Customer itself acts as a Processor for a third party, OmniNext shall act as a Sub- Processor to Customer with respect to such data.

OmniNext shall:

1. Process Customer Personal Data in compliance with Applicable Data Protection Laws;
2. Process Customer Personal Data only on documented instructions from Customer, including as necessary to provide the Services;
3. Implement appropriate technical and organizational measures to protect Customer Personal Data;
4. Ensure personnel authorized to Process Customer Personal Data are subject to confidentiality obligations;
5. Notify Customer if, in OmniNext's reasonable opinion, any Processing instruction violates Applicable Data Protection Laws.

Customer authorizes OmniNext to Process Customer Personal Data as necessary to:

• Provide, operate, and maintain the Services;
• Deliver CRM, automation, messaging, telecom, AI, and analytics features;
• Detect fraud and ensure system integrity;
• Perform security monitoring and incident response;
• Generate aggregated or anonymized datasets;
• Provide AI-powered features integrated into the Platform;
• Store AI prompts, automation logic, and workflow configurations persistently within the Customer environment.

For clarity:

• OmniNext may anonymize, de-identify, or aggregate Customer Personal Data;
• OmniNext does not use Customer Personal Data to train public or generalized AI models;
• AI inputs and outputs may be retained within Customer accounts to preserve continuity of service;
• Customer remains responsible for ensuring lawful data collection and lawful use of AI features.

Customer instructs and authorizes OmniNext (and its Sub-Processors) to transfer Customer Personal Data internationally where reasonably necessary to provide the Services, provided such transfers are conducted in compliance with Applicable Data Protection Laws.

Where required, OmniNext shall implement:

• Standard Contractual Clauses;
• Supplemental safeguards;
• Contractual data protection obligations with Sub-Processors.

Processing for service improvement shall be limited to:

• Anonymized or aggregated data;
• System performance diagnostics;
• Security analysis;
• Feature optimization.

Customer Personal Data shall not be repurposed beyond the scope of the Agreement.

OmniNext Tech LLC ("OmniNext") maintains strict internal access governance procedures for all personnel who may access Customer Personal Data.

OmniNext shall:

1. Ensure that employees, contractors, and agents with access to Customer Personal Data undergo appropriate background vetting consistent with their role and applicable law.
2. Limit access to Customer Personal Data strictly on a role-based, least-privilege basis, ensuring access is granted only where operationally required to provide the Services or comply with legal obligations.
3. Require all personnel with access to Customer Personal Data to be bound by:
   • Written confidentiality agreements,
   • Professional confidentiality duties, and/or
   • Statutory confidentiality obligations.
4. Maintain internal access logging and monitoring systems to detect unauthorized access or misuse.

Access rights are regularly reviewed and revoked promptly upon role change or termination.

OmniNext implements and maintains technical, administrative, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, disclosure, alteration, or destruction.

Security controls are documented in Appendix I to Exhibit A and are designed in consideration of:

• The nature and scope of the Services;
• The sensitivity and volume of data processed;
• The evolving threat landscape;
• The state of the art in cybersecurity practices;
• Implementation costs proportional to risk;
• Risks to the rights and freedoms of individuals.

Security measures may include, where applicable:

• Encryption in transit and at rest;
• Role-based access controls;
• Multi-factor authentication;
• Infrastructure segmentation;
• Secure API architecture;
• Logging and anomaly detection;
• AI-specific input/output containment controls;
• Incident response procedures;
• Vendor risk management programs.

OmniNext may update its security measures from time to time provided that such updates do not materially reduce the level of protection afforded to Customer Personal Data.

Customer grants OmniNext general authorization to engage Sub-Processors to assist in providing the Services.

Sub-Processors may include infrastructure providers, AI service providers, messaging carriers, payment processors, analytics vendors, and cloud hosting services.

OmniNext will maintain an up-to-date list of Sub-Processors on its website.

If OmniNext intends to appoint a new Sub-Processor that will Process Customer Personal Data, OmniNext will provide advance notice via its Sub-Processor listing or subscription notification system.

Customer may subscribe to receive update notifications.

Customer may object to the appointment of a new Sub-Processor within thirty (30) days of notification if the objection is based on reasonable data protection grounds.

If an objection is received:

• The parties will work in good faith to address the concern;
• OmniNext may offer an alternative configuration, limitation of processing scope, or technical safeguard;
• If no resolution is reasonably achievable, Customer may terminate the affected Services upon written notice.

Termination under this Section shall apply only to impacted Services and shall not affect unrelated Services.

OmniNext shall ensure that each Sub-Processor:

1. Accesses Customer Personal Data only to the extent necessary to provide contracted services;
2. Is bound by written agreements imposing data protection obligations substantially equivalent to those set forth in this Addendum;
3. Implements appropriate security safeguards consistent with industry standards.

OmniNext remains responsible for the performance of its Sub-Processors in relation to their data protection obligations under this Addendum.

Taking into account the nature of the Services and available technical controls, OmniNext will assist Customer in responding to valid Data Subject rights requests under Applicable Data Protection Laws.

If OmniNext receives a request directly from a Data Subject regarding Customer Personal Data, OmniNext will:

1. Promptly notify Customer;
2. Not respond directly unless legally required to do so;
3. Follow Customer's documented instructions regarding response handling.

OmniNext will provide commercially reasonable assistance to enable Customer to:

• Provide access to Personal Data;
• Correct inaccurate data;
• Delete or restrict data;
• Facilitate portability where technically feasible.

Customer remains responsible for verifying the identity of Data Subjects and determining the validity of requests.

If OmniNext becomes aware of a confirmed or reasonably suspected Personal Data Breach affecting Customer Personal Data, OmniNext will:

1. Immediately initiate containment procedures;
2. Secure affected systems;
3. Preserve forensic evidence where appropriate.

OmniNext will notify Customer without undue delay and, where feasible, within seventy-two (72) hours of confirming awareness of a Personal Data Breach affecting Customer Personal Data.

Initial notification will include, to the extent reasonably available:

• A description of the nature of the incident;
• Categories of Personal Data affected;
• Approximate number of Data Subjects affected (if known);
• Likely consequences of the breach;
• Measures taken or proposed to remediate the breach.

OmniNext will supplement notifications as additional information becomes available.

OmniNext will provide reasonable assistance to Customer in meeting any regulatory notification obligations, including:

• Supervisory authority reporting;
• Data Subject notification where required;
• Documentation for compliance records.

Notification of a Personal Data Breach or participation in incident response activities shall not constitute an admission of fault, negligence, or liability by OmniNext.

To the extent required under Applicable Data Protection Laws, OmniNext Tech LLC ("OmniNext") will provide commercially reasonable assistance to Customer in connection with:

• Data Protection Impact Assessments (DPIAs);
• Transfer Impact Assessments (TIAs);
• Prior consultations with Supervisory Authorities; and
• Regulatory inquiries relating to Customer Personal Data processed through the Services.

Such assistance shall:

1. Be limited to Customer Personal Data processed by OmniNext;
2. Take into account the nature of the Services and information reasonably available to OmniNext;
3. Not require OmniNext to disclose confidential security architecture, proprietary technical documentation, or third-party protected information beyond what is reasonably necessary.

Customer remains responsible for determining whether a DPIA or consultation is required and for preparing and submitting any required filings.

OmniNext provides Customer with administrative tools and APIs that enable:

• Data export,
• Data deletion,
• Account-level erasure requests,
• Retention configuration settings.

Customer is responsible for initiating deletion requests through available technical mechanisms.

Upon termination or expiration of the Services:

1. Customer will have access to its data for the duration specified in the Terms of Service;
2. During that period, Customer may export Customer Personal Data;
3. Following the expiration of that retention window, OmniNext will delete or render inaccessible Customer Personal Data from production systems.

OmniNext may retain limited Customer Personal Data where required:

• To comply with applicable law;
• For tax, accounting, or audit purposes;
• To resolve disputes;
• To enforce agreements;
• To detect or prevent fraud or abuse;
• For documented security or compliance logging.

Retained data will be isolated and subject to restricted access controls.

Archived or backup data:

• May not be immediately deleted;
• Will be isolated and protected from active processing;
• Will be overwritten or deleted in accordance with OmniNext's standard backup lifecycle.

Backup retention does not constitute active processing.

OmniNext will make available documentation reasonably necessary to demonstrate compliance with this Addendum.

Audit rights shall be limited as follows:

1. Audits must be conducted no more than once annually unless required by law;
2. Audits shall be remote unless an on-site audit is legally mandated;
3. Customer must provide at least thirty (30) days' written notice;
4. Audits must not disrupt OmniNext's operations or compromise other customers' confidentiality;
5. Customer shall bear all costs of audit, including OmniNext's time at standard professional service rates.

OmniNext may satisfy audit obligations through:

• SOC 2 reports,
• ISO certifications,
• Third-party security assessments,
• Compliance attestations.

Direct access to production systems will not be permitted.

If Customer Personal Data originates from or is protected by specific regional data protection laws listed in Exhibit B, the corresponding jurisdiction-specific provisions shall apply in addition to this Addendum.

Where conflicts arise:

• Mandatory local law prevails;
• Jurisdiction-specific clauses override general provisions only to the extent legally required.

Restricted Transfers of Customer Personal Data shall be conducted in accordance with:

• Applicable Data Protection Laws;
• Standard Contractual Clauses (SCCs), where required;
• Alternative lawful transfer mechanisms;
• Data Privacy Framework participation where applicable.

If new SCCs or replacement transfer frameworks are adopted by regulatory authorities, this Addendum shall automatically incorporate such mechanisms without requiring re-execution.

OmniNext reserves the right to rely on:

• Binding Corporate Rules (if adopted),
• Approved codes of conduct,
• Adequacy decisions,
• Data Privacy Framework certifications,
• Or other legally recognized safeguards.

OmniNext will notify Customer if it determines that it can no longer meet applicable transfer safeguards.

OmniNext confirms:

1. It does not receive Customer Personal Data as consideration for Services;
2. It does not sell Customer Personal Data for monetary value;
3. It does not share Customer Personal Data for cross-context behavioral advertising unless expressly configured by Customer through the Services;
4. Customer retains all ownership rights in Customer Personal Data.

Nothing in this Addendum transfers ownership of Customer Personal Data to OmniNext.

OmniNext may update this Addendum, its Exhibits, or Appendices:

• To reflect changes in law;
• To address security enhancements;
• To reflect operational or infrastructure changes;
• To implement updated transfer mechanisms.

Material updates will be communicated to Customer in advance.

If Customer objects to a material change within fourteen (14) days:

• The parties will engage in good faith discussion;
• If no resolution is reached, Customer may terminate the affected Services without penalty.

Online versions of exhibits shall supersede prior embedded versions.

Each party's liability under this Addendum shall be subject to the limitations and exclusions of liability contained in the governing Agreement.

Nothing in this Addendum shall expand liability beyond what is required under Applicable Data Protection Laws.

Data protection-related notices shall be directed to the designated Data Protection Contacts listed in Exhibit A.

This Addendum supersedes all prior data processing agreements between the parties relating to the Services.

All non-amended terms of the main Agreement remain in effect.

The parties agree to review this Addendum periodically to ensure:

• Accuracy of processing descriptions,
• Continued adequacy of safeguards,
• Alignment with regulatory developments.

In the event of inconsistency:

1. Applicable Data Protection Laws prevail;
2. Jurisdiction-specific terms prevail over general provisions;
3. This Addendum prevails over conflicting terms in the Agreement regarding data protection.

If any provision is deemed unenforceable, the remainder shall remain valid and enforceable.

If OmniNext determines it cannot comply with a material obligation under this Addendum or Applicable Data Protection Laws, it will:

1. Notify Customer without undue delay; and
2. Take commercially reasonable remediation steps; or
3. If remediation is not feasible, cease the affected processing.

OmniNext may make non-material amendments to cure drafting ambiguities, update definitions, or correct clerical errors without prior notice, provided such changes do not materially reduce data protection safeguards.

Each signatory represents that they have authority to bind their respective entity to this Addendum.

Either party may disclose this Addendum to Supervisory Authorities or regulatory bodies if legally required.