Calibri Data Processing Addendum

Quilqy Inc. d/b/a Calibri
2093 Philadelphia Pike #7144, Claymont, DE 19703

Effective date: 21 May 2026
Last updated: 21 May 2026


1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Quilqy Inc., a Delaware corporation doing business as Calibri ("Calibri", "we", "us"), under which Calibri provides services to the Customer (the "Agreement"). This DPA applies whenever Calibri processes Personal Data of EU, UK, Swiss, or California data subjects on behalf of the Customer in connection with the Service.

In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.

The Customer accepts this DPA on behalf of itself and, to the extent required, on behalf of its authorized affiliates and end users.


2. Definitions

Capitalized terms not defined here have the meanings given to them in the Agreement.

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK Data Protection Law"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and any other equivalent laws.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-Processor", "Personal Data Breach", and "Supervisory Authority" have the meanings given to them in Applicable Data Protection Law (or, under the CCPA, the equivalent concepts of "Business", "Service Provider", "Consumer", and "Personal Information").
  • "Customer Personal Data" means Personal Data that Calibri processes on behalf of the Customer in providing the Service.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021, as may be amended from time to time.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office, version B1.0.

3. Roles of the Parties

The parties agree that, with respect to Customer Personal Data:

  • The Customer is the Controller (or, where the Customer is itself a processor for a third-party controller, the Customer is the Processor acting on behalf of that controller).
  • Calibri is the Processor acting on behalf of the Customer.

Under the CCPA, Calibri acts as a Service Provider to the Customer.

Each party will comply with its respective obligations under Applicable Data Protection Law.


4. Scope and Instructions

4.1 Documented Instructions

Calibri will process Customer Personal Data only:

  • as necessary to provide the Service under the Agreement;
  • in accordance with the Customer's documented written instructions, including those set out in this DPA and the Agreement;
  • as required by applicable law (in which case Calibri will, where legally permitted, inform the Customer of the legal requirement before processing).

4.2 No Sale or Sharing of Personal Information

Calibri will not "sell" or "share" Customer Personal Data within the meaning of the CCPA, and will not retain, use, or disclose it for any purpose other than the specific purposes set out in this DPA and the Agreement, including for any "commercial purpose" (as defined under the CCPA) other than providing the Service.

4.3 Notification of Unlawful Instructions

Calibri will notify the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law (without obligation to perform a legal review).

4.4 Details of Processing

The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects covered by the processing are described in Annex A.


5. Confidentiality

Calibri will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and are trained on their data protection responsibilities. Access to Customer Personal Data is limited to personnel who need access to perform their role.


6. Security

Calibri will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, that data. A description of the measures Calibri applies is set out in Annex B.

Calibri may update these measures from time to time, provided that the level of security is not materially reduced.


7. Sub-Processors

7.1 General Authorization

The Customer grants Calibri general authorization to engage Sub-Processors to process Customer Personal Data in connection with the Service.

7.2 Current Sub-Processors

A list of Calibri's current Sub-Processors is set out in Annex C and is updated from time to time.

7.3 Sub-Processor Obligations

Calibri will enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those in this DPA, to the extent applicable to the services provided by that Sub-Processor.

7.4 Changes to Sub-Processors

Calibri will give the Customer reasonable prior notice (at least 14 days, where practicable) of any intended addition or replacement of a Sub-Processor. The Customer may object on reasonable data protection grounds by notifying Calibri in writing during the notice period. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Service for convenience, with a pro-rata refund of any prepaid fees covering the period after termination.

7.5 Liability for Sub-Processors

Calibri remains responsible for its Sub-Processors' performance of their obligations relating to the processing of Customer Personal Data.


8. Assistance to the Customer

8.1 Data Subject Requests

Calibri will, taking into account the nature of the processing and to the extent reasonably possible, assist the Customer through appropriate technical and organizational measures in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law. If Calibri receives a request directly from a Data Subject relating to Customer Personal Data, it will, without undue delay, forward the request to the Customer and not respond to the Data Subject directly except to acknowledge receipt and to instruct the Data Subject to contact the Customer.

8.2 Other Obligations

Calibri will provide reasonable assistance to the Customer with:

  • data protection impact assessments;
  • prior consultations with Supervisory Authorities;
  • responding to inquiries or investigations by Supervisory Authorities,

in each case to the extent the Customer cannot reasonably perform these obligations without Calibri's involvement and taking into account the information available to Calibri.

Calibri may charge a reasonable fee for assistance that goes beyond what Applicable Data Protection Law requires Calibri to provide free of charge.


9. Personal Data Breaches

Calibri will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known:

  • the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its adverse effects;
  • a contact point for further information.

Calibri will cooperate reasonably with the Customer in investigating and responding to the breach.

Notifying the Customer is not an acknowledgment by Calibri of fault or liability.


10. International Data Transfers

10.1 Transfers Outside the EEA / UK / Switzerland

To the extent Calibri processes Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that is not the subject of an adequacy decision, the parties agree that the Standard Contractual Clauses are incorporated into this DPA by reference and apply as follows:

  • Module Two (Controller to Processor) applies where the Customer is a Controller and Calibri is a Processor;
  • Module Three (Processor to Processor) applies where the Customer is a Processor and Calibri is a Sub-Processor.

For each applicable module:

  • Clause 7 (docking clause) is included.
  • Clause 9 — Option 2 (general written authorization) applies; the notice period for Sub-Processor changes is the period specified in Section 7.4.
  • Clause 11 — the optional independent dispute resolution language is not included.
  • Clause 17 — Option 1 applies; the SCCs are governed by the law of Ireland.
  • Clause 18 — disputes will be resolved by the courts of Ireland.
  • Annexes I, II, and III to the SCCs are populated by Annex A, Annex B, and Annex C of this DPA, respectively.

10.2 UK Transfers

For transfers subject to UK Data Protection Law, the UK Addendum is incorporated by reference and supplements the SCCs. The information required in Tables 1–3 of the UK Addendum is taken from this DPA and its Annexes; Table 4 is completed such that either party may end the UK Addendum as set out in its Section 19.

10.3 Swiss Transfers

For transfers subject to the Swiss FADP, the SCCs apply with the following modifications: references to the GDPR are interpreted as references to the FADP; the term "Member State" does not prevent Swiss Data Subjects from exercising their rights in their place of habitual residence; and the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner.

10.4 Conflict

In the event of any conflict between the SCCs (or the UK Addendum) and the rest of this DPA, the SCCs (or the UK Addendum, as applicable) control with respect to the relevant transfers.


11. Audits

11.1 Information

Calibri will make available to the Customer information necessary to demonstrate compliance with this DPA, including by providing summaries of its most recent third-party audits or certifications (where any exist) and responses to reasonable security or compliance questionnaires.

11.2 On-Site Audits

Where the Customer reasonably considers that information made available under Section 11.1 is insufficient, the Customer may, on at least 30 days' written notice and not more than once per year (except in the case of a confirmed Personal Data Breach or a binding instruction from a Supervisory Authority), conduct or mandate a qualified independent third-party auditor to conduct an audit of Calibri's relevant processing operations. The auditor must execute appropriate confidentiality undertakings. Audits will be conducted during normal business hours, with minimum disruption, and at the Customer's cost.


12. Return or Deletion of Customer Personal Data

On termination or expiration of the Agreement, Calibri will, at the Customer's choice, return or delete Customer Personal Data in its possession, except where applicable law requires continued storage. Backup copies may persist in encrypted form for a limited period for business-continuity purposes and will be deleted in the ordinary course of Calibri's backup rotation.

Unless the Customer instructs otherwise within 30 days after termination, Calibri may delete Customer Personal Data in accordance with its standard retention policy.


13. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, the liability cap in the Agreement applies in the aggregate to all claims arising under the Agreement and this DPA together.


14. Term

This DPA takes effect on the effective date set out above and remains in effect for as long as Calibri processes Customer Personal Data under the Agreement. Termination of the Agreement automatically terminates this DPA, except that provisions that by their nature should survive termination will survive.


15. Governing Law

This DPA is governed by the law of the State of Delaware, except that the SCCs and the UK Addendum are governed by the laws specified in Sections 10.1 and 10.2 respectively.


16. Contact

Quilqy Inc. d/b/a Calibri
2093 Philadelphia Pike #7144, Claymont, DE 19703
Privacy contact: oleg@funnelbakers.com


Annex A — Details of Processing

Subject matter: Provision of the Service described in the Agreement.

Duration of processing: For the term of the Agreement, plus any retention period required under the Agreement, this DPA, or applicable law.

Nature and purpose of processing: Operating an AI-powered email deliverability service for the Customer, including: connecting to the Customer's email accounts via OAuth (Google Workspace / Microsoft 365), reading and analyzing email metadata and content for deliverability signals, generating AI-assisted recommendations and reports, storing deliverability metrics and account configuration, and producing analytics for the Customer's review.

Categories of Data Subjects:

  • Customer's personnel and authorized users of the Service;
  • Customer's prospects, leads, and contacts whose data the Customer provides to the Service;
  • Other individuals identified in communications processed through the Service.

Categories of Personal Data:

  • Name, business email address, business phone number, job title, employer, professional background, public social profile information (e.g., LinkedIn URL), and similar B2B contact data;
  • Communications content (email and message bodies, reply content, threading metadata);
  • Engagement data (opens, clicks, replies, bounces, unsubscribes, meeting bookings);
  • Account, login, and access information for Customer personnel.

Sensitive data: Not intended. Customer agrees not to provide special categories of data (Article 9 GDPR) or sensitive personal information (CCPA) through the Service except where strictly necessary and lawful.

Frequency of transfer: Continuous, for the duration of the Service.

Recipients: Calibri personnel and Sub-Processors listed in Annex C.


Annex B — Technical and Organizational Measures

Calibri implements and maintains the following measures, as appropriate to the risk of the processing:

  • Access control: Role-based access to systems processing Customer Personal Data; multi-factor authentication on administrator accounts; password complexity and rotation requirements; revocation of access on termination.
  • Encryption: Transport encryption (TLS) for data in transit; encryption at rest for production data stores, to the extent supported by the underlying infrastructure provider.
  • Network security: Firewalls, restricted ingress, and segmentation of production systems from corporate systems.
  • Application security: Secure software development practices; dependency monitoring; restriction of credentials from source-controlled code.
  • Personnel security: Confidentiality obligations; security and privacy awareness for personnel with access to Customer Personal Data.
  • Vendor management: Selection of Sub-Processors with appropriate data protection commitments; written agreements imposing equivalent obligations.
  • Logging and monitoring: Audit logs of administrative access; monitoring for security events.
  • Incident response: Documented procedures for detection, response, and notification of Personal Data Breaches.
  • Business continuity: Regular backups; documented recovery procedures.
  • Physical security: Reliance on certified data center providers (Hetzner Online GmbH, Lovable AB) for physical access controls to underlying infrastructure. Self-operated infrastructure is held in secured premises in Germany.

These measures may be updated from time to time, provided that the overall level of security is not materially reduced.


Annex C — Sub-Processors

Calibri uses the following Sub-Processors to support the Service:

Sub-Processor | Purpose | Location of Processing
Stripe, Inc. | Payment processing | United States
Hetzner Online GmbH | Application hosting and infrastructure | Germany
Lovable AB | Frontend application platform | Sweden
GoDaddy.com, LLC | Domain and related services | United States
Google LLC | Business email, document storage, and connectivity to Customer Google Workspace mailboxes (OAuth) | United States / EEA
Microsoft Corporation | Connectivity to Customer Microsoft 365 / Outlook mailboxes (OAuth) | United States / EEA
Anthropic, PBC | AI processing for deliverability analysis and recommendations | United States
Calibri-operated infrastructure | Internal data orchestration | Germany

Calibri will maintain an updated list and provide notice of changes as set out in Section 7.4.