CUSTOMER DATA PROCESSING ADDENDUM

This Customer Data Processing Addendum, including its exhibits and appendices (the “Addendum”) is entered into between Aesthetix CRM LLC, a limited liability company incorporated under the laws of South Carolina, United States (“Aesthetix CRM,” “Company,” “we,” “us,” “our”), and the counterparty accepting this Addendum (“Customer”) (each, a “Party” and, collectively, the “Parties”) by virtue of the Customer signing and accepting the Terms of Service Agreement (the “Agreement”).

As of the effective date of the Agreement (the “Effective Date”), the terms of this Addendum shall be incorporated by reference and be part of the Agreement. In case of any conflict, this Addendum takes precedence over the Agreement to the extent of such conflict. The Standard Contractual Clauses prevail over any other term of this Addendum.

1. Definitions

“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data, including the GDPR, UK GDPR, CCPA/CPRA, and other laws identified in Exhibit B, as amended.

“Controller” means the natural or legal person which determines the purposes and means of the Processing of Personal Data.

“Customer Personal Data” means Personal Data contained within Customer Data that Aesthetix CRM Processes on behalf of Customer to provide the Services. Does not include Customer’s Account information.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Infrastructure Providers” means GoHighLevel LLC (CRM platform), Twilio Inc. (communications), DigitalOcean LLC (hosting), Vercel Inc. (application hosting), and Supabase Inc. (database services), with whom Aesthetix CRM maintains Business Associate Agreements and appropriate data protection terms.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

“Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller.

“SCCs” means the Standard Contractual Clauses adopted by the European Commission or other relevant authorities for Restricted Transfers.

“Sub-Processor” means a direct Processor engaged by Aesthetix CRM to Process Customer Personal Data.

2. Scope and Applicability

This Addendum applies to the Processing of all Customer Personal Data, regardless of country of origin, for the duration that Personal Data is Processed pursuant to the Agreement. This Addendum includes: Exhibit A (Details of Processing and Technical Measures), Exhibit B (Jurisdiction Specific Terms), and Exhibit C (Sub-Processors).

3. Processing of Customer Personal Data

3.1 Roles. Aesthetix CRM acts as Processor. Customer acts as Controller. Where Customer is a Processor to other parties, Aesthetix CRM acts as Sub-Processor.

3.2 Obligations. Aesthetix CRM shall: (i) comply with Applicable Data Protection Laws; (ii) Process Customer Personal Data only on Customer’s documented instructions unless required by law; (iii) immediately inform Customer if an instruction infringes Applicable Data Protection Laws; (iv) ensure authorized persons are subject to confidentiality obligations.

3.3 Infrastructure. Aesthetix CRM utilizes Infrastructure Providers (GoHighLevel, Twilio, DigitalOcean, Vercel, Supabase) to deliver the Services. Aesthetix CRM maintains Business Associate Agreements with each Infrastructure Provider and has enabled HIPAA compliance configuration across all customer accounts on HighLevel and Twilio. Aesthetix CRM’s Processing obligations are limited to its own acts and omissions in configuring and deploying the Platform.

4. Personnel

Aesthetix CRM shall ensure: (i) the reliability of employees, agents, or contractors with access to Customer Personal Data; (ii) access is strictly limited to those who need it; (iii) all such individuals are subject to confidentiality obligations.

5. Security of Processing

Aesthetix CRM shall implement and maintain the administrative, technical, and organizational security measures identified in Exhibit A, Appendix I, ensuring a level of security appropriate to the risk of Processing.

6. Sub-Processors

6.1 Authorization. Customer authorizes Aesthetix CRM to engage the Sub-Processors listed in Exhibit C and to appoint additional Sub-Processors, subject to this Section.

6.2 Notification. Aesthetix CRM will provide Customer with written notice of any new Sub-Processor. The current list is at https://aesthetixcrm.com/sub-processors.

6.3 Objection. Customer has thirty (30) days from notice to object to a new Sub-Processor. If no objection is received, Customer is deemed to have consented. If Customer objects and no resolution is reached, Customer may terminate the Agreement with no further fees due.

6.4 Requirements. Each Sub-Processor shall be bound by written obligations providing at least the same protection as this Addendum. Aesthetix CRM remains liable for Sub-Processor performance.

7. Data Subject Rights

Aesthetix CRM shall assist Customer in responding to Data Subject requests by: (i) promptly notifying Customer of requests received directly; (ii) not responding except on Customer’s instructions or as required by law; (iii) implementing appropriate measures to enable Customer to respond.

8. Personal Data Breaches

8.1 Response. If Aesthetix CRM becomes aware of a Personal Data Breach, it will: (i) immediately implement measures to stop unauthorized access; (ii) notify Customer without undue delay and within seventy-two (72) hours of becoming aware.

8.2 Information. Notification shall include: the nature of the breach, categories and approximate number of affected Data Subjects and records, likely consequences, measures taken or proposed, and assistance in meeting Customer’s notification obligations.

9. Data Protection Assessments

Aesthetix CRM shall provide relevant information and assist Customer in complying with data protection impact assessments and prior consultations with Supervisory Authorities, solely regarding Customer Personal Data Processed by Aesthetix CRM.

10. Deletion or Return of Personal Data

Upon termination or Customer’s request: (i) Aesthetix CRM will permanently delete all Customer Personal Data from active systems within thirty (30) days after the export period (90 days); (ii) backups will be cycled out within ninety (90) days; (iii) upon request, Aesthetix CRM will provide written confirmation of deletion; (iv) Customer is responsible for exporting data prior to termination.

11. Audit Rights

Aesthetix CRM shall allow for and contribute to audits by Customer or Customer’s mandated auditor regarding Processing of Customer Personal Data. Customer shall provide reasonable notice and audits shall be conducted during normal business hours with minimal disruption.

12. Restricted Transfers

Restricted Transfers shall be conducted in accordance with Exhibit B and Applicable Data Protection Laws, subject to the Standard Contractual Clauses or other approved safeguards.

13. No Selling of Customer Personal Data

Aesthetix CRM does not receive Customer Personal Data as consideration for Services. Customer retains all rights. Aesthetix CRM will not sell, share, or make available Customer Personal Data except as necessary to provide Services or as required by law.

14. Liability

Each Party’s liability under this Addendum is subject to the exclusions and limitations of liability set out in the Agreement, including the twelve (12) month fee cap, except where prohibited by Applicable Data Protection Laws.

15. General Terms

15.1 Contact. Data Protection Contact: privacy@aesthetixcrm.com

15.2 Amendment. Aesthetix CRM may update this Addendum with thirty (30) days prior written notice to Customer. Material changes that expand the scope of data Processing, reduce Customer rights, or modify security obligations require Customer’s affirmative consent. Non-material changes (formatting, clarification, addition of jurisdictions) take effect after the notice period unless Customer objects.

15.3 Governing Law. This Addendum is governed by the laws of the State of South Carolina, except where Applicable Data Protection Laws require otherwise.

EXHIBIT A: DETAILS OF PROCESSING

APPENDIX I: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

EXHIBIT B: JURISDICTION SPECIFIC TERMS

1. European Economic Area (EEA)

EU 2021 Standard Contractual Clauses (Commission Decision 2021/914) are incorporated. Module Two (Controller-to-Processor) applies. Governing law: Republic of Ireland. Supervisory authority: European Data Protection Board.

2. United Kingdom

EU 2021 SCCs as modified by the UK Transfer Addendum (UK ICO) apply. Governing law: England and Wales. Supervisory authority: UK Information Commissioner’s Office.

3. Switzerland

EU 2021 SCCs with modifications required by the Swiss FDPIC apply. Governing law: Switzerland.

4. United States

Aesthetix CRM acts as a “Service Provider” under applicable US privacy laws (CCPA, CPRA, and similar state laws). Aesthetix CRM will not sell or share Customer Personal Data, will not retain or use data except to provide Services or as permitted by law, and certifies understanding of these restrictions.

5. Brazil

Brazilian Standard Contractual Clauses (ANPD) apply where required for international transfers under the LGPD.

6. Australia

Aesthetix CRM will comply with applicable requirements under the Australian Privacy Act (1988) and Australian Privacy Principles for overseas disclosure.

7. Canada

Aesthetix CRM will comply with applicable cross-border transfer requirements under PIPEDA.

EXHIBIT C: LIST OF SUB-PROCESSORS

An updated list is available at https://aesthetixcrm.com/sub-processors.

Core Infrastructure

Communication

AI

Payment

Other