CUSTOMER DATA PROCESSING ADDENDUM

Last Updated: December 2025

This Customer Data Processing Addendum, including its exhibits and appendices (the “Addendum”), is entered into between Aesthetix CRM LLC, a limited liability company incorporated under the laws of South Carolina, United States (“Aesthetix CRM”, “Company”, “we”, “us”, “our”), and the counterparty accepting this Addendum (“Customer”) (each, a “Party” and, collectively, the “Parties”) by virtue of the Customer signing and accepting the Terms of Service Agreement (the “Agreement”).

As of the effective date of the Agreement (the “Effective Date”), the terms of this Addendum shall be incorporated by reference and be part of the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this Addendum will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. For clarity, the Standard Contractual Clauses prevail over any other term of this Addendum.

1. DEFINITIONS

For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below:

“Account” means any accounts or instances created by, or on behalf of, Customer or its Affiliates within the Services.

“Affiliate” means any entity within a controlled group of companies that directly or indirectly, through one or more intermediaries, is controlling, controlled by, or under common control with one of the Parties.

“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Customer Personal Data, including but not limited to the GDPR, UK GDPR, CCPA, and other laws identified in Exhibit B, as amended from time to time.

“Contracted Processor” means any third party appointed by or on behalf of Aesthetix CRM to Process Customer Personal Data in connection with the Services, including sub-processors.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer Personal Data” means Personal Data contained within Customer Data that Aesthetix CRM Processes by or on behalf of Customer to provide the Services. Customer Personal Data does not include Customer’s Account information.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and, where applicable, the UK GDPR.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

“Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller.

“Restricted Transfer” means any transfer of Customer Personal Data to a country outside the EEA, UK, or Switzerland that does not benefit from an adequacy decision.

“SCCs” or “Standard Contractual Clauses” means the model clauses for Restricted Transfers adopted by the European Commission or other relevant authorities.

“Services” means the CRM platform, marketing automation, communication tools, and related services provided by Aesthetix CRM pursuant to the Agreement.

“Sub-Processor” means a direct Processor engaged by Aesthetix CRM to Process Customer Personal Data.

2. SCOPE AND APPLICABILITY

2.1 Duration

This Addendum shall take effect on the Effective Date and shall continue for the duration that Personal Data is Processed by Aesthetix CRM pursuant to the Agreement.

2.2 Scope

This Addendum applies to the Processing of all Customer Personal Data, regardless of country of origin, place of Processing, location of Data Subjects, or any other factor.

2.3 Exhibits and Appendices

This Addendum includes the following:

  • Exhibit A – Details of Processing
  • Appendix I to Exhibit A – Technical and Organizational Security Measures
  • Exhibit B – Jurisdiction Specific Terms
  • Exhibit C – List of Sub-Processors

3. PROCESSING OF CUSTOMER PERSONAL DATA

3.1 Roles of the Parties

Aesthetix CRM will act as a Processor of Customer Personal Data. Customer will act as the Controller of Customer Personal Data. To the extent Customer acts as a Processor to other parties, Aesthetix CRM will act as the Sub-Processor to Customer.

3.2 Processor Obligations

Aesthetix CRM shall:

  1. Comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data;
  2. Not Process Customer Personal Data other than on Customer’s documented instructions, unless required by law;
  3. Immediately inform Customer if, in Aesthetix CRM’s reasonable opinion, an instruction infringes Applicable Data Protection Laws;
  4. Ensure that persons authorized to Process Customer Personal Data are subject to confidentiality obligations.

4. PERSONNEL

Aesthetix CRM shall take reasonable steps to ensure:

  1. The reliability of any employee, agent, or contractor who may have access to Customer Personal Data;
  2. That access to Customer Personal Data is strictly limited to those individuals who need access to fulfill documented instructions;
  3. That all such individuals are subject to formal confidentiality undertakings or statutory obligations of confidentiality.

5. SECURITY OF PROCESSING

Aesthetix CRM shall implement and maintain the administrative, technical, and organizational security measures identified in Appendix I to Exhibit A, which ensure a level of security appropriate to the risk of Processing, taking into account the state of the art, costs of implementation, the nature and purposes of Processing, and the risks to Data Subjects.

6. SUB-PROCESSORS

6.1 Authorization

Customer authorizes Aesthetix CRM to engage the Sub-Processors listed in Exhibit C and to appoint additional Sub-Processors, provided the obligations of this Section are met.

6.2 Notification of Changes

Aesthetix CRM will provide Customer with written notice of any new Sub-Processor, including the details of Processing to be undertaken. The current list of Sub-Processors is available at https://aesthetixcrm.com/sub-processors.

6.3 Objection Rights

Customer will have thirty (30) days from notice to object to a new Sub-Processor. If no objection is received, Customer is deemed to have consented. If Customer objects and no resolution is reached, Customer may terminate the Agreement with no further fees due.

6.4 Sub-Processor Requirements

Aesthetix CRM shall ensure that each Sub-Processor is bound by written obligations that provide at least the same level of protection as this Addendum. Aesthetix CRM remains fully liable for the performance of its Sub-Processors.

7. DATA SUBJECT RIGHTS

Aesthetix CRM shall assist Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws by:

  1. Promptly notifying Customer of any requests received directly from Data Subjects;
  2. Not responding to such requests except on Customer’s documented instructions or as required by law;
  3. Implementing appropriate technical and organizational measures to enable Customer to respond to such requests.

8. PERSONAL DATA BREACHES

8.1 Breach Response

If Aesthetix CRM becomes aware of a Personal Data Breach affecting Customer Personal Data, Aesthetix CRM will:

  1. Immediately implement measures to stop unauthorized access and secure the data;
  2. Notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.

8.2 Breach Information

Aesthetix CRM shall provide Customer with:

  1. The nature of the breach, including categories and approximate number of Data Subjects and records affected;
  2. The likely consequences of the breach;
  3. Measures taken or proposed to address and mitigate the breach;
  4. Assistance in meeting Customer’s notification obligations to authorities and Data Subjects.

9. DATA PROTECTION ASSESSMENTS

Aesthetix CRM shall provide Customer with relevant information and documentation, and assist Customer in complying with data protection impact assessments and prior consultations with Supervisory Authorities when required, solely with regard to Customer Personal Data Processed by Aesthetix CRM.

10. DELETION OR RETURN OF PERSONAL DATA

Upon termination or expiration of the Agreement, or upon Customer’s request:

  1. Aesthetix CRM will permanently delete all Customer Personal Data from active systems within thirty (30) days;
  2. Backups containing Customer Personal Data will be cycled out within ninety (90) days;
  3. Upon request, Aesthetix CRM will provide written confirmation of deletion;
  4. Customer is responsible for exporting data prior to termination.

11. AUDIT RIGHTS

Aesthetix CRM shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer with regard to Processing of Customer Personal Data. Customer shall provide reasonable notice and audits shall be conducted during normal business hours with minimal disruption to operations.

12. RESTRICTED TRANSFERS

Restricted Transfers shall be conducted in accordance with Exhibit B and Applicable Data Protection Laws. Where Restricted Transfers occur, they shall be subject to the Standard Contractual Clauses or other appropriate safeguards approved under Applicable Data Protection Laws.

13. NO SELLING OF CUSTOMER PERSONAL DATA

Aesthetix CRM confirms that it does not receive Customer Personal Data as consideration for any Services. Customer retains all rights and interests in Customer Personal Data. Aesthetix CRM will not sell, share, or otherwise make available Customer Personal Data to third parties except as necessary to provide the Services or as required by law.

14. LIABILITY

The liability of each Party under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement, except where prohibited by Applicable Data Protection Laws.

15. GENERAL TERMS

15.1 Contact Information

Data Protection Contact: privacy@aesthetixcrm.com

Address: 2541 N Pleasantburg Dr Ste 338, Greenville, SC 29609

15.2 Amendment

Aesthetix CRM may update this Addendum with prior notice to Customer. If Customer does not object within fourteen (14) days, changes are deemed accepted.

15.3 Governing Law

This Addendum is governed by the laws of the State of South Carolina, except where Applicable Data Protection Laws require otherwise.

EXHIBIT A: DETAILS OF PROCESSING

  1. LIST OF PARTIES

Data Exporter | Customer as specified in the Agreement
Data Importer | Aesthetix CRM LLC, 2541 N Pleasantburg Dr Ste 338, Greenville, SC 29609, United States
Data Protection Contact | privacy@aesthetixcrm.com
Role | Customer is Controller; Aesthetix CRM is Processor (or Sub-Processor where Customer is Processor)

  2. DETAILS OF PROCESSING

Subject Matter | Provision of CRM, marketing automation, communication, and related services
Nature and Purpose | Processing to provide Services including: contact management, marketing campaigns (SMS, email), appointment scheduling, pipeline management, communication logging, AI-powered automation, analytics and reporting
Duration | For the duration Customer uses the Services, plus retention periods specified in the Agreement
Categories of Data Subjects | Patients/customers of Customer, leads/prospects, Customer employees and users, website visitors
Categories of Personal Data | Contact information (names, email, phone, address); communication content (SMS, email, call recordings); marketing data (campaign engagement, preferences); transaction data; appointment history; website behavior data; social media data where integrated
Special Categories | None anticipated. Customer must notify Aesthetix CRM before Processing special category data.
Frequency of Transfer | Continuous, for the duration of the Services

APPENDIX I TO EXHIBIT A: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Aesthetix CRM, operating within the HighLevel CRM infrastructure, implements and maintains the following security measures:

Measure Type | Description
Encryption at Rest | All personal data encrypted with AES-256 CBC
Encryption in Transit | TLS v1.2+ for all data transmission; SSL certificates and HTTPS enforced
Access Controls | Role-based access control (RBAC); encrypted signed tokens; password protection; MFA for employee access
Infrastructure Security | Hosted on Google Cloud Platform and AWS with SOC 2 Type 2 and ISO 27001 certifications; network-level access control lists; firewall protection
Data Backup | Daily backups with point-in-time recovery; 7 days retention; backups monitored for successful execution
Vulnerability Management | Regular vulnerability scans; annual penetration testing; automated patch management
Logging and Monitoring | Comprehensive event logging; centralized log storage; security monitoring by an MSSP providing SOC monitoring
Employee Security | Background checks; security awareness training; confidentiality obligations; endpoint protection on devices
Data Minimization | Minimum data requirements; optional fields; customer-controlled data retention settings
Incident Response | Documented breach response procedures; 72-hour notification commitment

EXHIBIT B: JURISDICTION SPECIFIC TERMS

  1. European Economic Area (EEA)

For Processing subject to the EU GDPR, the EU 2021 Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated by reference. Module Two (Controller-to-Processor) applies. The competent supervisory authority is the European Data Protection Board. The governing law is that of the Republic of Ireland.

  2. United Kingdom

For Processing subject to UK Data Protection Laws, the EU 2021 SCCs as modified by the UK Transfer Addendum issued by the UK ICO apply. The governing law is that of England and Wales. The competent supervisory authority is the UK Information Commissioner’s Office.

  3. Switzerland

For Processing subject to Swiss Data Protection Laws, the EU 2021 SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC). The governing law is that of Switzerland.

  4. United States

For Processing subject to US Data Protection Laws including the CCPA, CPRA, and similar state laws:

  1. Aesthetix CRM acts as a “Service Provider” as defined under applicable US privacy laws;
  2. Aesthetix CRM will not sell or share Customer Personal Data;
  3. Aesthetix CRM will not retain, use, or disclose data except to provide Services or as permitted by law;
  4. Aesthetix CRM certifies understanding of these restrictions and agrees to comply.

  5. Brazil

For Processing subject to Brazil’s Lei Geral de Proteção de Dados (LGPD), the Brazilian Standard Contractual Clauses adopted by ANPD apply where required for international transfers.

  6. Australia

For Processing subject to the Australian Privacy Act (1988) and Australian Privacy Principles, Aesthetix CRM will comply with applicable requirements for overseas disclosure of personal information.

  7. Canada

For Processing subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Aesthetix CRM will comply with applicable cross-border transfer requirements.

EXHIBIT C: LIST OF SUB-PROCESSORS

The following Sub-Processors are authorized to Process Customer Personal Data. An updated list is available at https://aesthetixcrm.com/sub-processors.

Core Infrastructure Sub-Processors

Entity Name | Description of Processing | Location
HighLevel Inc. | Core CRM platform infrastructure and services | United States
Google Cloud Platform | Cloud hosting and data storage | United States
Amazon Web Services | Cloud hosting and data storage | United States
Cloudflare Inc. | CDN, security, DNS, and performance services | United States
DigitalOcean LLC | Cloud hosting and infrastructure | United States
Vercel Inc. | Application hosting and deployment | United States
Supabase Inc. | Database and backend services | United States

Communication Sub-Processors

Entity Name | Description of Processing | Location
Twilio Inc. | SMS, voice, and communication services | United States
Mailgun Technologies | Email delivery services | United States

AI Sub-Processors

Entity Name | Description of Processing | Location
OpenAI | AI-powered content and automation features | United States
BotPress | AI chatbot functionality | United States
RetellAI | Voice AI services | United States
Synthflow | AI provider services | United States

Payment Sub-Processors

Entity Name | Description of Processing | Location
Stripe Inc. | Payment processing | United States
Nuvei Technologies | Payment processing services | Canada/Global

Other Sub-Processors

Entity Name | Description of Processing | Location
Zapier Inc. | Workflow automation and integrations | United States
Freshworks Inc. | Customer support services | United States
Gleap | Customer support services | United States
Nightly Data, Inc. DBA Rubie | Customer Import Data Service | United States
Pendo.io | Product analytics | United States
ChartMogul | Subscription analytics | United States
HighLevel India | Services and support | India
LeadConnector LLC | Communication services and support | United States