Data Processing Addendum (Template)
Effective when executed. Last updated: April 28, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or written agreement (the “Agreement”) between Golden Boy Holdings LLC (“Processor,” “Golden Boy”) and the customer identified in the Agreement (“Controller,” “Customer”), and reflects the parties’ agreement on Processing of Personal Data on Controller’s behalf.
Status note for Huntor: Use this as the base when an enterprise prospect requests a DPA. Have counsel localize for any non-US Customer. Sub-processor list and SCC annexes are referenced, not embedded — keep them on the live legal page.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement, the GDPR, the CCPA/CPRA, or other applicable Data Protection Laws.
- Personal Data: any information relating to an identified or identifiable natural person Processed by Processor on behalf of Controller in connection with the Service.
- Processing / Process: any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Sub-processor: any third party engaged by Processor to Process Personal Data.
2. Roles and scope
Controller is the controller of Personal Data submitted to or generated through the Service. Processor will Process Personal Data only (a) to provide the Service, (b) on Controller’s documented instructions including those in the Agreement, this DPA, and Controller’s configuration of the Service, and (c) as required by law (with notice to Controller where permitted).
The subject matter, duration, nature, and purpose of Processing, and the categories of data subjects and Personal Data, are described in Annex I.
3. Confidentiality and personnel
Processor ensures personnel authorized to Process Personal Data are bound by confidentiality obligations and receive appropriate training.
4. Security
Processor implements and maintains the technical and organizational measures described in Annex II, designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at minimum:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Row-Level Security with strict tenant isolation.
- Mandatory MFA for privileged accounts; SSO/SAML available for enterprise.
- Append-only audit logging with 12-month retention.
- Annual third-party security testing once SOC 2 readiness work begins.
- Documented incident response plan.
5. Sub-processors
Controller authorizes Processor to engage Sub-processors listed at https://app.huntingthegap.com/legal/subprocessors. Processor will:
- Impose data protection obligations on each Sub-processor that are no less protective than this DPA.
- Provide at least 14 days’ prior notice of new or replaced Sub-processors via the URL above or by email to Controller’s designated contact.
- Allow Controller to object on reasonable grounds. If the parties cannot resolve the objection, Controller may terminate the affected portion of the Service for convenience.
6. Data subject requests
Processor will provide reasonable assistance enabling Controller to respond to data subject requests. Where Processor receives a request directly from a data subject, it will instruct the data subject to contact Controller and notify Controller of the request unless prohibited by law.
7. International transfers
Processor primarily Processes Personal Data in the United States. Where transfers are subject to GDPR or UK GDPR, the parties will execute the EU Standard Contractual Clauses and the UK International Data Transfer Addendum as Annex III.
8. Personal Data Breach
Processor will notify Controller without undue delay (and in any event within 72 hours of confirmation) after becoming aware of a Personal Data Breach affecting Controller’s Personal Data, and will provide information reasonably available to assist Controller’s notification obligations.
9. Audit
Once per 12-month period (or more frequently if required by law or following a Personal Data Breach), Controller may, on 30 days’ written notice, conduct an audit of Processor’s compliance with this DPA, subject to Processor’s reasonable security and confidentiality requirements. Processor’s then-current SOC 2 report (when available) satisfies this obligation absent specific cause.
10. Deletion or return
Upon termination of the Agreement, Processor will, at Controller’s option, delete or return all Personal Data within 90 days, except where law requires retention. Backup data is overwritten on a rolling 30-day cycle.
11. Liability
Liability under this DPA is subject to the limitations in the Agreement. This DPA does not increase the parties’ aggregate liability beyond what is set out in the Agreement.
Annex I — Description of Processing
- Categories of data subjects: Customer’s employees and authorized vendors; Customer’s residential and commercial customers (end consumers).
- Categories of Personal Data: Contact information, role/title, IP addresses, device fingerprints, authentication artifacts; service addresses, job records, lead source attribution, ticket size, equipment age, integration tokens.
- Special categories: None expected.
- Frequency of Processing: Continuous.
- Duration: Term of the Agreement plus retention as defined in Section 10.
- Nature and purpose: Hosting, analyzing, and visualizing Customer Data to deliver location intelligence and recommendations.
Annex II — Technical and organizational measures
The measures listed in Section 4 above, implemented in accordance with Processor’s then-current Security Overview at https://app.huntingthegap.com/legal/security.
Annex III — Standard Contractual Clauses
If applicable, the EU SCCs (Module 2) and the UK International Data Transfer Addendum are incorporated. Module-specific elections are set out in the executed signature page.