BEDPOST DATA PROCESSING ADDENDUM (DPA)
Version 1.0 — Effective May 7, 2026

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between Stetty Ventures LLC ("BedPost", "Processor") and the customer identified in the Agreement ("Customer", "Controller") for the provision of the BedPost service ("Services").

Where Customer is a consumer using BedPost in a personal capacity, this DPA applies only to the limited extent BedPost acts as a processor on their behalf (for example, content the user explicitly transmits through the Services). For most consumer use, BedPost acts as the data controller under the Privacy Policy.

================================================================
1. DEFINITIONS
================================================================

"Applicable Data Protection Laws" means (a) Regulation (EU) 2016/679 ("GDPR"); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the California Consumer Privacy Act, as amended by the CPRA ("CCPA"); and (d) any other privacy or data protection law applicable to the Processing of Personal Data under the Agreement.

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-Processor", "Supervisory Authority" and "Special Category Data" have the meanings given in the GDPR.

"SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.

================================================================
2. ROLES AND SCOPE
================================================================

2.1 Roles. Customer is the Controller and BedPost is the Processor of Personal Data Processed under the Agreement, except where BedPost determines the means and purposes of Processing (for example, aggregated usage analytics for product improvement), in which case BedPost is the Controller and its Privacy Policy applies.

2.2 Subject matter, duration, nature and purpose. The subject matter is the provision of the Services.
The duration is the term of the Agreement plus any retention period set out in Section 9.

2.3 Categories of Data Subjects. End users of the Customer's instance of the Services.

2.4 Categories of Personal Data. Account identifiers (email, name), authentication tokens, profile preferences, and, where the Data Subject elects to log it, wellness, cycle, fertility and intimacy data (Special Category Data under Article 9 GDPR).

================================================================
3. PROCESSOR OBLIGATIONS
================================================================

3.1 BedPost shall Process Personal Data only on documented instructions from the Customer, including the instructions set out in the Agreement and this DPA, unless required to do so by law (in which case BedPost shall inform the Customer first unless that law prohibits such notice).

3.2 BedPost shall ensure that personnel authorised to Process Personal Data are bound by written confidentiality obligations.

3.3 BedPost shall implement and maintain the technical and organisational measures set out in Annex II.

3.4 BedPost shall not Sell or Share Personal Data within the meaning of the CCPA.

================================================================
4. SUB-PROCESSING
================================================================

4.1 Customer grants BedPost general authorisation to engage Sub-Processors listed at https://getbedpost.com/subprocessors ("Sub-Processor List").

4.2 BedPost shall give at least 30 days' prior notice of intended additions to or replacements of Sub-Processors. Customer may object on reasonable data-protection grounds; if no resolution is reached within 30 days, Customer may terminate the affected portion of the Services.

4.3 BedPost remains liable to the Customer for the acts and omissions of its Sub-Processors as if performed by BedPost itself.

================================================================
5. DATA SUBJECT REQUESTS
================================================================

5.1 BedPost shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures to fulfil its obligations to respond to Data Subject requests under Chapter III GDPR. Self-service export and deletion are exposed in-product.

5.2 If BedPost receives a request directly from a Data Subject in the Customer's instance, BedPost will redirect that request to the Customer (where identifiable) without responding to the substance.

================================================================
6. SECURITY OF PROCESSING
================================================================

6.1 BedPost shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption in transit (TLS 1.2+), encryption at rest (AES-256), authenticated and rate-limited APIs, audit-logged administrative access, secure SDLC review, and quarterly vulnerability scanning. Full controls are listed in Annex II.

================================================================
7. PERSONAL DATA BREACH
================================================================

7.1 BedPost shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include the information required by Article 33(3) GDPR to the extent then known.

7.2 Internal procedures for detection, triage, escalation and notification are documented in BedPost's Breach Runbook (docs/security/breach-runbook.md), reviewed at least annually.

================================================================
8. DATA PROTECTION IMPACT ASSESSMENT & PRIOR CONSULTATION
================================================================

8.1 BedPost shall provide reasonable assistance to the Customer in carrying out Data Protection Impact Assessments and prior consultations with Supervisory Authorities under Articles 35–36 GDPR.

================================================================
9. RETURN AND DELETION
================================================================

9.1 At the Customer's choice, BedPost shall delete or return all Personal Data after the end of the provision of Services and delete existing copies, unless retention is required by Union or Member State law. Default retention: deletion within 30 days of account termination, except backups, which roll off within 90 days.

================================================================
10. AUDITS
================================================================

10.1 BedPost shall make available to the Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, no more than once per calendar year (and on no less than 30 days' written notice), conducted during business hours and subject to reasonable confidentiality undertakings.

================================================================
11. INTERNATIONAL TRANSFERS
================================================================

11.1 Transfers of Personal Data from the EEA, UK or Switzerland to a country not subject to an adequacy decision are governed by: (a) the SCCs (Module Two: Controller-to-Processor) incorporated by reference and completed by Annex I of this DPA; (b) for UK transfers, the UK International Data Transfer Addendum; (c) for Swiss transfers, the Swiss Federal Data Protection and Information Commissioner's adaptations to the SCCs.
================================================================
12. ORDER OF PRECEDENCE & MISCELLANEOUS
================================================================

12.1 In the event of a conflict between the Agreement and this DPA, this DPA shall prevail to the extent of the conflict and only with respect to Processing of Personal Data.

12.2 This DPA is governed by the law of Wyoming, USA, except where Applicable Data Protection Laws require otherwise.

================================================================
ANNEX I — DETAILS OF PROCESSING (SCC ANNEX I)
================================================================

A. List of parties.
Data Exporter: Customer (as identified in the Agreement).
Data Importer: Stetty Ventures LLC, Wyoming, USA.
Contact for both: privacy@getbedpost.com

B. Description of transfer.
Categories of data subjects: end users of the Services.
Categories of personal data: account identifiers, authentication credentials, profile preferences, and, where the data subject elects to log it, wellness/cycle/intimacy data (Special Category Data).
Sensitive data: yes; protected by the access controls listed in Annex II.
Frequency: continuous.
Nature: storage, retrieval, computation, transmission to authorised sub-processors.
Purpose: provision of the Services as described in the Agreement.
Retention: see Section 9.

C. Competent supervisory authority.
For EU data subjects: the lead supervisory authority of the data exporter's Member State.
For UK data subjects: the UK Information Commissioner's Office.

================================================================
ANNEX II — TECHNICAL AND ORGANISATIONAL MEASURES
================================================================

1. Encryption.
- In transit: TLS 1.2+ enforced on all public endpoints; HSTS with a 1-year max-age.
- At rest: database storage encrypted with AES-256; per-user credential blobs additionally encrypted with AES-256-GCM under a versioned, rotatable application key (HKDF-SHA256-derived).

2. Access control.
- Production database access is limited to on-call engineers; every administrative action against the admin dashboard is written to an immutable audit log (admin_audit_log).
- Multi-factor authentication (TOTP) is mandatory for the admin dashboard. Idle session timeout is 30 minutes (sliding).
- Optional CIDR allowlist (ADMIN_IP_ALLOWLIST) restricts admin access to designated networks.

3. Network security.
- Helmet-configured HTTP security headers (HSTS, CSP, COOP, Referrer-Policy, Permissions-Policy).
- CSRF protection (double-submit cookie) on all cookie-authenticated surfaces.
- Brute-force throttling (Postgres-backed) on all authentication endpoints, with constant-shape responses so that throttled and unthrottled replies are indistinguishable to the caller.

4. Logging and monitoring.
- Sentry crash reporting with PII scrubbing.
- Server-side console output is wrapped with a redactor that masks authorization headers, cookies, tokens, secrets and OTP codes, and partially masks email addresses.
- Webhook idempotency (claim-once table) prevents duplicate processing across retries.

5. Secure SDLC.
- All changes are peer-reviewed before merge.
- Dependencies are tracked and audited for known vulnerabilities.

6. Resilience.
- Daily database backups retained for 30 days.
- Disaster-recovery procedures rehearsed at least annually.

7. Data minimisation.
- Health and wellness data is never used for advertising.
- Analytics events are anonymised before transmission and IP-anonymised at the analytics provider.

8. Sub-processor management.
- Public list at https://getbedpost.com/subprocessors with 30-day notice of changes.
- Each sub-processor is bound by a DPA equivalent in substance to this DPA.
================================================================
ANNEX III — LIST OF SUB-PROCESSORS
================================================================

The current list of sub-processors is published at https://getbedpost.com/subprocessors and is incorporated into this DPA by reference.

--------------------------------------------------------------------------
Questions: privacy@getbedpost.com

This DPA is provided as a standard contractual framework. BedPost is willing to negotiate bespoke amendments with enterprise customers on request. A signed counterpart will be returned within 10 business days of countersignature by Customer.
--------------------------------------------------------------------------