Data Processing Agreement (DPA)

Last updated: September 10, 2025

This Data Processing Agreement (hereinafter "DPA") is part of, and governed by, the General Terms and Conditions of Service for BRADsearch. It governs the processing of personal data by UAB Invertus ("Processor") on behalf of its client ("Controller").

1. Definitions

Unless otherwise defined herein, capitalized terms shall have the meaning given under the GDPR.

  • Personal Data ("Data"): Any information relating to an identified or identifiable natural person.
  • Data Subject: A natural person whose identity can be directly or indirectly determined, particularly by identifiers like name, ID number, location data, or online identifiers.
  • Data Protection Laws: European and Lithuanian laws governing data protection, including but not limited to the GDPR, national laws, and supervisory authority guidelines.
  • Supervisory Authority: State Data Protection Inspectorate (Lithuania).
  • Sub-Processor: A third party engaged by the Data Processor to process Data on behalf of the Data Controller.
  • Data Breach: A breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
  • Security Measures: Technical and organizational measures ensuring an appropriate level of data security, meeting the minimum requirements set out in the Supervisory Authority's Guidelines.

2. Roles

Controller: The Client, as the data Controller, determines the purposes and means of the processing of personal data under this DPA. The Controller is responsible for ensuring that the processing of personal data complies with applicable data protection laws, including the GDPR.

Processor: UAB Invertus, acting as the data Processor, shall process personal data in accordance with this DPA, applicable data protection laws, and recognized industry best practices.

This DPA forms an integral part of the contractual relationship between the Parties and supplements the BRADsearch General Terms and Conditions of Service. It applies exclusively to the processing of personal data by the Processor on behalf of the Controller in the context of providing the BRADsearch services. This DPA becomes effective from the moment the Controller starts using the Services and the processing will continue for the duration of the subscription and until the Personal Data is deleted in accordance with this DPA.

3. Categories of Data Subjects

We may process personal data of various types of individuals in the course of our business. Depending on your relationship with us, we use your information for different purposes. The main categories of data subjects we handle, and the purposes for processing personal data in each case, are outlined below:

  • Prospective Clients: If you have shown interest in our products or Services (for example, by contacting us or requesting information) but have not yet become a client, we use your personal data to manage the potential relationship. This includes responding to your inquiries, providing the information or quotes you requested, and sending you offers for our Services or products that might interest you. We also keep a record of our communications and use your data to follow up on any questions or issues you have raised. Additionally, with your consent (or as otherwise permitted by law), we may send you marketing communications about our Services to keep you informed of what we offer.
  • Registered Users and Clients: If you have created an account with us or are using our Services as a client, we process your personal data to manage and fulfill our contractual obligations to you. We use this information to provide and maintain the Services you signed up for, to personalize and improve your user experience, and to offer you client support (for example, assisting with any questions or technical issues). We also handle necessary administrative tasks with your data, such as managing billing and payments and resolving any disputes or Service problems. In addition, we implement security measures (using information like authentication data and account activity) to protect your account and our platform against fraud or misuse. Finally, we send you important communications about your account and our Services - such as notifications of new features, changes, or updates - and, where allowed by law, may inform you about related products or special offers that could be of interest to you.
  • Business Partners and Service Providers: If you are a representative or contact person of one of our business partners, vendors, or service providers, we process your work-related personal data to manage and maintain our business relationship with your organization. This includes using your contact details to communicate with you about orders, projects, or contracts, and handling associated administrative operations (like issuing purchase orders, arranging deliveries or services, making payments, and keeping appropriate records). We may also use your information to perform due diligence or compliance checks as required by law or our internal policies (for example, verifying identity for anti-fraud or anti-corruption purposes). Overall, processing this type of data allows us to collaborate effectively with your company and fulfill our mutual contractual obligations.
  • Website Visitors: If you visit our website or use our online Services, we may collect certain data about your interaction with our site through cookies and similar tracking technologies. This browsing data can include information like your IP address, device type, browser settings, and how you navigate or interact with our content. We use this information to analyze and improve the performance and usability of our website - for example, to fix technical issues, understand which pages or features are most popular, and remember your preferences (such as language or display settings). We also use it to ensure the security of our website and Services by detecting and preventing fraud, bugs, or abuse of our systems. Additionally, if you choose to submit your contact information on our website (for instance, by signing up for a newsletter or filling out a contact form), we will use the personal data you provide only for the purposes you submitted it (such as sending the newsletter or responding to your inquiry).
  • Event Attendees: If you register for or attend an event that we host or sponsor (such as a conference, webinar, or workshop), we process your personal data to manage your participation in the event. Typically, this information includes your name, contact details, and any preferences or requirements you share with us (for example, dietary restrictions for a catered event or accessibility accommodations). We use these details to organize the event logistics - for instance, to confirm your registration, prepare attendee materials like badges or schedules, and communicate with you about event updates or instructions. After the event, we may send you a follow-up communication to thank you for attending, provide additional resources or a recap, and gather feedback to help us improve future events. If you give us your consent, we might also contact you about upcoming events or related Services that we believe could be of interest to you.

4. Types of Personal Data and Data Subjects

4.1 Data Provided by the Controller:

The following categories of personal data may be submitted to the Processor by the Controller for processing under this Agreement:

  • Identification and contact details: name, surname, job title, company name, email address, phone number
  • Account data: account credentials (e.g. username, password), authentication tokens, user roles, or permissions
  • Billing and payment information: invoice data, tax identification numbers, payment method details
  • Technical and Usage Data: IP address, country, geographic region, city, browser type, browser version, operating system, device type, session logs, time zone, interaction behavior, in-site search and result logs, order history
  • Communication data: support inquiries, feedback, messages, technical requests and other correspondence
  • Consent and preference data: marketing preferences, event participation details, or other explicitly submitted consent preferences

4.2 Automatically Collected Data

When the Controller uses the BRADsearch Service, the following personal data may be collected and processed automatically:

  • Contact and Identifier Data: client ID, guest ID
  • Technical and System Usage Data:
    • IP address
    • Country, region, city (geolocation data)
    • Browser type and version
    • Device type (e.g., desktop, tablet, mobile)
    • Operating system
    • User agent string
    • Session logs
    • Date and time of actions taken on the platform
  • Behavioral and Browsing data:
    • Search queries entered and search results
    • Clicks and navigation paths
    • Products viewed, added to cart, purchased, and other engagement
    • Pages visited within the platform
    • History of first and last visit
  • E-commerce activity data:
    • Product catalog content, prices, categories, inventory metadata
    • Client-submitted inquiries and engagement with product listings

This data is used exclusively for service delivery and support purposes and may be pseudonymized or aggregated to improve service reliability, performance and personalization.

4.3 Personal Data Processed as a Processor

As part of the BRADsearch Service, the Processor may process personal data submitted by the Controller that belongs to the Controller's own customers, merchants, users, or third-party contacts. This may include:

  • Product catalog and metadata
  • End-user search queries, search results, clicks, navigation paths, products viewed, added to cart, purchased, and other engagement, history of first and last visit, or session behavior
  • End-user IP address, country, region, city (geolocation data), time zone, browser type and version, device type (e.g., desktop, tablet, mobile), operating system, user agent string, session logs, date and time of actions taken on the platform
  • Customer inquiries and transactional data
  • Interaction logs, feedback, or preferences

In these cases:

  • The Controller remains the data controller of such data.
  • The Processor acts as a data processor, handling data exclusively for the operation, maintenance, and improvement of the BRADsearch platform, in accordance with this DPA, applicable data protection laws, and recognized industry best practices.
  • The Processor shall not use such data for its own purposes - such as profiling, resale, or unrelated analytics - unless explicitly authorized in writing by the Controller. However, the Processor may analyze pseudonymized or aggregated data strictly to ensure and enhance the stability, performance, and security of the BRADsearch Service, without identifying individual data subjects or repurposing the data beyond platform improvement.
  • All processing remains subject to the terms, limitations, and safeguards outlined in this Data Processing Agreement (DPA).

4.4 Categories of Data Subjects

The personal data processed under this Agreement may relate to the following categories of individuals:

  • The Controller's employees or authorized representatives (e.g. platform administrators, technical users)
  • The Controller's customers or end-users (e.g. online store visitors, search users, or merchants)
  • Business partners or service providers engaging with the BRADsearch platform
  • Event participants or contacts provided by the Controller (e.g. training attendees or demo requesters)

5. Data Processing Purpose

The Processor shall process Personal Data only for the purposes described in this DPA and shall not process data beyond these purposes, except where required by law or explicitly authorized in writing by the Controller. This includes activities such as client support, security monitoring, and technical operations.

The Processor may process Personal Data only:

  • As necessary to deliver and enhance the Services.
  • For legitimate operational requirements, including security and support.
  • To comply with applicable legal obligations.

The Processor shall not use Personal Data for profiling, resale, or automated decision-making, unless explicitly instructed by the Controller in writing.

No processing shall take place beyond these purposes or outside the Controller's documented instructions.

The data processing purposes outlined herein are further supported by the publicly available BRADsearch Privacy Policy, which describes the Processor's general data handling practices in accordance with applicable law.

6. Data Protection and Party Obligations

6.1 General Obligations

Both Parties must ensure data is protected against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access - especially during electronic transmission. Each Party shall implement adequate technical and organizational measures in line with Article 32 of the GDPR.

6.2 Controller's Rights and Duties

  • The Controller shall provide lawful, clear, and documented instructions for processing. Such instructions must fall within the scope of the services defined in this DPA and may not extend or alter the Processor's role beyond the technical scope of the Services. The Processor shall not be obliged to comply with any instructions that it reasonably believes may breach applicable law. The Controller shall indemnify the Processor against any claims resulting from unlawful instructions.
  • The Controller warrants that all Personal Data shared with the Processor has been lawfully collected and may be processed for the stated purposes.
  • The Controller may audit the Processor's compliance with this DPA once per year, upon at least 30 days' prior written notice, and only during normal business hours. Additional audits shall be permitted only in case of a confirmed data breach or regulatory requirement. Audits shall be limited to the scope of data processing performed for the Controller, subject to confidentiality, and conducted at the Controller's expense.
  • The Controller shall be responsible for responding to and managing data subject requests unless otherwise agreed in writing.
  • Upon written request, the Processor shall provide information reasonably required for the Controller to maintain its records of processing activities under Article 30(1) of the GDPR, where applicable.

6.3 Processor's Obligations

  • The Processor shall process Personal Data solely as described in this DPA and in accordance with applicable data protection law and industry best practices. The Processor shall not be obliged to implement individualized or undocumented instructions unless explicitly agreed by both Parties in writing.
  • The Processor shall ensure that only authorized personnel bound by confidentiality obligations have access to Personal Data.
  • The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • The Processor shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of a personal data breach affecting the Controller's data.
  • The Processor shall provide reasonable assistance to the Controller in responding to data subject requests, solely where such requests relate to processing activities carried out by the Processor and where the Controller lacks the technical means. Such assistance shall not include direct communication with data subjects unless explicitly agreed in writing by both Parties. Upon written request, the Processor shall also provide the Controller with information required to maintain records of processing activities in accordance with Article 30(1) of the GDPR, where applicable.
  • The Processor may engage Sub-processors as permitted under this DPA, and remains responsible for their performance.
  • The Processor shall delete or return personal data after the end of the processing, unless retention is required by law.
  • The Processor shall provide relevant information reasonably necessary to demonstrate compliance upon written request, but may limit or redact proprietary or security-sensitive information.
  • Any audits must be limited to data processing relevant to the Controller, and conducted under strict confidentiality obligations at the Controller's expense.
  • Upon written request, the Processor shall provide information required to maintain the Controller's records under Article 30(1) of the GDPR, where applicable.

7. Data Processing Principle

Processing must follow the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality. Any further instructions regarding security or privacy become binding upon effect.

8. Disclaimer Of Liability

The Processor shall only be liable for damages directly resulting from its proven gross negligence or willful misconduct in performing obligations under this DPA.

The Controller remains solely and fully responsible for:

  • the lawfulness of Personal Data provided,
  • the accuracy and quality of such data,
  • the lawfulness of processing purposes and instructions given to the Processor.

The Processor shall not be liable for any processing performed in accordance with the Controller's instructions.

The Controller shall indemnify and hold harmless the Processor against any third-party claims, regulatory actions, fines, or damages arising out of:

  • unlawful or inaccurate data supplied by the Controller,
  • instructions that violate applicable law,
  • the Controller's breach of GDPR or this Agreement.

Where the Processor engages a Sub-processor, it shall ensure compliance with GDPR Article 28 requirements. The Processor shall only be liable for Sub-processors to the extent required by GDPR and shall not assume broader liability for their independent acts or omissions.

Limitation of Liability: Except for cases of gross negligence, willful misconduct, or mandatory liability under applicable law, the Processor's total cumulative liability under this Agreement shall in no event exceed the total fees paid by the Controller to the Processor for the Services in the twelve (12) months preceding the event giving rise to liability.

9. Confidentiality And Data Protection

Confidentiality: Each Party shall treat all personal data and other confidential information as strictly confidential and shall not disclose it to third parties without prior written consent, unless required by law.

Authorized Access: The Processor shall ensure only authorized personnel with a need-to-know basis have access to personal data, and that they are subject to confidentiality obligations.

Survival: The confidentiality obligations under this clause shall survive the termination of this DPA.

10. Sub-Processing

The Processor may engage Sub-processors to support the delivery and operation of the BRADsearch services, including for infrastructure, analytics, or related functionalities.

A list of current Sub-processors is maintained in Appendix A. The Controller hereby authorizes use of the listed Sub-processors.

The Processor shall notify the Controller in writing at least 15 calendar days before appointing any new or replacement Sub-processor. The Controller may object to a new Sub-processor only on reasonable, documented grounds relating to data protection. If such objection is not raised within the notice period, the new Sub-processor shall be deemed accepted. If an objection is raised, the Parties shall cooperate in good faith to find a suitable solution. If no agreement is reached, the Controller may terminate the affected service in writing, with thirty (30) days' notice.

The Processor shall enter into a written agreement with each Sub-processor that imposes obligations substantially equivalent to those in this DPA, especially ensuring compliance with Article 28 of the GDPR.

The Processor shall remain fully liable for the acts and omissions of its Sub-processors to the same extent it would be liable if performing the services directly.

Any international transfer of personal data by a Sub-processor outside the European Economic Area shall comply with applicable data protection laws, including appropriate safeguards such as Standard Contractual Clauses or adequacy decisions under Chapter V of the GDPR.

11. Security Measures

The Processor shall implement appropriate technical and organizational measures to protect personal data, as required under Article 32 of the GDPR. These include, where applicable:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Activity logging and monitoring
  • Regular system updates and vulnerability checks
  • Pseudonymization or anonymization where feasible

The Processor shall ensure only authorized personnel have access to personal data and that they are bound by confidentiality obligations.

12. Personal Data Breaches

The Processor shall notify the Controller without undue delay, and in any case within 48 hours of becoming aware of a personal data breach affecting the Controller's data.

The notification shall include, to the extent available:

  • a description of the nature of the breach;
  • the categories and approximate number of data subjects and data records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its effects.

Where complete information cannot be provided within 48 hours, the Processor shall provide the available details and supplement the notification as soon as further information becomes available.

The Processor shall cooperate fully with the Controller to support compliance with the Controller's obligations under Articles 33 and 34 of the GDPR, including assisting with communications to supervisory authorities and affected data subjects where required.

13. Return or Deletion of Data

Upon termination or expiry of the Services, the Processor shall, at the Controller's choice, either return or securely delete all personal data processed on behalf of the Controller, unless applicable law requires longer retention.

Unless otherwise agreed in writing, the Processor shall retain the data for up to one (1) year after termination for the sole purposes of potential reactivation, audit, or legal defense. After this period, all personal data shall be securely and irreversibly deleted.

If the Controller requests earlier deletion or data return, the Processor shall fulfill such request within thirty (30) days, provided no legal obligation prevents it.

Deletion shall be carried out using appropriate technical means, and confirmation shall be provided to the Controller upon written request.

14. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Republic of Lithuania. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Kaunas, Lithuania, unless otherwise agreed by the Parties in writing.

15. Miscellaneous

If any provision of this DPA is found to be invalid or unenforceable, the remainder shall remain valid and enforceable.

This DPA may only be amended by a written agreement signed or confirmed by both Parties.

This DPA becomes effective upon acceptance of the BRADsearch General Terms and Conditions of Service or upon mutual signature, as applicable.

No partnership, joint venture, or agency is created by this DPA.

16. Contact Information

For any questions or concerns regarding this Data Processing Agreement (DPA), please contact our support or:

Email: legal@invertus.eu

Address: K. Donelaičio g. 62-522, LT-44248 Kaunas, Lithuania

Appendix A – Authorized Sub-Processors

Last updated: September 10, 2025

This Appendix forms an integral part of the Data Processing Agreement ("DPA") between the Controller and UAB Invertus ("Processor").

The following third-party service providers are authorized by the Controller to act as Sub-Processors, assisting the Processor in delivering the BRADsearch services. All Sub-Processors are bound by written agreements ensuring substantially similar data protection obligations as set out in the DPA and in compliance with Article 28 of the GDPR.

| Sub-Processor | Purpose | Location | Website |
|---|---|---|---|
| DigitalOcean, LLC | Hosting, Infrastructure Provider | EU | https://www.digitalocean.com |
| Amazon Web Services, Inc. | Infrastructure Provider | Ireland | https://aws.amazon.com |
| Google, Inc. | Email, Product Analytics | USA | https://gsuite.google.com, https://analytics.google.com |
| Attio | CRM / Data Relationship Platform | UK | https://www.attio.com |
| Slack Technologies, Inc. | Team Communication Platform | USA | https://www.slack.com |
| Microsoft Corporation | Office Software Suite | USA | https://www.microsoft.com |
| Atlassian, Inc. | Support Communication Platform, Project Management Platform | USA | https://www.atlassian.com |
| Stripe, Inc. | Payment Provider | USA | https://www.stripe.com |
| Mixpanel, Inc. | Analytics Platform | USA | https://mixpanel.com/ |