Data Processing Agreement

Last updated: March 21, 2026

This legal document is available in English only. Translated versions are provided for convenience and are not legally binding.

This Data Processing Agreement ("DPA") forms part of the agreement between the entity agreeing to these terms ("Controller" or "Customer") and lnk24co Inc. ("Processor" or "lnk24co") for the provision of the lnk24co services (the "Services"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU 2016/679) ("GDPR") and supplements the Terms of Service and Privacy Policy.

1. Definitions

In this DPA, the following terms have the meanings set out below, unless the context requires otherwise:

  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under this DPA, the Customer acts as the Controller.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. Under this DPA, lnk24co acts as the Processor.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to a Data Subject, as defined by applicable Data Protection Laws.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor (or by any subsequent Sub-processor) to process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including the GDPR, the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any other applicable data protection legislation.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope and Purpose

The Customer acts as the Controller of Personal Data, and lnk24co acts as the Processor. lnk24co will process Personal Data solely on behalf of and in accordance with the documented instructions of the Controller, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

This DPA applies to all Processing of Personal Data by lnk24co in the course of providing the Services to the Customer.

3. Processing Details

The following describes the Processing activities carried out under this DPA:

  • Subject Matter: Provision of the lnk24co link management, URL shortening, analytics, bio pages, and related services as described in the Terms of Service.
  • Duration: For the duration of the Customer's use of the Services, plus any post-termination retention period as described in Section 10 of this DPA.
  • Nature and Purpose of Processing: Processing of Personal Data as necessary to provide the Services, including link creation and management, click tracking and analytics reporting, user account management, team collaboration features, billing and payment processing, and customer support.
  • Types of Personal Data: Names, email addresses, IP addresses, browser and device information (user-agent strings, screen resolution), geolocation data (country and city level derived from IP addresses), referrer URLs, click timestamps and interaction data, account credentials (stored in hashed form), billing information (processed through Stripe), and any other Personal Data the Customer chooses to process through the Services.
  • Categories of Data Subjects: The Customer's end users and website visitors who interact with shortened links, the Customer's employees and team members who use the Services, and any other individuals whose Personal Data is processed through the Services at the direction of the Customer.

4. Obligations of the Processor

lnk24co, as the Processor, shall:

  • Documented Instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
  • Confidentiality: Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security Measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.
  • Sub-processor Obligations: Comply with the conditions set out in Section 5 regarding the engagement of Sub-processors.
  • Data Subject Rights: Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
  • Assistance with Compliance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
  • Deletion or Return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Audit Rights: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits are subject to at least 30 days' written notice, shall be conducted during normal business hours, and are limited to one per calendar year unless a Data Breach or regulatory investigation necessitates an additional audit. In lieu of an on-site audit, lnk24co may provide SOC 2 Type II audit reports, penetration test summaries, and other relevant compliance documentation.

5. Sub-processors

The Controller provides general written authorization to the Processor to engage Sub-processors for the Processing of Personal Data, subject to the following conditions:

  • The Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA.
  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, providing the Controller with at least 30 days' prior written notice before engaging any new Sub-processor.
  • The Controller shall have a 30-day objection period from the date of notification to object to the appointment of a new Sub-processor on reasonable data protection grounds. If the Controller objects, lnk24co will make commercially reasonable efforts to provide an alternative solution. If no alternative is available, the Controller may terminate the affected Services without penalty.
  • The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations under the sub-processing agreement.

The following Sub-processors are currently engaged:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud hosting and infrastructure | US, EU regions
Stripe | Payment processing and billing | United States
Postmark | Transactional email delivery | United States
Cloudflare | CDN, DDoS protection, and DNS | Global
ClickHouse Cloud | Analytics data processing | US, EU regions

6. International Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area (EEA), the United Kingdom, or Switzerland. For any such transfer, the Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): European Commission Standard Contractual Clauses, Module 2 (Controller to Processor) and Module 3 (Processor to Sub-processor) as applicable, adopted pursuant to Commission Implementing Decision (EU) 2021/914.
  • EU-US Data Privacy Framework: Where applicable, reliance on the EU-US Data Privacy Framework certification for transfers to certified US organizations.
  • UK Addendum: The UK International Data Transfer Addendum to the EU SCCs, where applicable for transfers subject to UK data protection law.
  • Supplementary Measures: Transfer Impact Assessments and supplementary technical and organizational measures, including encryption in transit and at rest, access controls, and pseudonymization where feasible.

7. Security Measures

The Processor shall implement and maintain the following technical and organizational security measures (equivalent to GDPR Annex II requirements) to protect Personal Data:

  • Encryption at Rest: All Personal Data is encrypted at rest using AES-256 encryption.
  • Encryption in Transit: All data in transit is encrypted using TLS 1.3.
  • Access Controls: Role-based access controls (RBAC), multi-factor authentication for all personnel with access to production systems, and enforcement of the principle of least privilege.
  • Logging and Monitoring: Comprehensive audit logging of access to Personal Data, 24/7 security monitoring, intrusion detection systems, and automated alerting for anomalous activity.
  • Vulnerability Management: Regular vulnerability scanning, penetration testing at least annually, and timely application of security patches.
  • Incident Response: Documented incident response procedures with defined roles, escalation paths, and communication protocols. Response initiated within 72 hours as detailed in Section 8.
  • Physical Security: Production systems are hosted in SOC 2 Type II certified data centers with physical security controls, redundant power, and environmental monitoring.
  • Employee Measures: All employees with access to Personal Data receive regular security awareness training, are subject to background checks, and are bound by confidentiality obligations.
  • Backups: Regular encrypted backups with tested recovery procedures and geographically separated storage.

8. Data Breach Notification

In the event of a Data Breach involving Personal Data processed on behalf of the Controller, the Processor shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach, to enable the Controller to comply with its notification obligations under Article 33 of the GDPR.
  • Provide the Controller with the following information as part of the notification (or, where not all information is available at the time of initial notification, in phases without further undue delay):
    • A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned
    • The name and contact details of the Processor's data protection contact point
    • A description of the likely consequences of the Data Breach
    • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects
  • Take immediate steps to contain, investigate, and remediate the Data Breach.
  • Cooperate with the Controller in notifying affected Data Subjects and supervisory authorities as required by applicable Data Protection Laws.
  • Document all Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken.

9. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of the Processing and the information available to the Processor.

10. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of the Services. Upon termination or expiry of the Services:

  • The Processor shall, at the Controller's written election, either return all Personal Data to the Controller in a structured, commonly used, machine-readable format, or delete all Personal Data, within 30 days of termination. The Controller must make this election before the expiry of the 30-day period.
  • The Processor shall certify in writing that all Personal Data has been deleted upon the Controller's request, unless retention is required by applicable law.
  • Provisions that by their nature should survive termination shall survive, including confidentiality, liability, and audit rights for a period of 12 months following termination.

11. Liability

Each party's total aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Terms of Service.

In no event shall the Processor's total aggregate liability under this DPA exceed the greater of (a) the amounts paid by the Controller to the Processor in the twelve (12) months preceding the claim, or (b) the liability cap specified in the Terms of Service.

The Processor shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data (beyond its obligations under this DPA), or business opportunity, however caused and regardless of theory of liability.

Nothing in this section shall limit a party's obligations under applicable Data Protection Laws that cannot be limited by contract, or a party's liability for fraud, gross negligence, or willful misconduct.

12. Contact

For questions about this Data Processing Agreement or to exercise any rights under it, please contact us at: