UTE DATA PROCESSING AGREEMENT (DPA)

Between:

UnLock’d Holdings, LLC and Its Subsidiaries (including UnLock’d Training Ecosystem, LLC) (“Processor” or “Company”)

and

Client (“Controller”)

Effective Date: 11.15.2025

Governing Law: Delaware (United States)

Arbitration: AAA Arbitration – Wilmington, Delaware

This Data Processing Agreement (“DPA”) governs the processing of Personal Data by the Company on behalf of the Client, in accordance with GDPR, CPRA, and other applicable privacy laws. This DPA forms part of the Terms of Service or Master Services Agreement between the Parties (“Agreement”).

1. Definitions

• “Controller” means the entity that determines the purposes and means of processing Personal Data.

• “Processor” means UnLock’d Holdings, LLC and its subsidiaries, including UnLock’d Training Ecosystem, LLC.

• “Personal Data” means any information relating to an identified or identifiable natural person.

• “Sub-Processor” means any third party engaged by Processor to assist in processing Personal Data.

• “Applicable Laws” includes GDPR, CPRA/CCPA, and other privacy regulations.

• “TOMs” means technical and organizational security measures.

2. Roles and Responsibilities

The Client is the Controller.

The Company is the Processor, acting solely on documented instructions from the Client. Processor will not process Personal Data for its own purposes, nor sell or share Personal Data for cross-context behavioral advertising.

3. Purpose of Processing

Processor processes Personal Data strictly for:

• AI-assisted course development.

• Digital learning content creation.

• Mentorship program automation.

• Learning analytics and reporting.

• Professional development workflows.

• Platform administration and technical support.

Processor shall not process data for any purpose not authorized by the Controller.

4. Sub-Processing

Processor may engage Sub-Processors only as listed in Annex A. Processor will:

1. Notify Client 30 days in advance of adding or replacing a Sub-Processor.

2. Ensure Sub-Processors are bound by written obligations equivalent to this DPA.

3. Remain fully liable for Sub-Processors’ actions.

5. Technical and Organizational Measures (TOMs)

Processor maintains TOMs aligned with:

• SOC 2 Type II security principles.

• ISO 27001 standards.

• Secure encryption (AES-256 at rest, TLS 1.2+ in transit).

• Access controls based on least privilege.

• Multifactor authentication.

• Network segmentation.

• Regular penetration testing.

• Data minimization and secure deletion procedures.

• Vendor security review framework.

A full TOMs description may be provided upon request.

6. Confidentiality

All personnel of the Processor and Sub-Processors are bound to strict confidentiality obligations and undergo security training.

7. Data Subject Rights

Processor will assist the Client in fulfilling requests under GDPR/CPRA, including:

• Access

• Erasure

• Rectification

• Objection

• Opt-out of sale/sharing (as applicable)

• Data portability

Processor shall not respond to requests directly unless legally required.

8. International Transfers

If Personal Data is transferred outside the originating jurisdiction:

• Processor will implement Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

• Adequate safeguards will be applied.

9. Data Breach Notification

Processor shall notify Client within 72 hours of confirming any Personal Data breach, including:

• Description of incident

• Categories of affected data subjects

• Remediation steps taken

• Recommendations for mitigation

Processor will cooperate fully with audits and regulatory inquiries related to the breach.

10. Audit Rights

Client may conduct a privacy or security audit:

• No more than once every 12 months,

• With 30 days’ written notice,

• During normal business hours,

• At Client’s cost unless a breach or legal requirement triggers additional audits.

11. Data Deletion and Retention

Upon termination of the Agreement:

• Processor will delete or return Client Personal Data within 90 days, unless legally required to retain it.

• Backups will be overwritten on a standard rolling basis.

12. Liability

Processor’s aggregate liability under this DPA is limited to the amount paid under the Agreement in the preceding twelve (12) months, except where prohibited by law.

13. Governing Law and Dispute Resolution

This DPA is governed by the laws of the State of Delaware.

Any dispute will be resolved by binding AAA arbitration in Wilmington, Delaware.

14. Term and Termination

This DPA remains in effect so long as Processor processes Personal Data on behalf of Client.

ANNEX A — AUTHORIZED SUB-PROCESSORS

The following vendors may process Personal Data on behalf of the Processor:

AI & Content Creation Providers

• Pete

• Synthesia

• HeyGen

• Colossyan

Learning Platforms

• LearnWorlds

• Absorb LMS (via Together Platform)

• Storyy (video editing automation)

Operational Tools

• ClickUp (project management)

• Zapier / Make (automation workflows)

• Google Workspace

• Microsoft 365

Infrastructure Providers

• Amazon Web Services (AWS)

• Google Cloud Platform (GCP)

Processor will update this list with 30-day notice before adding new vendors.

ANNEX B — Description of Processing

Nature: AI-enabled content creation, training development, hosting, analytics

Duration: Term of Agreement

Types of Data: names, emails, roles, performance data, course engagement, uploaded materials

Data Subjects: Client employees, learners, contractors