
Data Processing Addendum

A template DPA customers can countersign. Covers controller and processor roles, security measures, sub-processors, international transfers, and breach notification.

Last updated: April 23, 2026

Public position

GDPR-ready. SCCs referenced. 72h breach SLA.

Contact: contact@saliencylab.com

Review, countersign, or request a redlined version. We can also execute your standard DPA on reasonable request.

Addendum

1. Parties and definitions

This Data Processing Addendum ("DPA") is entered into between Customer ("Controller") and SaliencyLab, operated by Oussama Nakhil ("Processor"), and forms part of the agreement covering Customer's use of the Service (whether the public Terms of Service or a signed MSA / Order Form).

Definitions ("personal data", "data subject", "processing", "controller", "processor", "sub-processor", "supervisory authority") have the meanings set out in the EU General Data Protection Regulation 2016/679 ("GDPR") and, where applicable, the UK GDPR and Moroccan Law 09-08.

2. Roles of the parties

Customer is the Controller of personal data processed through the Service. SaliencyLab is the Processor, acting only on documented instructions from Customer.

For limited operational activities (billing, abuse prevention, service analytics, security monitoring) SaliencyLab acts as an independent controller for its own minimal processing of personal data such as account email addresses.

3. Scope and subject matter of processing

Subject matter: provision of the SaliencyLab SaaS creative intelligence platform.

Duration: the term of the underlying agreement plus the retention periods stated in Section 11.

Nature and purpose: processing uploaded advertising creative and user account data to deliver scoring, benchmarking, reporting, and related workspace features.

4. Categories of data and data subjects

Data subjects include Customer's authorized users (employees, contractors) and any individuals depicted in or identifiable from uploaded creative assets.

Categories of personal data processed:

  • Account data: email, name, organization, authentication identifiers.
  • Billing metadata: subscription state, plan tier (full payment details held by Stripe).
  • Customer Content: uploaded images and videos, which may include images of individuals.
  • Usage telemetry: pageviews, feature clicks, pipeline timings, error events.
  • Support correspondence and any data voluntarily included in support requests.

5. Processor obligations

SaliencyLab will:

  • Process personal data only on Customer's documented instructions, including for international transfers.
  • Ensure personnel with access to personal data are bound by confidentiality obligations.
  • Implement and maintain the technical and organizational measures described in Section 7.
  • Assist Customer in responding to data subject rights requests (Section 9) and in meeting Customer's obligations under Articles 32–36 GDPR.
  • Notify Customer without undue delay (and within 72 hours) after becoming aware of a personal data breach affecting Customer Content.
  • At Customer's choice, delete or return personal data at the end of the Service, and delete existing copies unless retention is required by law.
  • Make available the information necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and security controls.

6. Sub-processors

Customer grants a general authorization for SaliencyLab to use the sub-processors listed at /legal/sub-processors. The current list includes service, purpose, region, and data categories involved.

SaliencyLab will notify Customer of any intended change to the sub-processor list (addition or replacement) at least 30 days in advance via the sub-processors page and/or email to the account owner. Customer may object for legitimate data-protection reasons; if the parties cannot agree on a reasonable accommodation, Customer may terminate the Service for convenience without penalty for the unused prepaid term.

SaliencyLab imposes data-protection obligations on each sub-processor substantively equivalent to those in this DPA.

7. Security measures

SaliencyLab applies the following technical and organizational measures, updated from time to time in line with evolving best practice:

  • Encryption in transit (TLS 1.3) and at rest (AES-256 via managed Supabase Postgres and Storage).
  • Short-lived signed URLs for creative asset access (15-minute TTL).
  • Row-level security (RLS) policies enforcing workspace and tenant isolation at the database layer.
  • Role-based access inside the product (owner / admin / editor / viewer) and audit logging for privileged operations (e.g. pro_override).
  • Least-privilege access to production systems; unique named accounts; MFA for administrative access.
  • Secrets management via environment variables and platform-level secret stores; no secrets in source control.
  • Regular dependency updates, automated vulnerability scanning, and independent penetration testing (most recent pass: April 2026).
  • Separate staging and production environments; change-management via version control and code review.
  • Daily encrypted database backups; documented recovery procedures.

8. International transfers

Primary data storage (Supabase Postgres and Storage) is located in the European Union (Frankfurt, DE). Some sub-processors are based in the United States (Vercel, Stripe, Resend, PostHog, Sentry) or process data internationally.

EU → non-EU/EEA transfers: covered by the European Commission Standard Contractual Clauses (SCCs), Commission Implementing Decision (EU) 2021/914 of 4 June 2021. For transfers from Customer (Controller) to SaliencyLab (Processor in Morocco), Module 2 applies. For onward transfers from SaliencyLab to downstream sub-processors acting as processors, Module 3 applies. The SCCs are incorporated into this DPA by reference; executing this DPA constitutes execution of the SCCs.

UK → non-UK transfers: covered by either (a) the UK International Data Transfer Agreement (IDTA), or (b) the UK Addendum to the EU SCCs issued by the ICO under s.119A of the Data Protection Act 2018, at the Controller's election.

Morocco is not currently on the European Commission's adequacy list. Accordingly, EU → Morocco transfers rely on the SCCs plus the supplementary measures in §7 (encryption in transit and at rest, RLS isolation, short-lived signed URLs, named-account access controls).

Morocco → non-adequate jurisdictions: subject to prior authorization from the Moroccan CNDP under Article 43 of Law n° 09-08. SaliencyLab will file the required cross-border authorization before initiating onward transfers of Moroccan data subjects' personal data.

Transfer Impact Assessments: SaliencyLab has carried out TIAs for primary US-based sub-processors assessing the risk of third-country-authority access, the effectiveness of supplementary measures, and the availability of redress. Summaries are available on reasonable written request to dpa@saliencylab.com subject to confidentiality.

9. Data subject rights

SaliencyLab will assist Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection, automated decision-making).

Data subjects can contact SaliencyLab directly at contact@saliencylab.com; where the request relates to Customer Content, SaliencyLab will forward it to Customer without undue delay.

10. Breach notification

SaliencyLab will notify the Customer account owner by email without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Content.

The notification will describe the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address it and mitigate adverse effects.

11. Deletion and return of data

On termination or expiry of the Service, or at Customer's request during the term, SaliencyLab will:

  • Delete Customer Content and personal data from active systems within 30 days, except where retention is required by law (for example, invoicing records for tax purposes).
  • Delete or overwrite backups containing the data according to the backup rotation schedule (no longer than 90 days).
  • On request, provide Customer with a reasonable export of Customer Content in a commonly used, machine-readable format before deletion.

12. Audits

SaliencyLab will make available to Customer, on reasonable request, information necessary to demonstrate compliance with this DPA (for example, current security summary, sub-processor list, and pentest summary).

For deeper audit needs beyond the information made available, Customer may request (not more than once per year, subject to reasonable notice and cost-sharing) either (a) a written response to a documented security questionnaire, or (b) a remote audit scoped to the relevant processing activities and subject to confidentiality.

13. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the underlying agreement (Terms of Service or MSA / Order Form).

14. Order of precedence and conflicts

In case of conflict between this DPA and the underlying agreement concerning the processing of personal data, this DPA prevails. For all other matters, the underlying agreement prevails.

15. Governing law

This DPA is governed by the same law as the underlying agreement (Moroccan law, as stated in /terms §13) and, where the SCCs are incorporated, by the law chosen in Clause 17 of the SCCs (which, when Module 2 applies to a controller in an EU Member State, is typically the law of that Member State).

Mandatory provisions of the EU GDPR, UK GDPR, and Moroccan Law n° 09-08 continue to apply regardless of the governing-law choice. The CNDP, the ICO, and the EU/EEA national supervisory authorities retain their respective competences.

16. Signatures

Customer may countersign this DPA by executing a separate signature page referencing this URL and version date, or by incorporating this DPA into a signed Order Form or MSA. SaliencyLab's agreement is evidenced by the publication of this DPA at saliencylab.com/dpa.

Customer wishing to countersign: send a PDF export of this page plus a short signature block ("Customer Name, Signatory Name, Title, Date") to contact@saliencylab.com. We will return a counter-signed version for your records.
