DATA PROCESSING ADDENDUM

Last Updated: MARCH 19, 2026

01

Definitions

For the purposes of this Data Processing Addendum ("DPA"):

  • "Controller" — the customer who determines the purposes and means of processing personal data through the Service.
  • "Processor" — Mygom.tech, MB, which processes personal data on behalf of the Controller.
  • "Sub-processor" — a third party engaged by the Processor to process personal data.
  • "Data Subject" — an identified or identifiable natural person whose personal data is processed.
  • "Personal Data" — any information relating to a Data Subject.
  • "Processing" — any operation performed on personal data, including collection, storage, use, and deletion.
  • "GDPR" — Regulation (EU) 2016/679 of the European Parliament and of the Council.
02

Scope & Roles

This DPA applies to the processing of personal data by Mygom.tech, MB (Processor) on behalf of the customer (Controller) in connection with the Mygom SEO service.

The Processor processes personal data as necessary to provide website analysis, SEO auditing, content generation, and related services. The categories of data processed include website content, URLs, domain data, and any personal data contained within the websites submitted for analysis.

This DPA is incorporated into and subject to our Terms of Service.

03

Processing Instructions

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or member state law.
  • Inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other applicable data protection law.
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
04

Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 10 (Data Security) of our Privacy Policy.

These measures include but are not limited to:

  • Encryption of data in transit (TLS) and at rest
  • Secure password hashing (argon2)
  • Access controls and principle of least privilege
  • Regular security assessments and updates
  • Incident response procedures
05

Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. A current list of sub-processors is maintained at our Sub-Processors List page.

The Processor shall:

  • Provide at least 15 days' advance notice before adding or replacing a sub-processor.
  • Ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
  • Remain fully liable for the acts and omissions of its sub-processors.

If the Controller objects to a new sub-processor within 14 days of notice, the parties shall work together to find a reasonable resolution.

06

Data Subject Requests

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, and objection).

The Processor shall respond to the Controller's assistance requests within 10 business days. If the Processor receives a request directly from a data subject, it shall promptly redirect the request to the Controller.

07

Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
  • Provide sufficient information to enable the Controller to meet its notification obligations to supervisory authorities and data subjects.
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
08

Data Deletion

Upon termination of the Service agreement, the Processor shall:

  • Delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.
  • Provide written confirmation of deletion upon the Controller's request.
  • Retain payment and tax records for 7 years as required by Lithuanian law, with access restricted to authorized personnel.
09

Audit Rights

The Controller has the right to verify the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance with GDPR Article 28.
  • Allow and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits shall be conducted remotely where possible, with at least 30 days' advance written notice, and no more than once per year unless required by a supervisory authority.

10

International Data Transfers

Where personal data is transferred outside the European Economic Area, the Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) as approved by the European Commission.
  • Reliance on adequacy decisions where applicable.
  • The EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations.

For more information about international transfers, see Section 7 of our Privacy Policy.

11

Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

Nothing in this DPA limits either party's liability for breaches of data protection law to the extent that such limitation is not permitted by applicable law.

12

Term & Termination

This DPA shall remain in effect for the duration of the Controller's subscription to the Service (co-terminous). The DPA shall automatically terminate when the underlying service agreement ends, subject to the data deletion obligations in Section 8.

Obligations relating to confidentiality and data protection shall survive termination of this DPA.

13

Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Republic of Lithuania. Any disputes arising from this DPA shall be subject to the dispute resolution provisions in our Terms of Service.

For data protection matters, the competent supervisory authority is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) of Lithuania.

14

Contact Us

For questions about this DPA or to exercise data protection rights, please contact us using the information below.

  • Data Protection Contact: Mygom.tech, MB
  • Email: info@mygom.tech
  • Address: Chemijos g. 27C-62, LT-51332 Kaunas, Lithuania