Data Processing Agreement

Between Articulation, LLC ("Processor") and Customer ("Controller")

Version: 1.0 — Effective 2026-05-15

This Data Processing Agreement is incorporated by reference into Articulation's Terms of Service (the "Principal Agreement") and applies to all customers, whether on a paid or free plan, for whom Articulation processes Personal Data.

1. Background

1.1. The Controller and Articulation, LLC, a Florida limited liability company with its registered address at 160 W Camino Real Unit #997, Boca Raton, FL 33432, United States ("Articulation"), have entered into the Principal Agreement under which Articulation provides the Articulation website-builder and hosting platform, including integrated commerce functionality (the "Service").

1.2. In the course of providing the Service, Articulation processes Personal Data on behalf of the Controller. This Data Processing Agreement (the "DPA") sets out the terms on which that processing occurs and forms an integral part of the Principal Agreement.

1.3. In the event of any conflict between this DPA and the Principal Agreement on any matter relating to the processing of Personal Data, this DPA prevails.

2. Definitions

2.1. Terms used but not defined in this DPA have the meanings given to them in the GDPR. In particular:

"GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation) and, where applicable, the UK GDPR as incorporated by the Data Protection Act 2018.
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given in Article 4 GDPR.
"Customer Personal Data" means Personal Data that Articulation processes on behalf of the Controller under the Principal Agreement, as further described in Annex I.
"Subprocessor" means any third party engaged by Articulation to process Customer Personal Data.
"SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
"Data Protection Laws" means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and any other applicable data protection or privacy laws.

3. Scope and Roles

3.1. Roles. With respect to Customer Personal Data, the Controller is the controller and Articulation is the processor.

3.2. Customer's data subjects. The Controller is itself the controller of Personal Data relating to (a) end-users and visitors of websites the Controller operates using the Service, and (b) end-customers who place orders through the Controller's stores hosted on the Service. Articulation processes such data only as a processor on the Controller's behalf.

3.3. Articulation's own data. Articulation acts as an independent controller with respect to Personal Data it processes about the Controller itself (e.g., account registration information, billing data, support communications). The processing of such data is governed by Articulation's Privacy Policy and is outside the scope of this DPA.

3.4. Compliance. Each party will comply with its respective obligations under Data Protection Laws.

4. Processing of Personal Data

4.1. Documented instructions. Articulation will process Customer Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law to which Articulation is subject. The Principal Agreement, this DPA, and the Controller's use of the Service (including its configuration choices) constitute the Controller's documented instructions.

4.2. Out-of-scope instructions. If Articulation believes that an instruction from the Controller infringes Data Protection Laws, Articulation will inform the Controller without undue delay and may suspend the relevant processing until the instruction is confirmed, modified, or withdrawn.

4.3. Purpose limitation. Articulation will not process Customer Personal Data for any purpose other than (a) providing the Service in accordance with the Principal Agreement, (b) complying with applicable law, or (c) as otherwise instructed in writing by the Controller.

4.4. Annex I. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex I.

5. Security

5.1. Technical and organizational measures. Articulation will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to Data Subjects. Articulation's current measures are described in Annex II.

5.2. Updates. Articulation may update its security measures from time to time, provided that such updates do not materially reduce the overall level of protection of Customer Personal Data.

6. Confidentiality of Personnel

6.1. Articulation will ensure that any person authorized to process Customer Personal Data is bound by a contractual or statutory obligation of confidentiality and has received appropriate training on data protection.

6.2. Access to Customer Personal Data is limited to personnel who require such access to perform their duties.

7. Subprocessors

7.1. General authorization. The Controller grants Articulation general written authorization to engage Subprocessors to process Customer Personal Data, subject to this Section 7.

7.2. Current Subprocessors. Articulation's current Subprocessors are listed in Annex III.

7.3. Notice of changes. Articulation will notify the Controller of any intended addition or replacement of a Subprocessor at least 30 days in advance, giving the Controller the opportunity to object on reasonable data-protection grounds. Notice may be given by updating the published Subprocessor list (maintained on Articulation's website alongside the Privacy Policy and Terms of Service, at the URL notified to Customers and linked from the Terms of Service) and/or by email to the Controller's account contact.

7.4. Objection. If the Controller objects on reasonable data-protection grounds within 15 days of notice, the parties will work in good faith to find a mutually acceptable resolution. If no resolution is reached, the Controller may terminate the affected portion of the Service or, where the affected functionality is integral to the Service, the entire Service, in either case without penalty and with a pro-rata refund of any prepaid fees for the terminated portion.

7.5. Subprocessor obligations. Articulation will impose on each Subprocessor, by written contract, data protection obligations no less protective than those set out in this DPA. Articulation remains fully liable to the Controller for the performance of each Subprocessor's obligations.

8. Assistance with Data Subject Rights

8.1. Taking into account the nature of the processing, Articulation will assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection).

8.2. The Service includes self-service functionality enabling the Controller to access, export, rectify, and delete Customer Personal Data within its account. Where additional assistance is required, Articulation will provide reasonable cooperation, and may charge a reasonable fee for assistance that is excessive or manifestly unfounded.

8.3. If Articulation receives a request directly from a Data Subject relating to Customer Personal Data, Articulation will, unless legally prohibited, promptly forward the request to the Controller and will not respond except on the Controller's instructions.

9. Personal Data Breach

9.1. Articulation will notify the Controller of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it, and in any event within 72 hours.

9.2. The notice will, to the extent known and as the information becomes available, include:

(a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
(b) the likely consequences of the breach;
(c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and
(d) the contact details of a person from whom further information can be obtained.

9.3. Articulation will provide reasonable assistance to the Controller in connection with the Controller's obligations under Articles 33 and 34 GDPR. Notification of, or response to, a Personal Data Breach by Articulation will not be construed as an acknowledgment of fault or liability.

10. Data Protection Impact Assessments

10.1. Taking into account the nature of the processing and the information available to Articulation, Articulation will provide reasonable assistance to the Controller with any data protection impact assessment and any prior consultation with a Supervisory Authority that the Controller is required to carry out under Articles 35 and 36 GDPR.

11. Deletion or Return

11.1. The Controller's standing right to deletion or return. The Controller has a standing right, exercisable at any time during the term and at or after termination or expiry of the Principal Agreement, to require Articulation to delete or return Customer Personal Data and to delete existing copies, unless Union or Member State law requires storage of the Personal Data. Articulation will give effect to such a documented request within 30 days of receiving it, or such shorter period as is reasonable given the circumstances (including where required by a Supervisory Authority or where the request arises from a Personal Data Breach).

11.2. Retention absent a request. Unless and until the Controller exercises the right in Section 11.1, Articulation does not automatically delete Customer Personal Data on termination. The Controller's right under Section 11.1 continues to be exercisable after termination for as long as Articulation holds the data. Certain assets are purged automatically 90 days after termination as part of routine housekeeping.

11.3. Backups and logs. Customer Personal Data contained in routine backups and operational logs is retained for up to 90 days and will remain protected by the security measures in Annex II until deletion.

12. Audits

12.1. Articulation will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

12.2. Audit reports. Articulation will satisfy its audit obligations by making available, on request and subject to confidentiality undertakings, its most recent third-party audit reports and certifications (e.g., SOC 2, ISO 27001) where these exist, together with a written response to a reasonable security questionnaire.

12.3. On-site audits. Where the information referred to in Section 12.2 is insufficient, the Controller may, on at least 30 days' prior written notice and no more than once per twelve months (except following a Personal Data Breach or at the documented request of a Supervisory Authority), cause an audit to be conducted, subject to the following:

(a) the audit will be performed by an independent third-party auditor mandated by the Controller and mutually agreed by the parties, such agreement not to be unreasonably withheld; Articulation may object to a proposed auditor that is a competitor of Articulation or that is not suitably independent or qualified;
(b) the auditor must enter into a confidentiality agreement with Articulation before the audit;
(c) all costs of the audit, including the auditor's fees and Articulation's reasonable costs of supporting the audit, are borne by the Controller, regardless of the audit's findings;
(d) the audit must be conducted during normal business hours and in a manner that does not unreasonably interfere with Articulation's operations;
(e) if the parties cannot agree on an auditor within a reasonable period, Articulation may instead satisfy this Section by providing its most recent third-party audit report and a written response to a reasonable security questionnaire; and
(f) the Controller will provide a copy of the audit report to Articulation and treat its contents as Articulation's confidential information.

13. International Transfers

13.1. Permitted transfers. Articulation may transfer Customer Personal Data outside the EEA, the UK, and Switzerland only where an appropriate safeguard under Chapter V GDPR is in place.

13.2. EU SCCs. Where Articulation transfers Customer Personal Data from the EEA to a third country that has not been the subject of an adequacy decision, the parties incorporate the SCCs into this DPA by reference, as follows:

Module 2 (controller to processor) applies;
Clause 7 (docking clause) is included;
Clause 9, Option 2 (general written authorization) applies, with the time period for prior notice of Subprocessor changes set out in Section 7.3;
Clause 11(a) independent dispute resolution option is not selected;
Clause 17 (governing law) is the law of Ireland;
Clause 18 (forum and jurisdiction) is the courts of Ireland;
Annex I.A (parties) is completed by reference to the Principal Agreement;
Annex I.B (description of transfer) is Annex I to this DPA;
Annex I.C (competent supervisory authority) is the Irish Data Protection Commission;
Annex II (technical and organizational measures) is Annex II to this DPA;
Annex III (list of sub-processors) is Annex III to this DPA.

13.3. UK transfers. Where Articulation transfers Customer Personal Data from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs by reference, with the elections in Section 13.2 applying mutatis mutandis.

13.4. Swiss transfers. Where Articulation transfers Customer Personal Data from Switzerland, the SCCs apply with the adaptations described in the Swiss Federal Data Protection and Information Commissioner's guidance of 27 August 2021.

13.5. Transfer impact assessment assistance. Articulation will provide the Controller with reasonable assistance and reasonably available information to enable the Controller to carry out a transfer impact assessment for transfers of Customer Personal Data to a third country, including information about the relevant Subprocessors, processing locations, and applicable safeguards.

13.6. Government access requests. If Articulation receives a legally binding request from a public authority for disclosure of Customer Personal Data, Articulation will, to the extent legally permitted: (a) review the legality of the request and challenge it where it is unlawful or overbroad; (b) disclose only the minimum amount of data reasonably necessary; and (c) notify the Controller without undue delay, or as soon as legally permitted where notification is prohibited.

13.7. Conflict. In the event of conflict between this DPA and the SCCs, the SCCs prevail.

14. General

14.1. Liability. Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement, except that no such limitation or exclusion applies to: (a) liability that the SCCs require not to be limited (including liability to data subjects under Clause 12 of the SCCs); or (b) claims brought directly by a data subject under Article 82 GDPR. Administrative fines imposed under Article 83 GDPR are excluded from the Principal Agreement's liability cap to the extent they arise from the non-compliance of the party against whom they are asserted; each party indemnifies the other for fines and regulatory penalties to the extent caused by that party's own non-compliance with this DPA or Data Protection Laws.

14.2. Governing law. This DPA is governed by the law specified in the Principal Agreement, except that Sections 13.2–13.4 are governed by the law specified in those Sections to the extent required.

14.3. Term. This DPA takes effect on the effective date of the Principal Agreement and continues until the Principal Agreement terminates and Articulation has completed its obligations under Section 11.

14.4. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force.

Annex I — Description of the Processing

A. List of Parties

As set out in the Principal Agreement.

B. Description of the Processing

Subject matter	Provision of the Articulation website-builder and hosting platform, including integrated commerce functionality, to the Controller.
Duration	For the term of the Principal Agreement, plus the retention period set out in Section 11.
Nature and purpose	Hosting, storing, transmitting, displaying, indexing, analyzing, and processing Customer Personal Data as necessary to: (a) operate the Controller's website(s) and store(s) on the Service; (b) process orders and payments placed through those store(s); (c) deliver transactional and marketing email initiated by the Controller; (d) provide editor, analytics, search, and content-generation features; (e) provide error monitoring, security, and abuse prevention; and (f) provide support to the Controller.
Categories of Personal Data	(a) Controller's end-users and site visitors: IP address, device and browser identifiers, cookie identifiers, page-view and interaction data, geolocation derived from IP, content submitted via forms (including names, email addresses, and any other fields the Controller chooses to collect); (b) End-customers of stores: name, email address, billing address, shipping address, phone number, order history, product preferences, payment method type (full payment-card data is processed directly by the relevant payment Subprocessor and not stored by Articulation), customer service correspondence; (c) Content uploaded by the Controller: any Personal Data contained within pages, posts, products, images, or other content the Controller creates within the Service.
Categories of Data Subjects	(a) Visitors to the Controller's websites; (b) End-customers who place orders through the Controller's stores; (c) Recipients of transactional or marketing email sent through the Service; (d) Individuals whose Personal Data is contained within content the Controller uploads or creates within the Service.
Sensitive data	The Service is not designed for the processing of special categories of Personal Data under Article 9 GDPR or criminal-conviction data under Article 10 GDPR. The Controller will not submit such data to the Service except with Articulation's prior written agreement and subject to any additional safeguards required.
Data location	Customer Personal Data is hosted and processed in the United States, in a secure data center in Pompano Beach, Florida. Certain Subprocessors listed in Annex III process limited data in other locations as described there. Transfers from the EEA/UK/Switzerland rely on the safeguards in Section 13.
Frequency of transfer	Continuous, for the duration of the Principal Agreement.
Retention	For the duration of the Principal Agreement. After termination, Customer Personal Data is retained subject to Section 11 (not automatically deleted absent a documented request; certain assets purged 90 days after termination). Operational logs are retained for up to 90 days; backups for up to 90 days.

C. Competent Supervisory Authority

The Irish Data Protection Commission, or such other Supervisory Authority as determined under Clause 13 of the SCCs.

Annex II — Technical and Organizational Measures

The following measures are implemented by Articulation to protect Customer Personal Data. Specific implementation details may evolve over time consistent with Section 5.2.

1. Encryption

Selected high-sensitivity fields in the production database — items like form-submission entries and third-party access tokens — are encrypted at rest using application-level AES-256 encryption.
Personal Data in transit between the Controller, Data Subjects, and the Service is protected by HTTPS/TLS; SSL certificates for customer domains are provisioned and renewed automatically.
Payment-card data is not stored by Articulation; it is collected directly by the PCI DSS Level 1 payment Subprocessors listed in Annex III.

2. Confidentiality and access control

Administrative access requires multi-factor authentication (MFA).
Administrative access uses individually-attributed accounts; shared administrative credentials are prohibited and access follows a least-privilege model.
Access is revoked promptly upon personnel changes.

3. Integrity and change management

Changes to production are deployed via version-controlled code through a Kamal-based deployment pipeline.

4. Availability and resilience

Backups are taken and are tested for restorability at reasonable intervals.
Backups are replicated to two redundant storage locations in geographically diverse data centers (operated by InterServer) to support restoration in the event of a physical or technical incident affecting the primary facility.
Backups are retained for up to 90 days.

5. Testing and evaluation of security measures

Static analysis (PHPStan, Psalm) and the automated test suite are executed on code changes.
Dependency vulnerability scanning and code vulnerability scanning are performed via GitHub.

6. Protection of data during transmission

HTTPS is enforced for customer- and visitor-facing endpoints; automatic SSL certificate provisioning and renewal for customer domains.

7. Protection of data during storage

Production data is segregated from development and staging environments.
Note on published content: the Service is a website host. Files and content the Controller publishes to its website (including uploaded media) are, by design, served publicly over the internet and are directly accessible by URL. This is inherent to the nature of the Service; the Controller determines what content and files it makes public.

8. Physical security of processing locations

Production infrastructure is hosted in a secure data center in Pompano Beach, Florida, United States, which provides full physical access control, 24/7 on-site staff and video surveillance, comprehensive fire detection and suppression systems, and three independent power backup systems.

9. Event logging

Access logging is in place for the Service; logs are actively monitored and alerted on.
Logs are retained for up to 90 days.

10. System configuration

Production secrets are provided to the application via environment variables.
Application dependencies and systems are patched on a roughly bi-weekly cadence.

11. Internal IT and IT security governance and management

Security responsibilities are assigned to identified personnel; the technical and organizational measures applied are as set out elsewhere in this Annex.

12. Certification / assurance of processes and products

Articulation does not currently hold a SOC 2 or ISO 27001 certification. Articulation relies in part on the third-party certifications held by its Subprocessors (e.g., SOC 2 Type II, ISO 27001, PCI DSS), as summarized in Annex III.

13. Data minimization

The Service collects only the categories of Personal Data described in Annex I.B.
The Controller is responsible for configuring forms and other data-collection points within the Service to collect only data necessary for its stated purpose.

14. Data quality

The Service provides tools for the Controller and, where applicable, Data Subjects to view, correct, and delete Personal Data.

15. Limited retention

Customer Personal Data is retained for the duration of the Principal Agreement and deleted in accordance with Section 11.

16. Accountability

Articulation maintains records of processing activities and Subprocessor engagements.
Designated personnel are responsible for responding to data-protection inquiries (see the Contact section below).

17. Allowing data portability and ensuring erasure

The Controller can export its content and customer/order data through the Service's export functionality.
Deletion is performed in accordance with Section 11.

Annex III — List of Subprocessors

The following Subprocessors are engaged by Articulation as of the date of this DPA. The current list is published on Articulation's website alongside the Privacy Policy and Terms of Service (at the URL notified to Customers and linked from the Terms of Service) and is updated in accordance with Section 7.

1. Google Analytics

Legal entity / location: Google LLC (US); Google Ireland Ltd. for EU
Purpose: Website analytics, traffic measurement, conversion tracking
Data categories processed: IP address (truncated where configured), device/browser identifiers, page views, referrer URLs, cookie IDs, behavioral events
Security / compliance: ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3
Transfer mechanism: EU-US DPF + SCCs

2. Resend

Legal entity / location: Resend, Inc. (Delaware, US)
Purpose: Transactional email delivery
Data categories processed: Recipient email, name, email subject/body, delivery metadata, sender IP
Security / compliance: SOC 2 Type II; TLS in transit, AES-256 at rest
Transfer mechanism: SCCs

3. Anthropic (Claude API)

Legal entity / location: Anthropic, PBC (San Francisco, US)
Purpose: AI-assisted content generation features
Data categories processed: Content submitted to the AI features, which may include personal data of the Controller's end-users and site visitors (e.g. data drawn from site content or form submissions) in addition to controller-authored input; not used to train models by default on the API tier used
Security / compliance: SOC 2 Type II, ISO 42001
Transfer mechanism: SCCs

4. Stripe

Legal entity / location: Stripe Payments Europe Ltd. (Ireland) for EEA; Stripe, Inc. (US) globally
Purpose: Card/payment processing
Data categories processed: Cardholder data, billing address, name, email, transaction history, IP
Security / compliance: PCI DSS Level 1, SOC 1, SOC 2, ISO 27001
Transfer mechanism: EU customers via Stripe Europe; otherwise SCCs + EU-US DPF

5. Square

Legal entity / location: Block, Inc. (San Francisco, US)
Purpose: Card/payment processing
Data categories processed: Cardholder data, billing address, name, email, transaction history
Security / compliance: PCI DSS Level 1, SOC, ISO 27001
Transfer mechanism: SCCs + EU-US DPF

6. PayPal

Legal entity / location: PayPal (Europe) S.à r.l. (Luxembourg) for EU; PayPal Holdings, Inc. (US) globally
Purpose: Payment processing
Data categories processed: Payer name, email, billing/shipping address, payment instrument identifiers, transaction history, IP
Security / compliance: PCI DSS Level 1, SOC, ISO 27001
Transfer mechanism: EU customers via PayPal Europe; otherwise SCCs

7. Shippo

Legal entity / location: Shippo, Inc. (San Francisco, US)
Purpose: Shipping rate calculation, label generation, tracking
Data categories processed: Sender/recipient name, shipping address, contact info, package details, tracking numbers
Security / compliance: SOC 2
Transfer mechanism: SCCs

8. Printful

Legal entity / location: Printful, Inc. (US); Printful Latvia SIA (Latvia) for EU fulfillment
Purpose: Print-on-demand fulfillment
Data categories processed: Customer name, shipping address, contact info, order details, customer-supplied artwork
Security / compliance: SOC 2
Transfer mechanism: EU orders via Printful Latvia; otherwise SCCs

9. hCaptcha (Intuition Machines)

Legal entity / location: Intuition Machines, Inc. (San Francisco, US)
Purpose: Bot/abuse detection, CAPTCHA challenges
Data categories processed: IP address, browser/device fingerprint, interaction signals, challenge responses
Security / compliance: SOC 2 Type II, ISO 27001
Transfer mechanism: SCCs + EU-US DPF

10. OpusDNS

Legal entity / location: OpusDNS GmbH, Franz-Mayer-Str. 1, 93053 Regensburg, Germany
Purpose: Domain registration / management and DNS
Data categories processed: Registrant name, address, email, phone; domain configuration; DNS query metadata
Security / compliance: EU-established processor. Art. 28 DPA + MSA available per OpusDNS GTC §4.6; execution in progress — to be completed by 2026-08-13. TOMs/certifications requested from OpusDNS. OpusDNS hosts on DigitalOcean (US) and uses further US sub-processors
Transfer mechanism: OpusDNS sub-processor transfers (e.g. DigitalOcean US) under SCCs/DPF. Domain registration transmits registrant data to registries, which act as independent controllers; transfers to non-adequate third-country registries rely on the Art. 49(1)(b) derogation (necessary to perform the contract), not SCCs (OpusDNS GTC §9.2–9.4). Public WHOIS exposure applies

11. Cloudflare

Legal entity / location: Cloudflare, Inc. (US); Cloudflare Ireland Ltd. for EU
Purpose: CDN, reverse proxy, DDoS protection, WAF, TLS termination
Data categories processed: IP address, HTTP request metadata, TLS-terminated request/response content in transit
Security / compliance: SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS, FedRAMP Moderate
Transfer mechanism: SCCs + EU-US DPF; Data Localization Suite available

12. InterServer

Legal entity / location: InterServer, Inc. (US)
Purpose: Redundant off-site backup storage across two geographically diverse US data centers
Data categories processed: Backup copies of Customer Personal Data held in the production environment
Security / compliance: Art. 28 DPA integrated into InterServer Terms of Service (interserver.net/terms-of-service.html): processor-on-instructions, equivalent-obligation sub-processors, breach notice without undue delay, deletion/return within 30 days, security measures, SCCs
Transfer mechanism: SCCs

Contact

Privacy and data-protection inquiries should be directed to:

Articulation, LLC — Privacy Team
160 W Camino Real Unit #997, Boca Raton, FL 33432, United States
privacy@articulationmail.com

Acceptance

This DPA does not require signature. It is incorporated by reference into Articulation's Terms of Service and forms part of the Principal Agreement. By accepting the Terms of Service or by using the Service, the Customer (as Controller) and Articulation (as Processor) agree to this DPA, including the SCCs incorporated under Section 13, in accordance with Article 28(9) GDPR (which permits the contract to be in electronic form). Absence of a signature does not affect the binding effect of this DPA.