
Data Processing Addendum

Effective: April 24, 2026
Version: 1.0
Contact: hello@loadbear.co

About this document: This document was drafted by LoadBear for a typical B2B SaaS deployment of the LoadBear Platform. It is provided as a starting point and should be reviewed by a qualified attorney before being relied upon as a binding agreement. Email hello@loadbear.co with any questions.

1. Introduction and Scope

This Data Processing Addendum (the "DPA") forms part of the Agreement between LoadBear ("LoadBear," "Processor") and the Customer ("Customer," "Controller") governing the processing of Personal Data in connection with Customer's use of the LoadBear Platform (the "Services"). This DPA is intended to satisfy the requirements of (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"); (b) the UK General Data Protection Regulation as implemented by the Data Protection Act 2018 (the "UK GDPR"); (c) the Swiss Federal Act on Data Protection of 25 September 2020 (the "FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the "CCPA/CPRA"); and (e) other applicable U.S. state privacy laws including the Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and the comprehensive privacy laws of Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Florida, Delaware, New Hampshire, New Jersey, Kentucky, Minnesota, Maryland, and Rhode Island, as in effect from time to time (collectively, "Applicable Privacy Laws").

This DPA is incorporated into and forms part of the Terms of Service or other written agreement between the parties governing Customer's use of the Services (the "Agreement"). To the extent of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.

2. Definitions

Capitalized terms not defined here have the meanings given in the Agreement, the GDPR, the UK GDPR, the CCPA/CPRA, or other Applicable Privacy Laws, as the context requires.

  • "Approved Subprocessor" means a Subprocessor authorized under Section 7.
  • "Customer Personal Data" means Personal Data contained in Customer Data that LoadBear processes on behalf of Customer in providing the Services.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "EEA" means the European Economic Area.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
  • "Restricted Transfer" means a transfer of Customer Personal Data from a jurisdiction whose Applicable Privacy Laws restrict cross-border transfers to a jurisdiction not deemed to provide adequate protection.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended.
  • "Sub-User" has the meaning set out in Section 8 of the Terms.

3. Roles of the Parties

With respect to Customer Personal Data:

  • Under the GDPR, UK GDPR, and FADP: Customer is the Controller (or, where Customer acts on behalf of a third party, a Processor) and LoadBear is the Processor (or Sub-Processor, as applicable).
  • Under the CCPA/CPRA: Customer is the Business and LoadBear is a Service Provider acting on Customer's behalf.
  • Under other Applicable Privacy Laws: Customer is the Controller (or analogous role) and LoadBear is the Processor (or analogous role).

LoadBear acts as an independent Controller (or Business) only with respect to its own business operations, including account administration, billing, security, and product analytics; such processing is governed by our Privacy Policy, not this DPA.

4. Scope, Duration, and Subject Matter of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1 below. LoadBear shall process Customer Personal Data only for the duration of the Agreement and only for the purposes set out in Annex 1, the Agreement, and any documented instructions from Customer.

5. Customer's Instructions and Compliance

LoadBear shall process Customer Personal Data only on documented instructions from Customer, including with regard to Restricted Transfers, except where required to do so by applicable law to which LoadBear is subject (in which case LoadBear shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). The Agreement, including this DPA, the Documentation, Customer's configuration and use of the Services, and any subsequent written instructions agreed by both parties, constitute Customer's complete and final instructions to LoadBear in relation to Customer Personal Data. Additional instructions outside the scope of the Agreement require a separate written agreement and may incur additional fees.

Customer represents and warrants that: (a) it has provided all required notices and obtained all required consents and authorizations to enable the lawful processing of Customer Personal Data under the Agreement; (b) Customer's instructions to LoadBear comply with Applicable Privacy Laws; and (c) Customer's use of the Services does not violate any third-party rights.

6. LoadBear's Obligations

6.1 Confidentiality of personnel

LoadBear shall ensure that personnel authorized to process Customer Personal Data are bound by appropriate written confidentiality obligations or are under a statutory obligation of confidentiality, and have received appropriate training on their responsibilities.

6.2 Security

LoadBear shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The current measures are described in Annex 2 (Technical and Organizational Measures). LoadBear may update these measures from time to time, provided that the updated measures do not materially diminish the level of protection.

6.3 Personal Data Breach notification

LoadBear shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification shall include, to the extent then available: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate possible adverse effects; and (d) the name and contact details of LoadBear's data protection contact. Notification of or response to a Personal Data Breach is not an acknowledgment of fault or liability by LoadBear.

6.4 Assistance with Data Subject rights

Taking into account the nature of the processing, LoadBear shall assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Privacy Laws (including rights of access, rectification, erasure, restriction of processing, data portability, and objection). If LoadBear receives a request directly from a Data Subject regarding Customer Personal Data, LoadBear shall not respond to the request (other than to direct the Data Subject to Customer or confirm receipt) and shall promptly forward the request to Customer.

6.5 Assistance with impact assessments and consultations

LoadBear shall provide reasonable assistance to Customer with any data protection impact assessments or prior consultations with supervisory authorities required under Articles 35 and 36 of the GDPR or analogous provisions, taking into account the nature of the processing and the information available to LoadBear.

6.6 Records of processing

LoadBear shall maintain records of processing activities carried out on behalf of Customer as required by Article 30(2) of the GDPR.

7. Subprocessors

7.1 General authorization

Customer provides general written authorization for LoadBear to engage Subprocessors to process Customer Personal Data, subject to this Section 7. The current list of Subprocessors is set out in Annex 3.

7.2 Notice of new Subprocessors

LoadBear shall update the Subprocessor list before engaging any new Subprocessor and provide notice via email to the address designated by Customer (or, if no address is designated, by posting an updated list on loadbear.co with a mechanism to subscribe to changes). LoadBear shall provide such notice at least thirty (30) days before the new Subprocessor processes Customer Personal Data, except in the case of replacement of an existing Subprocessor where a shorter period is required for urgent operational, security, or legal reasons.

7.3 Right to object

Customer may object to the appointment of a new Subprocessor on reasonable grounds related to data protection by giving written notice within ten (10) business days of LoadBear's notice. The parties shall discuss the objection in good faith and seek a commercially reasonable solution. If no resolution is reached within thirty (30) days, Customer may terminate the affected Services on written notice with a refund of any prepaid fees for the unused portion of the Subscription Term as Customer's exclusive remedy.

7.4 Subprocessor agreements and liability

LoadBear shall enter into written agreements with each Subprocessor that impose data protection obligations no less protective than those in this DPA. LoadBear remains liable for the acts and omissions of its Subprocessors that cause LoadBear to breach this DPA, to the same extent LoadBear would be liable if performing the obligations directly.

8. International Data Transfers

8.1 Restricted Transfers from the EEA

To the extent that LoadBear's processing of Customer Personal Data involves a Restricted Transfer from the EEA, the SCCs are hereby incorporated by reference and apply, with the following selections: (a) Module Two (Controller-to-Processor) shall apply where Customer is a Controller and LoadBear is a Processor; (b) Module Three (Processor-to-Processor) shall apply where Customer is a Processor; (c) Clause 7 (Docking Clause) is included; (d) Clause 9(a) Option 2 (general written authorization) shall apply with the time period in Section 7.2 above; (e) Clause 11(a) optional language is excluded; (f) Clause 17 Option 1 shall apply, governed by the laws of the Republic of Ireland; (g) Clause 18(b) shall designate the courts of Ireland; and (h) Annexes I, II, and III to the SCCs shall be deemed completed with the information set out in Annexes 1, 2, and 3 of this DPA.

8.2 Restricted Transfers from the United Kingdom

To the extent that LoadBear's processing involves a Restricted Transfer from the UK, the parties incorporate the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner ("UK Addendum"). Tables 1, 2, and 3 of the UK Addendum are deemed completed with the corresponding information from this DPA and the SCCs. Table 4 is completed by selecting "neither party."

8.3 Restricted Transfers from Switzerland

To the extent that LoadBear's processing involves a Restricted Transfer from Switzerland, the SCCs apply with the following modifications: (a) references to "GDPR" are deemed to include the FADP; (b) references to the European Commission and supervisory authorities are amended to include the Swiss Federal Data Protection and Information Commissioner ("FDPIC"); (c) the term "member state" is amended to include Switzerland; (d) Clause 17 designates Swiss law; and (e) Clause 18(b) designates the courts of Switzerland.

8.4 Alternative transfer mechanisms

If a competent court or supervisory authority determines that the SCCs or UK Addendum are no longer a valid transfer mechanism, or if LoadBear adopts an alternative recognized transfer mechanism (such as Binding Corporate Rules or an approved certification), the parties shall cooperate in good faith to implement such alternative mechanism.

9. Audit Rights

LoadBear shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable prior written notice (at least thirty (30) days, except in the event of a Personal Data Breach or where required by a supervisory authority), and no more than once per twelve-month period (except where required by a supervisory authority), Customer may, at its own expense, conduct or commission an audit of LoadBear's compliance with this DPA, subject to the following:

  • The audit shall be conducted during normal business hours, in a manner that does not unreasonably interfere with LoadBear's business operations, and in accordance with reasonable security and confidentiality requirements;
  • Customer (or its auditor) shall sign customary confidentiality agreements before any audit;
  • The auditor shall not be a competitor of LoadBear;
  • LoadBear may satisfy its audit obligations by providing Customer with copies of recent third-party audit reports, certifications (e.g., SOC 2 Type II, ISO 27001), or completed security questionnaires (such as the CAIQ);
  • If a regulator requires a more detailed audit, LoadBear shall cooperate with the regulator's lawful requirements.

10. Return or Deletion of Customer Personal Data

Within thirty (30) days after termination or expiration of the Agreement, LoadBear shall, at Customer's choice (made by written notice within that period), return or delete all Customer Personal Data, unless retention is required by applicable law. Where retention is required, LoadBear shall protect the retained Customer Personal Data with the same security measures and limit further processing to what is required by law. LoadBear may retain Customer Personal Data in routine backups for up to ninety (90) days, after which it shall be deleted or anonymized in accordance with LoadBear's standard data lifecycle policies.

11. CCPA-Specific Provisions

To the extent LoadBear processes Personal Information (as defined in the CCPA/CPRA) on behalf of Customer:

  • LoadBear is a "Service Provider" and Customer is a "Business" as those terms are defined under the CCPA/CPRA;
  • LoadBear shall not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than for the specific business purpose of providing the Services as set forth in the Agreement, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose Personal Information outside the direct business relationship between LoadBear and Customer; or (d) combine Personal Information that LoadBear receives from or on behalf of Customer with Personal Information that LoadBear receives from or on behalf of any other person, or collects from its own interaction with the consumer, except as permitted by Section 7050(b) of the CCPA Regulations;
  • LoadBear certifies that it understands these restrictions and will comply with them;
  • LoadBear shall notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA;
  • Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

12. Limitation of Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. Any reference in such limitations to liability under "the Agreement" includes liability under this DPA. For the avoidance of doubt, LoadBear's total cumulative liability under the Agreement and this DPA, taken together, shall not exceed the cap set forth in the Agreement.

13. Order of Precedence

If there is any conflict between this DPA and any other agreement between the parties, the order of precedence is: (a) the SCCs and UK Addendum (where applicable); (b) this DPA; (c) the Agreement.

14. Updates to this DPA

LoadBear may update this DPA from time to time to reflect changes in Applicable Privacy Laws, Subprocessors, or LoadBear's processing operations, provided that no update shall materially diminish Customer's protections under this DPA without Customer's consent. Updates will be posted at loadbear.co/dpa with an updated "Effective" date.

Annex 1 — Description of Processing

  • Subject matter: Provision of the LoadBear Platform under the Agreement.
  • Duration: For the term of the Agreement, plus any retention period required by law or specified in the Agreement.
  • Nature and purpose: Hosting, storage, processing, and presentation of Customer Personal Data necessary to operate AI agents and workflows configured by Customer; security; access management; backup; support.
  • Categories of Data Subjects: As determined by Customer; may include Customer's employees, contractors, agents, customers, prospects, suppliers, applicants, end users, and other individuals whose Personal Data Customer chooses to submit to the Services.
  • Types of Personal Data: As determined by Customer; commonly includes contact details, professional information, account credentials, communications, transaction records, and business documents. Customer is responsible for not submitting categories of Personal Data the Services are not designed to process (including special categories of Personal Data under GDPR Article 9 or "sensitive personal information" under U.S. state laws) without first ensuring suitability and entering into any required additional agreements.
  • Frequency of transfer: Continuous for the duration of the Agreement.
  • Subprocessors: See Annex 3.
  • Retention: As set out in Section 10 of this DPA and the Agreement.

Annex 2 — Technical and Organizational Measures (TOMs)

Access control and authentication

  • Multi-factor authentication required for administrative access;
  • Role-based access control with least-privilege principles;
  • Quarterly review of access rights;
  • Workspace isolation: each Customer's data is logically segregated and cannot be accessed by other Customers.

Encryption

  • Data in transit: TLS 1.2 or higher for all external communications;
  • Data at rest: AES-256 for stored Customer Personal Data;
  • Secrets management: API keys and credentials stored in encrypted secret stores.

Operational security

  • Vulnerability management with regular scanning and patching;
  • Endpoint protection on personnel devices;
  • Secure software development lifecycle including code review and dependency monitoring;
  • Logging and monitoring of administrative actions and security-relevant events;
  • Incident response plan with defined roles, procedures, and notification thresholds.

Personnel

  • Background checks for personnel with access to Customer Personal Data, where permitted by law;
  • Confidentiality obligations and security training for all personnel;
  • Prompt revocation of access upon role change or termination.

Physical security

  • Cloud infrastructure providers maintain SOC 2 Type II and ISO 27001 certified data centers with 24/7 physical security, biometric access controls, environmental safeguards, and redundant power and cooling.

Resilience and continuity

  • Daily backups of Customer Personal Data;
  • Documented disaster recovery and business continuity procedures;
  • Multi-region or multi-availability-zone deployment of critical services where feasible.

Vendor management

  • Risk-based security assessment of Subprocessors before onboarding;
  • Contractual security and privacy obligations imposed on Subprocessors.

AI-specific measures

  • Customer Personal Data is not used to train any general-purpose AI model;
  • Model providers are contractually obligated not to retain Customer Personal Data for training purposes;
  • Configuration controls available to Customer to manage prompt logging and output retention.

Annex 3 — Subprocessors

LoadBear engages the following Subprocessors to provide the Services:

  • Subprocessor: Cloudflare, Inc. Service provided: Edge compute (Workers), DNS, content delivery, web application firewall, analytics. Location of processing: Global edge network with data center in U.S.; configurable regional restrictions available for certain features.
  • Subprocessor: Anthropic, PBC. Service provided: Large language model API for AI agent functionality. Location of processing: United States.
  • Subprocessor: Stripe, Inc. Service provided: Payment processing and subscription billing. Location of processing: United States.
  • Subprocessor: Resend, Inc. Service provided: Transactional and notification email delivery. Location of processing: United States.
  • Subprocessor: Cal.com, Inc. Service provided: Booking and scheduling. Location of processing: United States.
  • Subprocessor: Google LLC. Service provided: Workspace email and calendar (where used by Customer's authorized integrations). Location of processing: United States.

The current Subprocessor list is maintained at loadbear.co/dpa. Customer may subscribe to subprocessor change notifications by emailing hello@loadbear.co with the subject line "Subprocessor Updates."
