1. Scope and Applicability

1.1 Purpose

This Data Processing Agreement ("DPA") is entered into between:

• Data Controller: You (the customer/user of Pretend's Services)

• Data Processor: Pretend Group LLC

This DPA governs how Pretend processes personal data on your behalf in connection with our Services.

1.2 When This DPA Applies

This DPA applies if:

• You are located in the European Union (EU), European Economic Area (EEA), United Kingdom (UK), or Switzerland

• You process personal data of EU/UK residents

• You use Pretend's Services to process this data

• GDPR, UK GDPR, or equivalent privacy laws apply

1.3 Relationship to Other Agreements

• This DPA is part of our Terms & Conditions and Privacy Policy

• In case of conflict, this DPA supersedes other documents on data processing matters

• Your Data Processing Addendum (if you have one) may supplement this DPA

1.4 Legal Framework

This DPA complies with:

• GDPR (Regulation (EU) 2016/679)

• UK GDPR (Data Protection Act 2018 as modified)

• Swiss FADP (Federal Act on Data Protection)

• SCCs (Standard Contractual Clauses Module One and Two)

2. Definitions

"Personal Data" – Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).

"Processing" – Any operation performed on personal data (collection, recording, organization, use, storage, disclosure, etc.).

"Data Subject" – The individual to whom personal data relates.

"Data Controller" – The entity that determines the purposes and means of processing. For this DPA, you (the customer).

"Data Processor" – The entity that processes data on behalf of the controller. For this DPA, Pretend Group LLC.

"Sub-processor" – A processor engaged by us to process personal data on our behalf.

"Breach" – Unauthorized or accidental access, disclosure, alteration, or loss of personal data.

"Standard Contractual Clauses (SCCs)" – EU-approved contractual terms for international data transfers.

"Appropriate Safeguards" – Security measures, including encryption, access controls, and organizational practices.

3. Roles and Responsibilities

3.1 Your Role as Data Controller

As the data controller, you are responsible for:

• Determining what personal data to collect and why

• Ensuring lawful basis exists for processing

• Providing privacy notices to data subjects

• Responding to data subject requests

• Notifying of data breaches (to authorities and affected individuals)

• Conducting Data Protection Impact Assessments (DPIAs) where required

• Ensuring sub-processors comply with GDPR

• Monitoring our processing activities

3.2 Our Role as Data Processor

As the data processor, we:

• Process personal data only as instructed by you

• Process only for the purposes you specify

• Implement appropriate security measures

• Assist with your GDPR obligations

• Do NOT determine purposes or means of processing

• Do NOT use data for our own purposes (except with your consent)

3.3 Where We Act as Data Controller

For our own business purposes, we act as a data controller regarding:

• Your account information (name, email, payment details)

• Your usage analytics

• Your support tickets

• Marketing communications (if you opted in)

These are covered by our Privacy Policy, not this DPA.

4. Scope of Data Processing

4.1 Categories of Personal Data

We process the following personal data categories on your behalf:

Directly Provided by You:

• Project descriptions and briefs

• Text content you upload

• Client names and contact information (in project details)

• Any other data you intentionally submit

Automatically Collected:

• Usage logs (project creation times, file uploads)

• System metadata (file names, upload dates, versions)

• IP addresses (from upload/access logs)

• Device information (if included in uploaded files)

From Third Parties:

• File content (metadata, embedded data from your files)

• Project collaborators' information (if you invite team members)

4.2 Categories of Data Subjects

The data subjects whose data we process on your behalf:

• Your clients and customers

• Your team members and collaborators

• Your vendors and contractors

• Your end-users (whose content appears in projects)

• Any individuals whose data appears in your projects

4.3 Types of Processing

We perform these processing operations:

• Storage: Saving files and data to secure servers

• Access Control: Allowing authorized access (you, your team)

• Backup: Creating backup copies for disaster recovery

• Analysis: Analyzing usage for service improvement

• Deletion: Removing data per your instructions or upon account closure

• Export: Converting data to formats you can download

• Security: Scanning for malware and unauthorized access

4.4 Processing Duration

• Active Subscription: Data is processed for the duration of your account

• After Cancellation: Data is retained for 30 days to allow export

• Backup Retention: Backup copies retained for 30 days before deletion

• Legal Holds: Data retained longer if required by law

5. Instructions and Permitted Processing

5.1 Your Instructions

You instruct us to process personal data solely for:

• Providing creative services (design, video editing, etc.)

• Storing and organizing your projects

• Providing customer support

• Improving our Services (analytics only)

• Complying with legal obligations

We will not process data for any other purpose without your explicit written instruction.

5.2 Additional Instructions

You may provide written instructions to:

• Delete specific data

• Restrict processing of certain data

• Export data in a specific format

• Limit access to specific team members

• Implement special security measures

Submit instructions to: [admin@gopretend.com]

5.3 Prohibited Processing

We will NOT process data for:

• Marketing or promotional purposes (without explicit consent)

• Selling or sharing with third parties for their marketing

• Creating profiles or automated decision-making

• Combining with other data sources without your instruction

• Any purpose not specified in our Services or this DPA

6. Data Security and Protection Measures

6.1 Technical Safeguards

We implement these technical security measures:

Encryption

• Data in transit: TLS 1.2+ encryption (HTTPS)

• Data at rest: AES-256 encryption for sensitive data

• Database encryption with industry-standard algorithms

Access Controls

• Role-based access control (RBAC)

• Multi-factor authentication for admin accounts

• Principle of least privilege (employees access only necessary data)

• Activity logging and monitoring

Data Isolation

• Your data is logically separated from other customers

• Separate encryption keys per customer

• No cross-customer data access

Backup and Recovery

• Daily automated backups

• Geographically redundant storage

• Tested recovery procedures

• Backup data encrypted same as primary

Network Security

• Firewalls and intrusion detection systems

• Regular security scans and penetration testing

• DDoS protection

• Secure API design and authentication

6.2 Organizational Safeguards

Personnel

• Confidentiality agreements with all staff

• Data protection training

• Screening and background checks

• Limited access to personal data

• Disciplinary procedures for violations

Processes

• Data minimization (collect only necessary data)

• Regular security assessments

• Incident response procedures

• Data subject request procedures

• Data retention and deletion policies

Auditing

• Regular security audits and assessments

• Compliance monitoring

• Documentation of security measures

• Third-party security reviews

6.3 Subprocessor Security

Sub-processors must:

• Implement equivalent security measures

• Sign data processing agreements

• Comply with GDPR and this DPA

• Undergo security assessments

• Promptly notify of breaches

• Assist with data subject requests

7. Data Subject Rights and Assistance

7.1 Your Obligations

As data controller, you are responsible for:

• Responding to data subject requests (access, deletion, correction, portability, objection)

• Providing notices required under GDPR Articles 13-14

• Obtaining necessary consents

• Managing data retention and deletion

7.2 Our Assistance

We will assist you with data subject requests by:

• Providing personal data in a structured format upon request

• Correcting inaccurate data

• Deleting data as instructed

• Exporting data for portability requests

• Restricting processing as requested

• Assisting with DPIAs

• Responding to competent authorities

7.3 Request Process

To request data subject assistance:

1. You receive a request from a data subject

2. You forward to us (or data subject contacts us directly)

3. We verify the request and confirm your authorization

4. We fulfill the request within 30 days (or timeline you specify)

5. We document and report back to you

Contact for Data Subject Requests:

[admin@gopretend.com]

7.4 Timelines

• Access requests: 30 days from request receipt

• Deletion requests: 30 days (subject to retention requirements)

• Correction requests: Implemented promptly

• Portability requests: 30 days in portable format

• Objection handling: Processed per your instructions

8. Sub-processors and Third Parties

8.1 List of Sub-processors

We use the following sub-processors to process your personal data:

Infrastructure and Hosting

Service Providers

Analytics (if your data is processed)

8.2 Authorized Sub-processors

You authorize us to use the sub-processors listed above. For any new sub-processors, we will:

• Notify you in advance (typically 30 days)

• Provide details of the new processor

• Offer you the right to object

• Provide an objection process (see Section 8.3)

8.3 Your Right to Object

If you object to a new sub-processor:

6. Email [admin@gopretend.com] with your objection

7. Explain your data protection concerns

8. We will work with you on alternatives

9. If unresolved, you may suspend/terminate the agreement per Section 12

8.4 Sub-processor Agreements

All sub-processors have data processing agreements that:

• Provide equivalent data protection obligations

• Restrict use to the purposes authorized

• Require appropriate security measures

• Permit auditing and inspection

• Address confidentiality and liability

Copies of sub-processor agreements available upon request.

9. International Data Transfers

9.1 Transfer Mechanism

Pretend is based in the United States. As an EU/UK-based company processing personal data, your data will be transferred to the United States.

Legal Basis for Transfer:

• Standard Contractual Clauses (SCCs) – see Section 9.2

• Supplementary Measures – see Section 9.3

• Appropriate Safeguards – see Section 6

9.2 Standard Contractual Clauses (SCCs)

We rely on the EU Commission-approved Standard Contractual Clauses (Module One: Controller to Processor; Module Two: Processor to Sub-processor) as the transfer mechanism.

SCC Details:

• Clauses Used: Module One and Two (as applicable)

• Effective Date: 31 March 2026

• Parties: You (exporter) ↔ Pretend (importer)

• Data Categories: As defined in Section 4

• Frequency of Transfer: Continuous during subscription

• Duration: For the duration of the agreement

9.3 Supplementary Measures

In addition to SCCs, we implement supplementary measures to protect your data:

Technical Safeguards

• Encryption of data in transit and at rest

• Secure access controls

• Regular security assessments

• Data isolation from other customers

Organizational Safeguards

• Data minimization principles

• Restricted employee access

• Confidentiality agreements

• Data protection training

Legal Safeguards

• Compliance with GDPR requirements

• Cooperation with authorities

• Data subject rights protection

• Transparency and documentation

9.4 US Legal Process

You acknowledge that:

• US authorities may request access to data under US law

• We will challenge unlawful requests where possible

• We will notify you of legal requests where permitted

• We comply with GDPR requirements regarding such requests

Notification of Legal Requests:

If a US authority requests your data, we will:

10. Notify you (unless legally prohibited)

11. Provide a copy of the request

12. Cooperate with you on any challenge

13. Disclose only the minimum necessary

9.5 Right to Terminate on Transfer Concerns

If you believe the transfer mechanisms are inadequate:

14. Contact us to discuss your concerns: [admin@gopretend.com]

15. We will explain our safeguards

16. If unresolved, you may terminate per Section 12

10. Data Breach Notification

10.1 Breach Notification Obligations

In the event of a confirmed data breach (unauthorized access, disclosure, alteration, or loss of personal data), we will:

Notification to You:

• Notify without unreasonable delay (typically within 24-72 hours)

• Provide details of:

• What data was breached

• Which data subjects were affected

• Likely consequences

• Measures we've taken to contain the breach

• Steps you should take

Notification to Authorities:

• You are responsible for notifying supervisory authorities (data protection authorities)

• We will provide information needed for your notification

• We will cooperate with authority investigations

Notification to Data Subjects:

• You are responsible for notifying affected data subjects (where legally required)

• We will assist with notifications as needed

10.2 Breach Investigation

Upon discovering a breach, we will:

• Immediately contain and investigate

• Preserve evidence

• Document timeline and root cause

• Implement remediation measures

• Report findings to you

10.3 No Admission of Liability

Breach notification is required by law and is NOT an admission of liability or negligence. We will investigate the cause and provide findings.

11. Audit and Inspection Rights

11.1 Your Audit Rights

You have the right to:

• Request information about our data processing practices

• Audit our compliance with this DPA

• Inspect our facilities and systems (with notice)

• Review our security measures and safeguards

• Request proof of sub-processor compliance

11.2 Audit Procedures

Notification Period

• Provide at least 15 days' written notice

• Specify audit scope and objectives

• Provide reasonable timeframe for audit

Audit Timing

• Audits conducted during business hours

• Maximum frequency: once per year (unless breach/compliance concern)

• Emergency audits available for suspected breaches

Audit Scope

• May include documentation review

• System access review

• Sub-processor verification

• Security assessments

Confidentiality

• Audit findings kept confidential

• NDA may be required

• Findings reported to you only

• Competitors prohibited from attending audits

Cost

• First audit annually: Covered by Pretend

• Additional audits: You pay Pretend's reasonable costs

• Third-party audits: You pay auditor fees plus our coordination costs

11.3 Third-Party Audits

You may engage a third party (auditor, law firm, consultant) to conduct audits on your behalf. The auditor must:

• Sign a confidentiality agreement

• Be independent and qualified

• Provide audit plan in advance

• Report findings to you only

• Not be a competitor

11.4 Certifications and Reports

We maintain certifications and can provide:

• SOC 2 Type II Report

• ISO 27001 Certificate

• Privacy Shield / Adequacy Decision

• Security assessment reports

• Penetration testing results

12. Term, Termination, and Data Return

12.1 Term

This DPA:

• Comes into effect on the date you accept our Terms & Conditions

• Continues for as long as you use our Services

• Automatically updates when our Privacy Policy or Terms change

• Can be supplemented with additional DPA terms

12.2 Termination

This DPA terminates when:

• Your subscription/account is cancelled

• Our Services are discontinued

• Mutual agreement to terminate

12.3 Post-Termination Obligations

Upon termination, within 30 days, we will:

• Delete or Return: Provide all personal data in portable format OR securely delete

• Backup Deletion: Delete backup copies (backups may be retained for 30 days before deletion)

• Sub-processor Notice: Instruct sub-processors to delete data

• Certification: Provide written certification of deletion

• Exceptions: Retain data if required by law

12.4 Data Export

Before termination, you can:

• Download all your project data from your account dashboard

• Request a data export in portable format

• Extract data independently

12.5 Survival

The following sections survive termination:

• Section 5 (Data Subject Rights Assistance) - for requests received after termination

• Section 9 (International Data Transfers) - for any data retained

• Section 10 (Data Breach Notification) - for breaches discovered after termination

• Section 11 (Audit Rights) - for a 12-month post-termination period

13. Liability and Indemnification

13.1 Liability Cap

Our liability under this DPA is limited as follows:

• To the extent permitted by law

• Limited to direct damages only

• Maximum: equivalent to the subscription fees paid in the 12 months preceding the claim"

• Does not apply to: Data breaches caused by your breach, indemnification obligations, IP infringement

13.2 Indemnification

We will defend and indemnify you against:

• Third-party claims that we breached this DPA

• Claims we failed to comply with GDPR

• Claims of unauthorized processing

Conditions:

• You notify us promptly of the claim

• You provide reasonable cooperation

• We have sole control of defense

13.3 Your Liability

You are liable for:

• Claims arising from your instructions to process data

• Data you provide (inaccuracy, incompleteness)

• Your breach of data controller obligations

• Your failure to obtain necessary consents

14. Dispute Resolution and Governing Law

14.1 Governing Law

This DPA is governed by:

• Primary: The laws of the State of California, USA

• GDPR: Interpretation follows GDPR and guidance from data protection authorities

• Conflict of Laws: California law applies without regard to conflict of law principles

14.2 Dispute Resolution

Negotiation

17. In good faith, attempt to resolve within 30 days

18. Escalate to executive leadership if needed

Mediation

If negotiation fails:

19. Either party may request mediation

20. Mediation conducted in San Diego, California

21. Each party bears own costs (mediator costs split equally)

22. Mediation confidential

Arbitration or Litigation

If mediation fails:

• Either party may pursue arbitration or litigation

• Venue: San Diego County, California (per main Terms & Conditions)

• GDPR and UK GDPR override choice of law for data protection matters

14.3 Data Protection Authority

Regardless of dispute mechanism:

• Either party may contact competent data protection authorities

• Authorities investigate independently

• Either party may file complaints with authorities

15. General Provisions

15.1 Amendments

We may update this DPA:

• To comply with GDPR or legal requirements

• To reflect changes in our data processing practices

• Upon 30 days' notice to you

• Your continued use constitutes acceptance

• Material changes require your explicit consent

15.2 Precedence

This DPA precedence order:

23. This DPA (Data Processing Agreement)

24. Privacy Policy (for controller obligations)

25. Terms & Conditions (for general terms)

26. GDPR and applicable law (if any conflict)

15.3 Entire Agreement

This DPA, together with our Terms & Conditions and Privacy Policy, constitutes the entire agreement regarding data processing. All prior agreements are superseded.

15.4 Severability

If any provision is found unenforceable:

• That provision is severed

• Remaining provisions remain in effect

• Severed provision is replaced with enforceable language reflecting original intent

15.5 Assignment

• You may not assign this DPA without our consent

• We may assign to successor (acquisition, merger) with notice

• Assignment of any type requires data protection authority notification (if required)

15.6 Waiver

• No waiver of this DPA is valid unless in writing

• Waiving one provision doesn't waive others

• Failure to enforce a right doesn't forfeit the right

16. Contact and Inquiries

16.1 Data Protection Officer

For DPA and data protection questions:

Email: [admin@gopretend.com]

Mailing Address:

Pretend Group LLC

630 Alta Vista Dr, Suite 106

Vista, CA 92084

United States

Response Time: Within 10 business days

16.2 Data Processing Inquiries

For specific data processing questions or instructions:

Email: [admin@gopretend.com]

16.3 Data Subject Requests

Data subjects can submit requests at:

Email: [admin@gopretend.com]

17. Appendices

Appendix A: Standard Contractual Clauses

Module One Clauses (Controller to Processor)

• Clause 1: Definitions

• Clause 2: Purpose and scope

• Clause 3: Personal data

• Clause 4: Processor obligations

• Clause 5: Rights of data subjects

• Clause 6: Sub-processor

• Clause 7: International transfers

• Clause 8: Data subject rights

• Clause 9: Redress

• Clause 10: Liability

• Clause 11: Solving disputes

Module Two Clauses (Processor to Sub-processor)

[Applied to all sub-processors as specified in Section 8]

Appendix B: List of Sub-processors

[Current as of 31 March 2026. Full details in Section 8.1]

Appendix C: Data Categories and Processing Operations

[As detailed in Section 4]

Appendix D: Technical and Organizational Measures

[As detailed in Section 6]

18. Acknowledgment and Acceptance

By using Pretend's Services, you acknowledge and accept:

• You have read and understand this DPA

• You understand your obligations as a data controller

• You understand the risks and protections regarding international data transfers

• You accept the terms and conditions of this DPA

• You authorize processing of personal data per this DPA

No Separate Signature Required: Your continued use of our Services constitutes acceptance.

Request for Signed DPA: If you require a signed version, email [admin@gopretend.com] with "Executed DPA Request."

End of Data Processing Agreement