This Data Processing Agreement and its Annexes A, B, and C (“DPA”) is between Launch Point LLC (“Launch Point LLC,” “we,” “us,” “Processor”) and the party executing this agreement as Customer (“Customer”). This DPA reflects the parties’ agreement with respect to the Processing of Personal Data by Launch Point LLC on behalf of Customer in connection with the Services provided under the contemporaneously executed Terms of Service between the parties (“Agreement”).
This DPA forms part of the Agreement and becomes effective upon execution or as otherwise specified in the Agreement or an Order. If any conflict arises between this DPA and the Agreement, the terms of this DPA shall take precedence to the extent of the conflict. This DPA supersedes any prior data processing agreement between the parties.
a. CCPA means the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), including amendments under the California Privacy Rights Act.
b. California Personal Information means Customer Personal Data subject to CCPA protections.
c. Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Process, and Processing have the meanings assigned by Data Protection Laws.
d. Customer Personal Data means Personal Data contained within Customer Data processed under the Agreement.
e. Data Protection Laws means all applicable global privacy and data protection legislation, including European Data Protection Laws, CCPA, and others, as amended.
f. Europe means the EU, EEA, Switzerland, and the UK.
g. European Data means Personal Data subject to European Data Protection Laws.
h. European Data Protection Laws includes GDPR, UK GDPR, Swiss DPA, and related regulations.
i. GDPR means Regulation (EU) 2016/679 and the retained UK version.
j. Standard Contractual Clauses (SCCs) means the EU Commission-approved clauses for international transfers.
k. UK Addendum means the ICO’s official international data transfer addendum.
Both parties must comply with all applicable Data Protection Laws. This DPA supplements, and does not replace, obligations under such laws.
Customer acts as Controller (or Processor where acting on behalf of its clients).
Launch Point LLC acts as Processor.
Customer is responsible for obtaining all lawful consents, notices, and permissions required to collect and transfer Customer Personal Data to Launch Point LLC. Customer indemnifies Launch Point LLC for any failure to meet these obligations.
Details are provided in Annex A.
Launch Point LLC will only Process Customer Personal Data on documented instructions from Customer, including instructions in the Agreement and this DPA, unless required by law.
Launch Point LLC will notify Customer if any instruction appears unlawful.
Launch Point LLC will:
a. Implement and maintain the technical and organizational security measures in Annex B.
b. Ensure that personnel with access to Personal Data are bound by confidentiality obligations.
c. Provide assistance (at Customer’s cost) with Data Subject requests and Customer’s compliance duties, including impact assessments and regulatory consultations.
d. Notify Customer without undue delay upon becoming aware of a Personal Data Breach involving Customer Personal Data.
e. Delete or return Customer Personal Data upon Customer’s request or upon termination of the Agreement, unless legally required to retain it.
f. For European Data, assist Customer in meeting GDPR requirements under Articles 32–36 and allow reasonable audits to demonstrate compliance.
g. Maintain necessary records of Processing activities.
If the CCPA applies:
Customer is a business
Launch Point LLC is a service provider
Launch Point LLC will not:
Sell or share California Personal Information
Use or retain it beyond what is necessary to perform the Services
Combine it with other datasets except as permitted
Launch Point LLC will provide compliance evidence upon Customer request.
Customer provides general authorization for Launch Point LLC to use Subprocessors.
Launch Point LLC will:
Ensure Subprocessors are bound by similar data protection obligations
Remain responsible for Subprocessor actions
Notify Customer of Subprocessor changes (if Customer opts in)
A current list of Subprocessors is in Annex C.
Launch Point LLC will transfer European Data only where appropriate safeguards (e.g., SCCs, UK Addendum, Swiss modifications) are in place.
The SCCs are incorporated by reference and apply as follows:
Customer = data exporter
Launch Point LLC = data importer
Module Two or Three applies depending on Customer’s role
Docking clause applies
Subprocessor changes: Option 2
Clause 11: deleted
Governing law: Ireland
Annexes completed via this DPA
SCCs apply with the UK Addendum.
SCCs apply with Swiss-specific modifications.
If Launch Point LLC cannot comply with SCC obligations, Customer may suspend transfers or terminate Services after a reasonable cure period.
Launch Point LLC may update this DPA to reflect legal developments or enhanced security practices, provided it does not materially reduce the level of protection.
Name: As defined in the Agreement
Address: As provided in Customer’s account
Role: Controller or Processor
Address:
500 4th Street Northwest
Suite 102/3100
Albuquerque, New Mexico 87102
USA
Contact: Karen King, Founder
GDPR Email: [email protected]
Role: Processor
Data Subjects:
Customers, clients, leads, and contacts uploaded or collected by Customer.
Personal Data:
Name, email, phone number, date of birth, social media profiles, and any other data Customer chooses to collect.
Sensitive Data:
Not anticipated.
Frequency:
Ongoing and variable.
Nature of Processing:
Collection, storage, organization, transmission, CRM functionality, messaging, marketing automation, analytics.
Purpose:
To provide ESC Hub Services in accordance with the Agreement.
Retention:
For the duration of Customer’s use of the ESC Hub platform unless otherwise required by law.
Determined by the Customer’s jurisdiction as outlined in the SCCs.
Launch Point LLC implements the following measures:
Encryption: AES-256 at rest; TLS 1.2+ in transit
Access Controls: Role-based access, password protection, authorization tokens
Endpoint Protection: API protections and infrastructure monitoring
Backups: Regular encrypted backups via AWS/Google Cloud
Physical Security: Managed via cloud providers’ certified facilities
Event Logging: Logging and audit monitoring via CloudWatch and Google Ops
System Hardening: Managed containers, vulnerability patching, and version-controlled configurations
Data Minimization: Minimum required data stored; optional fields flexible
Retention Controls: Customer admin control over retention
Data Portability: Export tools available to Customer
Erasure: Data deletion tools and support ticket process
Country: USA
Purpose: Data storage & infrastructure
Contact: [email protected]
Country: USA
Purpose: Data storage & infrastructure
Contact: +1 206 266 7010