Data Processing Agreement
Last updated: August 11, 2025 at 5:30PM
Parties: Pier20 Ltd ("Pier20") and the person or entity that accepts the Terms and this DPA (the "Client"). Master Terms: This DPA forms part of and is incorporated by reference into the parties’ master agreement (the “Terms and any applicable Order or SOW”).
Purpose. This DPA sets out the data-protection terms governing Pier20’s processing of Personal Data on behalf of Client in connection with Pier20’s managed AI-driven sales development services (prospect discovery, outreach, and meeting scheduling). Precedence. If there is any conflict between this DPA and the Terms, this DPA prevails solely in respect of the processing of Personal Data and compliance with Applicable Data Protection Laws. The order of precedence is: (a) any Order or Statement of Work; (b) this DPA; and (c) the Terms.
Online publication & acceptance. This DPA is published at https://pier20.com/legal/dpa (the "Online DPA"). By (i) executing an Order/SOW, (ii) clicking “I agree” (or similar) presented with links to the Terms and this DPA, or (iii) accessing or using the Platform or Services (including continuing use after notice of this Online DPA or an update), Client agrees to the Terms and this Online DPA. If Client requires a signed copy, Pier20 will countersign upon request; the Online DPA is deemed pre‑signed by Pier20 as of the Version date above.
1. Definitions
Applicable Data Protection Laws means all laws and regulations relating to privacy and the processing of Personal Data applicable to a party, including the EU GDPR, the UK GDPR and the Data Protection Act 2018, and any national implementing or supplementing legislation. Client Personal Data means Personal Data processed by Pier20 on behalf of Client under the Terms and any applicable Order or SOW, including any Client-Supplied Data and any Client-Specific Working Copy. Controller, Processor, Data Subject, Personal Data, Processing have the meanings given in Applicable Data Protection Laws. Pier20 Baseline Data means information including business contact information that Pier20 obtains independently from third‑party sources for Pier20’s own databases and purposes; Pier20 acts as a separate Controller for this data. Client‑Specific Working Copy means the subset/derivatives of Pier20 Baseline Data that Pier20 compiles or enriches for a Client Campaign under an Order/SOW; Pier20 acts as Processor for this data. Sub‑processor means any Processor engaged by Pier20 to process Client Personal Data. Applicable Marketing Laws means direct‑marketing and e‑privacy laws applicable to outreach (e.g., PECR and analogous laws). Capitalised terms not defined here have the meanings in the Terms.
2. Roles & Scope
2.1 Roles. Client is Controller for the marketing of its products/services. Pier20 acts as Processor to execute outreach and scheduling on Client’s documented instructions (Orders and SOWs and approved messaging/parameters). Where Pier20 independently determines targeting criteria (e.g., segmentation rules derived from LinkedIn/website signals), the parties are Joint Controllers solely for that activity, with responsibilities set out in Annex J. For the avoidance of doubt, where Client provides its ideal customer profile and defines or approves targeting criteria (for example, industries, geographies, company size, job titles, and similar segmentation), Pier20 acts as Processor in implementing those criteria. Pier20 may propose refinements, but Client’s approval is required and such proposals do not of themselves change the parties’ roles.
2.2 Subject matter, duration, nature & purpose of Processing, the types of Personal Data and categories of Data Subjects are described in Annex I. 2.3 Relationship to Pier20 Baseline Data. Pier20 Baseline Data is processed by Pier20 as a separate Controller. When Pier20 derives a Client‑Specific Working Copy from Pier20 Baseline Data for a Campaign, Pier20 acts as Processor in respect of that Client‑Specific Working Copy.
3. Client Instructions & “Informer” Duty
3.1 Documented instructions. Pier20 will process Client Personal Data only on documented instructions from Client (including the Terms and any applicable Order or SOW and this DPA). For these purposes, documented instructions include configuration or settings made by Client within the Platform, Orders or SOWs, service tickets, emails, and oral instructions that are subsequently recorded by Pier20 in meeting notes or a ticket and shared with Client, or provided during a call that is recorded with the participants’ consent. 3.2 Client warranties on data. Client represents and warrants that all lists, contact data, and instructions it supplies or approves are collected and provided on a lawful basis for the intended direct‑marketing purposes, and that Client has provided all required notices and permissions. Pier20 is not obliged to audit Client’s compliance. 3.3 Compliance signal (narrow duty). To the extent Pier20 becomes aware that a specific instruction appears unlawful under Applicable Data Protection Laws, Pier20 will notify Client and may pause the affected Processing pending clarification.
4. Pier20 Obligations (as Processor)
4.1 Confidentiality. Pier20 will ensure that persons authorised to process Client Personal Data are subject to appropriate confidentiality obligations. 4.2 Security. Pier20 will implement appropriate technical and organisational measures as described in Annex S. 4.3 Sub‑processors. See Section 7 and Annex P. 4.4 Assistance. Taking into account the nature of Processing and the information available to Pier20, Pier20 will assist Client to: (a) respond to Data Subject requests; (b) conduct data protection impact assessments and consultations with regulators where required; and (c) demonstrate compliance with Article 28 GDPR/UK GDPR, as further outlined in Annex D (DSR & Notice Playbook). Such assistance will be provided on a reasonable efforts basis and may be chargeable on a time‑and‑materials basis at Pier20’s then‑current professional services rates, except to the extent the need for assistance was caused by Pier20’s breach of this DPA.
4.5 Records & audits. Pier20 will maintain records of Processing as required by law and, upon reasonable written request, make available information necessary to demonstrate compliance. Audits are addressed in Section 10. 4.6 Personal Data Breach. Pier20 will notify Client without undue delay (target within forty-eight (48) hours of confirmation) upon becoming aware of a Personal Data Breach affecting Client Personal Data, and will provide information reasonably available at the time, updates as more details emerge, mitigation steps, and a contact point.
5. Client Obligations (light‑touch, managed model)
5.1 Lawful basis & transparency. Client is responsible for determining the lawful basis for its direct‑marketing activities and for any transparency obligations toward its prospects/customers as Controller. At Client’s request, Pier20 will include in outreach a link to Client’s privacy notice and other disclosures supplied by Client to support Client’s transparency obligations. 5.2 Approvals. Client will promptly review/approve campaign messaging and parameters and provide timely instructions and access reasonably required for the Services. 5.3 Opt‑outs/suppression. Pier20 will include and honour unsubscribe mechanisms in outreach, maintain suppression lists on Client’s behalf, and, on request or termination, provide the Client‑specific suppression list for Client records.
6. International Data Transfers
Where Client Personal Data is transferred outside the UK/EEA, Pier20 will ensure an appropriate safeguard applies, including the EU Standard Contractual Clauses (Controller to Processor, Module 2; Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum (or IDTA), or reliance on an adequacy decision. The SCCs/UK Addendum are incorporated by reference, with annexes completed by reference to Annex I (description) and Annex S (security). Where required, Pier20 will conduct transfer risk assessments on a proportionate, good‑faith basis, which may rely on publicly available information, vendor assurances and contractual commitments, and Pier20 may charge reasonable, documented costs for bespoke assessments requested by Client. SCC key selections. The docking clause applies; Sub‑processors are subject to general authorisation with notice as set out in Section 7; the governing law and forum for the SCCs is Ireland; and the standard third‑party beneficiary rights apply.
7. Sub‑processors (low‑overhead and private)
7.1 General authorisation. Client grants Pier20 a general authorisation to appoint Sub‑processors in the categories listed in Annex P. 7.2 Private identification. Pier20 will maintain a non‑public, Client‑accessible list identifying Sub‑processors that will process Client Personal Data, available in‑product (or on written request) and treated as Pier20 Confidential Information. 7.3 Notice & objections. Pier20 will provide in‑product notice (or email) of intended additions/replacements five (5) Business Days before engagement where feasible, and otherwise promptly thereafter for urgent continuity. Client may object only on reasonable, documented data‑protection grounds within the notice period; the absence of a timely objection will be deemed to constitute no objection. 7.4 Outcome of objection. If Client objects, the parties will discuss in good faith. If no resolution is achieved, Client may disable the affected feature or terminate the affected SOW to the minimum extent necessary; fees and refunds are handled per the Terms. Client acknowledges that disabling a Sub‑processor may degrade or limit the functionality of the Services, and Pier20 does not warrant equivalent functionality or performance for the affected portions; any performance targets or service credits do not apply to the affected portions during such disablement. 7.5 Flow‑down. Pier20 will impose obligations on Sub‑processors providing at least the level of protection required by Article 28 GDPR/UK GDPR. 7.6 Not Sub‑processors. Vendors that do not process Client Personal Data (e.g., Pier20’s own payment providers, corporate communications/IT, HR, or facilities) are not Sub‑processors under this DPA.
8. Improvements & AI (Option B — limited anonymised learning)
Pier20 may use de‑identified or aggregated telemetry and performance metrics to improve and develop the Services. Pier20 will not use Personal Data to train foundation or generative models and will not attempt re‑identification.
9. Sending Identity & DNS
If sending from Client‑provided domains/mailboxes, Client is responsible for DNS records (SPF, DKIM, DMARC) and sender reputation for those domains (Pier20 will provide reasonable guidance). If sending from Pier20‑provisioned domains/mailboxes, Pier20 is responsible for DNS configuration and reputation management.
10. Audits & Information Requests
10.1 Provision of reports. Upon request no more than once in any twelve (12) month period (and following a Personal Data Breach with impact to Client), Pier20 will make available information reasonably necessary to demonstrate compliance (e.g., policies/controls descriptions, responses to reasonable security questionnaires, third‑party assessments or penetration‑test summaries, risk/compliance reports), subject to confidentiality. 10.2 Targeted audit. If the information provided is insufficient to confirm material compliance, Client may conduct a targeted audit limited to Client Personal Data and relevant controls (remote document review by a mutually agreed independent auditor) on at least thirty (30) days’ notice, during normal business hours, without unreasonably disrupting operations, and subject to reasonable scope, security, and confidentiality restrictions. For clarity, audits will not require access to other customers’ data, proprietary source code, or facilities not used to process Client Personal Data. “On‑site” audits refer only to physical inspection of Pier20‑controlled premises where Client Personal Data is processed and are permitted only where required by a competent authority or where a remote audit is demonstrably inadequate.
10.3 Costs. Each party bears its own costs; if an audit reveals a material breach of this DPA, Pier20 will bear reasonable, documented auditor costs. 10.4 Regulators. Nothing limits a competent supervisory authority’s rights.
11. Return & Deletion
Within thirty (30) days of termination or on Client’s written request, Pier20 will return (in a commonly used, machine‑readable format) and then delete Client Personal Data, including any Client‑Specific Working Copy and Client‑supplied lists, except to the extent retention is required by law or routine backups (which are subsequently purged per policy). Pier20 may retain Pier20 Baseline Data and de‑identified/aggregated analytics for its own lawful purposes. Additional retention periods may be specified in Annex R.
12. Liability & Indemnity
Liability and indemnity are governed by the Terms. For the avoidance of doubt, the aggregate caps and exclusions in the Terms apply to this DPA. Nothing in this DPA limits liability that cannot lawfully be limited or excluded.
13. Governing Law & Jurisdiction
This DPA is governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, without prejudice to the SCC‑mandated choices for EU transfers.
14. Order of Precedence & Miscellaneous
14.1 Order of precedence. The order of precedence is: (a) any Order or Statement of Work; (b) this DPA; and (c) the Terms. 14.2 Severability; counterparts; electronic signatures. If any provision is held invalid, the remainder remains in force. This DPA may be executed in counterparts and by electronic signature. 14.3 Updates. Pier20 may update this DPA to reflect changes in law or Sub‑processor categories. Material changes will be notified at least thirty (30) days in advance via in‑product notice or email to Client’s designated contact; immaterial changes take effect upon posting to the legal URL noted above. Client’s continued use of the Services after the effective date constitutes acceptance of the updated DPA. Where a material change materially prejudices Client, Client may terminate the affected Services before the change takes effect.
Execution (Online DPA)
This Online DPA becomes effective on the earlier of: (i) Client’s acceptance of the Terms or execution of an Order/SOW that references this DPA; (ii) Client’s clicking “I agree” (or similar) presented with links to the Terms and this DPA; or (iii) the accessing or use of the Platform or Services by or on behalf of Client following notice of this Online DPA. Pier20 may maintain reasonable acceptance records (e.g., timestamp, user ID, version, IP) for evidential purposes.
Annex I — Description of Processing
A. Parties & contacts Data Exporter (Controller): The Client identified in the applicable Order or Statement of Work, or otherwise the person or entity that accepts the Terms and this DPA via account registration, with contact details as provided by Client in the Order or Statement of Work or in the account profile. Data Importer (Processor): Pier20 Ltd, [address], Privacy Contact: [●], Email: [●].
B. Subject matter & duration Processing Client Personal Data to execute outreach and meeting‑scheduling campaigns and provide related analytics. Duration: the Term of the Order/SOW and thirty (30) days thereafter for return/deletion (unless longer retention is mandated by law or per Annex R).
C. Nature & purpose Prospect discovery and validation; AI‑assisted message generation; email sending and deliverability management; reply handling; meeting scheduling; campaign analytics and reporting; suppression management.
D. Categories of Data Subjects • Client’s prospective or existing B2B contacts. • Client’s authorised users/representatives who interact with the Platform.
E. Categories of Personal Data • B2B contact data: name, job title, employer, work email, work phone, LinkedIn URL/profile metadata, geography, function/seniority. • Message & engagement data: content of emails and replies, headers, timestamps, opens/clicks/bounces/complaints, thread IDs, scheduling details, calendar invite data. • Operational data: account identifiers, role/permissions, audit logs, IP/device metadata. (No special categories or children’s data are intended to be processed.)
F. Frequency of transfer Continuous and ad hoc as required to provide the Services.
G. Retention As set out in Section 11 and Annex R.
H. Competent supervisory authority (EU SCCs) For SCC purposes, the competent authority is determined by the exporter’s location in the EEA; where not determinable, the Irish supervisory authority.
Annex P — Sub‑Processor Categories (identity kept private)
This Annex lists categories of Sub‑processors engaged by Pier20. The identity of specific Sub‑processors used for Client’s Processing is available in‑product (or on request) as Pier20 Confidential Information. Categories:
- Hosting / IaaS / PaaS (compute, storage, networking).
- Email delivery infrastructure (transactional/marketing email, deliverability tooling).
- Email warm‑up / reputation services.
- Data enrichment / validation providers (B2B contact verification, enrichment, list hygiene).
- CRM, calendar & scheduling connectors (integrations to Client‑authorised systems).
- Monitoring, logging & analytics (performance/security telemetry).
- AI model hosting/inference (if used for message generation or scoring).
- Support tooling (ticketing, support chat) where it processes Client Personal Data.
Change notice & objections (summary). Pier20 will provide in‑product notice (or email) of intended additions/replacements five (5) Business Days before engagement where feasible (otherwise promptly). Objections are permitted only on reasonable, documented data‑protection grounds; unresolved objections may result in disabling the affected feature or termination of the affected SOW to the minimum extent necessary; fees/refunds per the Terms.
Annex S — Security Measures (high‑level)
Pier20 maintains technical and organisational measures appropriate to the risk, including:
- Access control & identity: MFA, least‑privilege, role‑based access, joiner/mover/leaver procedures.
- Encryption: encryption in transit and at rest; key management.
- Network & application security: secure development practices, dependency management, vulnerability management and patching cadence.
- Logging & monitoring: centralised logging, monitoring, and documented incident‑response runbooks.
- Vendor risk management: due diligence, contractual flow‑down of data‑protection obligations, and periodic reviews.
- Business continuity & disaster recovery: backups, tested restore procedures.
- Email authentication & abuse controls: SPF/DKIM/DMARC, rate limiting, bounce/complaint handling.
- Personnel: background checks where lawful; security and privacy training.
Annex D — Data Subject Request (DSR) & Notice Playbook
Scope. This Annex sets the operational flow for Data Subject requests and direct‑marketing notices related to Client Personal Data.
Intake & routing
- Primary contact: privacy@pier20.com (or via in‑product privacy request form).
- If Pier20 receives a request intended for Client: Pier20 will forward to Client within two (2) Business Days and log the event.
Allocation of responsibilities
- Client (Controller): leads on identity verification, legal assessment, and final response to the Data Subject.
- Pier20 (Processor): provides reasonable assistance, including extracting relevant data and suppression actions as instructed by Client.
- Pier20 Baseline Data (Pier20 as Controller): Pier20 responds directly to the Data Subject consistent with its own privacy notices.
Service levels
- Acknowledgement: Pier20 will acknowledge receipt of a request within two (2) Business Days and provide an estimated timeframe for completion based on complexity and scope.
- Forwarding of misdirected requests: within two (2) Business Days.
- Pier20 assistance on Client‑led requests (exports, deletions, suppression): within five (5) Business Days of a specific, documented instruction; urgent legal deadlines prioritised on request.
Data fields typically available for assistance
- Contact attributes (name, title, employer, business contact details), outreach messages sent, thread metadata (timestamps, headers), engagement metrics (opens/replies/bounces/complaints), scheduling records, relevant logs and system identifiers.
Unsubscribes & suppression
- Pier20 will apply suppression without undue delay across affected campaigns and ensure future outreach respects the suppression; Pier20 will provide a Client‑specific suppression list on request or at termination.
Transparency
- Pier20 will provide Client with information reasonably required for Client’s transparency records about the targeting activity and Sub‑processor categories upon request.
Annex J — Joint Controller Terms (targeting activity only)
Scope. Applies solely where Pier20 independently determines targeting criteria (segmentation/selection of prospects) for a Campaign.
A. Allocation of responsibilities
- Purpose & essential means. Client determines the commercial objective and approves messaging/parameters; Pier20 determines targeting criteria for prospect selection.
- Transparency & lawful basis. Client is responsible for its transparency obligations and lawful basis as Controller for its marketing; Pier20 will provide Client with information reasonably required for Client’s transparency records.
- Data Subject rights. Requests received by either party relating to the targeting activity will be promptly shared with the other; the parties will cooperate in good faith to respond within statutory timelines.
- Security & breach. Pier20 remains responsible for security of systems it controls and for notifying Client of Personal Data Breaches per Section 4.6; Client remains responsible for its own systems.
- Contact point. Client acts as the primary point of contact for Data Subjects.
B. Liability. Each party is responsible for damage it causes by Processing that infringes Applicable Data Protection Laws; overall caps/exclusions are per the Terms.
Annex R — Retention & Deletion Schedule (defaults)
Unless otherwise agreed in an Order/SOW:
- Client‑Specific Working Copy & Client‑supplied lists: retained for the Term and thirty (30) days thereafter for return/deletion.
- Message content & threads: up to [eighteen (18) months] after send, for operational continuity and dispute resolution.
- Engagement metrics/telemetry (pseudonymised/aggregated): up to [twenty-four (24) months]; thereafter kept only in de‑identified form.
- Suppression lists: retained for the Term, and thereafter as required to respect opt‑outs when migrating data back to Client.
- Backups: retained per standard rotation policies, then purged.
EU/UK Transfer Mechanics (Incorporated by Reference)
EU SCCs. The parties incorporate the EU Commission Standard Contractual Clauses (Controller to Processor, Module 2) (2021/914) by reference for EU Personal Data transferred to third countries without adequacy. For Clause 7 the docking clause applies; for Clause 9 general authorisation applies with notice per Section 7; for Clause 17 the governing law is Ireland; for Clause 18 disputes are subject to the courts of Ireland. Annex I and Annex S of this DPA complete Annexes I and II of the SCCs; Sub‑processor categories in Annex P complete Annex III. UK Addendum/IDTA. For UK transfers, the ICO International Data Transfer Addendum to the EU SCCs (March 2022) (or the IDTA, as applicable) is incorporated by reference; the tables are completed by reference to this DPA’s Annexes and selections above; governing law/jurisdiction: England and Wales.