Data Processing Agreement (Template)

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between LVRS FRVR LLC, a Wyoming limited liability company located at 30 N Gould St. Ste. 58721, Sheridan, WY 82801 ("LVRS FRVR" or "Processor"), and the entity identified in the executed signature page ("Customer" or "Controller"). Together they are the "Parties."

This DPA is incorporated by reference into and forms part of the underlying services agreement, order form, or research data license between the Parties (the "Services Agreement"). In the event of conflict, this DPA controls solely with respect to the processing of Personal Data.

2. Definitions

Capitalized terms used and not defined herein have the meanings given them in Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), or the Washington My Health My Data Act ("MHMDA"), as applicable.

• Personal Data means any information relating to an identified or identifiable natural person processed under this DPA.
• Processing has the meaning given in GDPR Art. 4(2).
• Subprocessor means a third party engaged by Processor to process Personal Data on behalf of Customer.
• Personal Data Breach has the meaning given in GDPR Art. 4(12).
• Standard Contractual Clauses or SCCs means the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914.

3. Subject Matter, Duration, Nature, and Purpose

The subject matter of the processing is the Personal Data submitted to or generated through Customer's use of the Services. The duration of the processing is the term of the Services Agreement, plus any retention period required by applicable law or specified in Section 12 below.

The nature and purpose of the processing are to provide the Services described in the Services Agreement, including relationship health tracking, daily check-ins, sentiment analysis, repair velocity measurement, aggregate research outputs, and related functionality.

4. Categories of Data Subjects and Personal Data

Categories of Data Subjects may include: Customer's end users (including employees, members, research participants, or other individuals authorized by Customer), and the partners of those users.

Categories of Personal Data may include: account identifiers (email, name), device and session metadata, daily ritual responses, journal entries, sentiment-derived signals, partner-pairing data, payment metadata, and any optional demographic or research-profile fields the data subject elects to provide. Annex II describes the full inventory.

Special Category Data. Where Customer's configuration causes Processor to handle data revealing health, mental wellness, sexual orientation, or other special categories under GDPR Art. 9, the Parties agree such processing is performed only with the data subject's explicit consent and only for the purposes described in the Services Agreement.

5. Roles and Obligations of the Controller

Customer determines the purposes and means of the processing of Personal Data and is the "controller" (GDPR) or "business" (CCPA/CPRA). Customer represents and warrants that:

• It has all necessary rights, consents, and lawful bases to authorize the processing under this DPA.
• Its instructions to Processor will comply with applicable data protection laws.
• It will provide all data subject notices required by law and will not rely on Processor to do so.
• It will not transmit to Processor any Personal Data of children under 13 (or under 16 in jurisdictions where that is the age of digital consent) without verifiable parental consent.

6. Obligations of the Processor

Processor shall:

• Process Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by applicable law (in which case Processor shall inform Customer of that legal requirement before processing, unless prohibited by law).
• Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures ("TOMs") as set forth in Annex I.
• Engage Subprocessors only in accordance with Section 7 below.
• Assist Customer, taking into account the nature of the processing, by appropriate technical and organizational measures, in fulfilling Customer's obligations to respond to Data Subject requests.
• Assist Customer in ensuring compliance with GDPR Art. 32 to 36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available.
• Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, in accordance with Section 11.

7. Subprocessors

Customer authorizes Processor to engage the Subprocessors listed at lvrsfrvr.com/subprocessors. Processor shall provide at least 30 days advance notice of any new Subprocessor or replacement of an existing Subprocessor by updating that page. Customer may object to a new Subprocessor on reasonable data-protection grounds within 30 days of notice; if the Parties cannot agree on an acceptable resolution, Customer may terminate the Services Agreement on written notice.

Processor shall enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those in this DPA. Processor remains liable to Customer for the acts and omissions of Subprocessors.

8. International Data Transfers

Where the processing involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not covered by an adequacy decision, the Parties incorporate the EU Standard Contractual Clauses (Module Two: controller to processor) into this DPA by reference. The UK International Data Transfer Addendum and the Swiss FADP supplement apply where relevant.

Annex III sets out the transfer mechanism details, including identification of the data exporter and importer, competent supervisory authority, and additional safeguards.

9. Data Subject Rights

Processor shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligations to respond to requests from data subjects to exercise their rights under applicable data protection laws (including rights of access, rectification, erasure, restriction, portability, and objection).

If Processor receives a request from a data subject regarding Customer's Personal Data, Processor shall promptly forward the request to Customer and shall not respond to the data subject directly, except to confirm receipt and direct the data subject to Customer.

10. Personal Data Breach

Processor shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification shall, at minimum, describe the nature of the Breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the Breach.

Processor will cooperate with Customer's reasonable requests for information needed for Customer to fulfill its own breach notification obligations to regulators and data subjects. The full incident response process is set out in our internal Breach Response Playbook, available on request.

11. Audit Rights

Processor shall make available to Customer, on reasonable advance written notice, all information necessary to demonstrate compliance with this DPA. Customer may, at its own expense and no more than once per calendar year (unless required by a regulator or following a Personal Data Breach), conduct an audit of Processor's data protection practices. Such audit shall be conducted during regular business hours, with reasonable notice (no less than 30 days), and in a manner that does not unreasonably interfere with Processor's business.

Processor may satisfy this obligation by providing Customer with a current SOC 2 Type II report, ISO 27001 certificate, or comparable independent audit report covering the relevant Services.

12. Return or Destruction of Personal Data

Upon termination or expiration of the Services Agreement, Processor shall, at Customer's option, return all Personal Data to Customer or delete it, including all existing copies, unless retention is required by applicable law. Deletion shall be performed within 90 days of termination, with backup expiry following the rotation cycle described in our Data Retention Policy. Processor shall provide written confirmation of return or deletion within 14 days of completion.

13. Liability

Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the "Limitations of Liability" section of the Services Agreement. Any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Services Agreement and this DPA together.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Delaware, without regard to its conflict-of-laws provisions, except that the SCCs are governed by the law of the EU Member State specified in Annex III. Any dispute arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions of the Services Agreement.

15. Changes to this DPA

Processor may update this DPA from time to time to reflect changes in applicable law, Subprocessors, or technical and organizational measures. Material changes will be communicated to Customer in writing at least 30 days before they take effect. Customer's continued use of the Services after the effective date of a change constitutes acceptance of the updated DPA, except that any change which materially diminishes the protections afforded to Personal Data requires Customer's written consent.

Annex I: Technical and Organizational Measures (TOMs)

Processor implements and maintains the following measures:

• Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent.
• Access controls. Role-based access, least-privilege principle, MFA for all administrative access.
• Pseudonymization. Where feasible, Personal Data is pseudonymized prior to use in research and analytics workflows.
• K-anonymity floor. Aggregate research outputs are not produced from cohorts smaller than 50 couples (100 individuals).
• Logging and monitoring. Application and infrastructure logs are retained, monitored for anomalies, and access is auditable.
• Incident response. Documented Breach Response Playbook with severity classification, GDPR 72-hour clock, and post-incident review procedure.
• Vendor management. All Subprocessors are subject to written data protection agreements and periodic review.
• Personnel. All personnel with access to Personal Data are subject to confidentiality obligations and receive privacy training.
• Backup and recovery. Encrypted backups with documented recovery procedures and tested restore process.
• Disaster recovery. Documented disaster recovery plan with defined RTO and RPO targets.

Annex II: Categories of Personal Data Inventory

The full inventory of Personal Data categories processed under this DPA is maintained in our Records of Processing Activities, available on request to Customer's privacy contact. High-level categories include:

• Account identifiers (email, name, phone, date of birth)
• Authentication metadata (hashed passwords, OAuth tokens, session tokens)
• Partner pairing and couple-level data (couple identifiers, relationship start date)
• Daily ritual responses, journal entries, sentiment-derived signals
• Pulse score, drift score, and other derived relationship-quality metrics
• Optional research-profile demographics (age range, country, relationship type)
• Payment metadata (Stripe customer ID; full payment details are tokenized at Stripe)
• Device, session, and log metadata

Annex III: International Transfer Mechanism

• Data Exporter: Customer (as identified in the Services Agreement)
• Data Importer: LVRS FRVR LLC, 30 N Gould St. Ste. 58721, Sheridan, WY 82801, United States
• Mechanism for EEA transfers: EU Standard Contractual Clauses Module Two (Controller to Processor), as adopted by Commission Implementing Decision (EU) 2021/914.
• Mechanism for UK transfers: UK International Data Transfer Addendum to the EU SCCs.
• Mechanism for Swiss transfers: EU SCCs supplemented for FADP compliance.
• Competent supervisory authority for SCCs purposes: The supervisory authority of the EU Member State of the data exporter, or where the data exporter is not established in the EU, the Irish Data Protection Commission as default.

Contact

To request a signed DPA, ask a question about this template, or report a privacy concern, contact privacy@lvrsfrvr.com.