GA-DPA-1.0 · Effective 2026-04-24
Data Processing Agreement
Terms governing GlueArrow's processing of personal data on behalf of its business customers, including SCC/UK Addendum incorporation and the current sub-processor list.
Draft — pending external counsel review
This document was authored by GlueArrow as a structural draft for review by qualified legal counsel. It is published here for internal review and prospect visibility but is not yet legally binding. Final versions will be issued once reviewed and approved. For questions, contact legal@gluearrow.com.
GlueArrow Inc. — Data Processing Agreement
Document identifier: GA-DPA-1.0 · Effective date: 2026-04-24
1. Background
This Data Processing Agreement ("DPA") forms part of the agreement (the "Principal Agreement") between GlueArrow Inc. ("GlueArrow", acting as Processor) and the customer identified in the Principal Agreement ("Customer", acting as Controller) for the provision of the GlueArrow services and software (the "Services").
This DPA reflects the parties' commitments under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other equivalent laws (collectively, "Data Protection Laws").
In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails with respect to processing of personal data.
2. Definitions
Capitalized terms not defined in this DPA have the meaning given in the GDPR. In addition:
- "Personal Data" means any information relating to an identified or identifiable natural person processed by GlueArrow on behalf of the Customer in connection with the Services.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by GlueArrow to process Personal Data on behalf of the Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914.
- "UK Addendum" means the UK International Data Transfer Addendum to the Standard Contractual Clauses issued by the UK Information Commissioner.
- "Personal Data Breach" has the meaning given in Article 4(12) GDPR.
3. Roles and Subject Matter
The Customer is the Controller and GlueArrow is the Processor with respect to the Personal Data described in Schedule 1. The subject matter, duration, nature and purpose, types of Personal Data, and categories of Data Subjects are set out in Schedule 1.
4. Customer Instructions
GlueArrow shall process Personal Data only on documented instructions from the Customer, including instructions to transfer Personal Data to a third country, unless required by Union or Member State law to which GlueArrow is subject. The Principal Agreement, this DPA, and the use of the Services in accordance with the Documentation constitute the Customer's documented instructions.
GlueArrow shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.
5. Confidentiality
GlueArrow shall ensure that any person authorized to process Personal Data is bound by appropriate confidentiality obligations, whether by contract or statutory duty.
6. Security of Processing
GlueArrow shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Schedule 3 (Technical and Organizational Measures).
7. Sub-processors
The Customer hereby provides general authorization for GlueArrow to engage Sub-processors, subject to the conditions in this Section.
The list of Sub-processors as of the Effective Date is set out in Schedule 2. GlueArrow maintains the current list at https://gluearrow.com/legal/dpa#schedule-2-sub-processors and will provide a notification mechanism to which the Customer may subscribe.
GlueArrow shall:
(a) impose on each Sub-processor data protection obligations no less protective than those in this DPA;
(b) remain liable to the Customer for the acts and omissions of its Sub-processors as if they were GlueArrow's own;
(c) provide at least 30 calendar days' prior notice of any intended change to the Sub-processor list (addition or replacement); and
(d) consider in good faith reasonable objections raised by the Customer to a new Sub-processor, including offering reasonable workarounds or, failing agreement, allowing the Customer to terminate the affected Services without penalty.
8. Data Subject Requests
GlueArrow shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Chapter III GDPR. Where GlueArrow receives a Data Subject request directly, it will promptly forward the request to the Customer and will not respond except on the Customer's instruction or as required by law.
9. Personal Data Breach Notification
GlueArrow shall notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA. Notification shall include:
- the nature of the breach, including the categories and approximate number of Data Subjects and records affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its possible adverse effects;
- the name and contact details of GlueArrow's data protection point of contact for further information.
GlueArrow shall cooperate with the Customer in the investigation, mitigation, and remediation of any Personal Data Breach.
10. Data Protection Impact Assessments and Prior Consultation
GlueArrow shall provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to GlueArrow.
11. Audit Rights
Once per calendar year, the Customer (or an independent third-party auditor mandated by the Customer and bound by appropriate confidentiality obligations) may, upon at least 30 days' prior written notice and during normal business hours, audit GlueArrow's compliance with this DPA. To minimize disruption, GlueArrow may satisfy audit requests by providing:
- the most recent independent third-party audit reports (when available, such as SOC 2 Type II or ISO 27001 reports), and
- responses to a reasonable security questionnaire.
For reasonable cause demonstrated by the Customer (such as a Personal Data Breach), additional audits may be conducted on reasonable terms agreed by the parties.
The Customer shall bear the costs of audits unless they reveal a material breach of this DPA by GlueArrow, in which case GlueArrow shall bear the reasonable audit costs.
12. Return or Deletion of Personal Data
Upon termination or expiry of the Principal Agreement, or upon written request from the Customer, GlueArrow shall, at the Customer's option, return all Personal Data to the Customer or delete all Personal Data in its possession, except to the extent retention is required by applicable law. Deletion shall be confirmed in writing on request.
For Personal Data forming part of the Customer's proof-of-play records, retention may be required for 7 years under broadcast and advertising regulations; this retention obligation survives termination.
13. International Transfers
Where GlueArrow processes Personal Data originating in the EEA, the United Kingdom, or Switzerland in a country that has not been determined by the European Commission, the UK Government, or the Swiss Federal Data Protection and Information Commissioner to ensure an adequate level of protection, the parties agree that:
(a) the Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference into this DPA, with the Customer as data exporter and GlueArrow as data importer;
(b) for transfers from the United Kingdom, the UK Addendum is incorporated by reference;
(c) for transfers from Switzerland, the SCCs are adapted as required by Swiss data protection law;
(d) Schedule 1 constitutes Annex I of the SCCs (description of processing) and Schedule 3 constitutes Annex II (technical and organizational measures);
(e) the optional docking clause is selected, the option for general written authorization for sub-processors is selected (with 30 days' notice as set out in Section 7), the supervisory authority is the lead authority of the Customer or, where none, the data protection authority of the Customer's establishment, and the governing law of the SCCs is the law of the Member State where the Customer is established or, where none in the EEA, the law of the Republic of Ireland.
14. Liability
The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Principal Agreement.
15. General
- Term. This DPA takes effect on the Effective Date and continues for the duration of the Principal Agreement, plus any period necessary to give effect to the post-termination obligations in Section 12.
- Order of precedence. This DPA prevails over any conflicting provision of the Principal Agreement with respect to Personal Data.
- Updates. GlueArrow may update this DPA from time to time, provided that such updates do not materially diminish the protections afforded to Personal Data. Material updates will be communicated to the Customer with at least 30 days' notice.
- Severability. If any provision is held invalid or unenforceable, the remaining provisions remain in full force.
- Governing law. Except as required for the SCCs, this DPA is governed by the laws specified in the Principal Agreement.
Schedule 1 — Description of Processing
Subject matter of processing: Provision of the Services described in the Principal Agreement, including broadcast operations, ad delivery, proof-of-play logging, music identification, identity verification, and related cloud functionality.
Duration of processing: For the duration of the Principal Agreement, plus any period required by Section 12.
Nature and purpose of processing: Hosting, transmission, storage, retrieval, organization, structuring, analysis, deletion, and other operations necessary to deliver the Services.
Categories of Data Subjects:
- Customer's authorized users (operators, presenters, station staff, administrators)
- End users of Customer's broadcast (where personally identifiable, such as listeners with accounts, calibrated speakers, advertisers)
- Counterparties in royalty distribution (rights holders, performers)
Categories of Personal Data:
- Identifiers: names, email addresses, phone numbers, account identifiers, IP addresses, device identifiers
- Authentication data: hashed passwords, session tokens, MFA factors
- Profile data: roles, organization affiliation, photo
- Voice samples (only when speaker calibration is enabled by Customer)
- Operational data: schedules, broadcast logs, ad approval records, message content where Customer uses the cloud-hosted communications features
- Financial data: billing addresses and royalty distribution records (no full payment card numbers stored on GlueArrow servers)
Special categories of Personal Data: None expected; biometric data (voice samples) is processed only where explicitly enabled by Customer for speaker calibration purposes.
Frequency of transfer: Continuous during the Term.
Period for retention: As specified in the Privacy Policy and Section 12 of this DPA.
Schedule 2 — Sub-processors
As of the Effective Date, GlueArrow uses the following Sub-processors:
| Sub-processor | Services provided | Location of processing |
|---|---|---|
| Google Cloud Platform LLC (Google LLC) | Primary cloud infrastructure, including Cloud Run, Cloud SQL, Cloud Storage, Pub/Sub, Cloud Build, Secret Manager | Primary: us-central1 (Iowa, United States). Regional residency available on request for Enterprise tier. |
| Anthropic, PBC | Optional AI assistance features (script generation, conversational interfaces) | United States |
| AudD Tools FZ-LLC | Optional music identification fallback (third tier of music recognition chain) | United Arab Emirates |
| Restream, Inc. | Optional multi-destination RTMP aggregation | United States |
GlueArrow may engage additional Sub-processors subject to the procedure in Section 7.
Schedule 3 — Technical and Organizational Measures
GlueArrow implements and maintains the following measures, in line with the more detailed description in the Security Whitepaper available at https://docs.gluearrow.com/security-whitepaper:
Access control
- Role-based access control with least-privilege principles for production systems
- Multi-factor authentication required for all administrator and engineering access
- Single sign-on through accounts.gluearrow.com with short-lived session tokens
- Audit logging of administrator actions
Encryption
- TLS 1.2 (minimum) for all data in transit, with TLS 1.3 preferred
- AES-256-CTR encryption for sensitive payloads at rest where applicable
- Operating system file permissions and disk encryption on production hosts
System security
- Hardened operating system (read-only root filesystem, A/B partitions on appliance)
- Systemd confinement of the on-premises engine (no privilege escalation, restricted filesystem write paths)
- Cryptographically verified over-the-air updates with automatic rollback on failure
- Software Bill of Materials produced per release, with critical-vulnerability patch SLA of 14 days from public disclosure
Operations
- Centralized logging with retention aligned to Schedule 1
- Continuous monitoring with alerting on operational and security signals
- Documented incident response process with named escalation contacts
- Vulnerability disclosure policy at https://docs.gluearrow.com/security-whitepaper#10-vulnerability-disclosure-and-incident-response
Personnel
- Confidentiality obligations for all personnel processing Personal Data
- Security and privacy training upon onboarding
- Background checks for personnel with privileged access, where permitted by law
Resilience
- Offline-first design ensures broadcast continuity independent of cloud availability
- Backup and disaster recovery procedures documented in the Security Whitepaper
GlueArrow regularly reviews these measures and updates them in response to evolving threats and technologies.
Schedule 4 — Standard Contractual Clauses
The Standard Contractual Clauses (Commission Decision (EU) 2021/914) are incorporated into this DPA by reference for the modules and options identified in Section 13. Where the Customer is a Processor and GlueArrow processes Personal Data as a Processor on behalf of the Customer's controller, Module Three of the SCCs applies in lieu of Module Two, with appropriate adjustments.
A pre-signed copy of the SCCs and the UK Addendum is available on request from legal@gluearrow.com.
Contact for DPA matters: legal@gluearrow.com and privacy@gluearrow.com
GlueArrow Inc. — 1111B S Governors Ave # 50266, Dover, DE 19904, United States
Need a signed counterpart?
Pre-signed copies of this agreement are available for enterprise contracts.
Email legal@gluearrow.com
Related documents
- End User License Agreement · GA-EULA-1.0
- Privacy Policy · GA-PRIV-1.0
- Service Level Agreement · GA-SLA-1.0