Data Processing Addendum.
The processor / controller agreement procurement counsel will ask for. Procurement-ready, redline-friendly.
Effective June 2, 2026 · Version 1.0
Plain-English summary: You're the controller of the personal data in your animal-shelter records. We're the processor. We follow your instructions, we keep the data safe, we tell you 30 days before changing sub-processors, and we delete the data when the contract ends. Counsel can redline this; email mike@mkn.us for an editable copy.
1. Definitions
"Customer Data" means the data, including personal data, that Customer or its users upload to or generate in the Service. "Personal Data" has the meaning given in applicable Data Protection Laws. "Data Protection Laws" means the California Consumer Privacy Act (as amended by CPRA), the EU General Data Protection Regulation, the UK GDPR, and other US state comprehensive privacy laws applicable to a party's processing. "Processor," "Controller," and "Sub-processor" have the meanings given in the GDPR.
2. Roles
For purposes of this DPA, Customer is the Controller (or, where applicable, the Business) of Personal Data within Customer Data, and AnimalShelterIQ (a product of MKN Web Solutions, LLC, "Processor") is the Processor (or Service Provider). Processor will process Personal Data only on documented instructions from Controller, including those set out in the Order Form, the Terms of Service, and this DPA.
3. Subject matter, duration & scope
- Subject matter: provision of the AnimalShelterIQ Service
- Duration: the term of the Order Form, plus the wind-down period in Section 11
- Nature & purpose: hosting, processing, transmitting, and displaying Customer Data to provide the Service
- Categories of data subjects: Customer's staff, residents whose pets are licensed, citizens who submit complaints or lost-pet reports, adopters, foster volunteers, donors
- Categories of Personal Data: name, contact details, address, payment metadata, photographs of pets and (incidentally) people, behavioral notes, complaint narratives
- Special category data: not intentionally processed; Customer agrees not to upload special category data without prior written agreement
4. Confidentiality
Processor ensures that personnel authorized to process Personal Data are bound by written confidentiality obligations.
5. Security
Processor implements appropriate technical and organizational measures to protect Personal Data, including those described on the Trust page:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and per-endpoint authorization
- Full audit logging of mutations
- Tenant isolation at the database query layer
- Daily encrypted backups with tested monthly restores
- Vulnerability handling and coordinated disclosure
6. Sub-processors
Customer authorizes Processor to engage the sub-processors listed on the Trust page. Processor will:
- Notify Customer at least 30 days before engaging a new sub-processor or replacing an existing one
- Impose data protection obligations on each sub-processor materially equivalent to those in this DPA
- Remain liable for the acts and omissions of its sub-processors
Customer may object to a new sub-processor on reasonable, documented grounds within the notice period. The parties will work in good faith to resolve the objection; if unresolved, Customer may terminate the affected portion of the Service for convenience.
7. Data subject rights
Processor will assist Controller, taking into account the nature of processing, by providing appropriate technical and organizational measures for the fulfillment of Controller's obligation to respond to requests from data subjects exercising rights under Data Protection Laws.
8. Personal data breaches
Processor will notify Controller without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting Customer Data, with the information required to assist Controller in meeting its own notification obligations under Data Protection Laws.
9. Data protection impact assessments
Processor will provide reasonable assistance to Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to Processor.
10. International transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country not subject to an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum, by reference, with Module 2 (Controller-to-Processor) selected.
11. Return & deletion of Customer Data
Upon termination of the Order Form, Processor will:
- Make Customer Data available for export in industry-standard formats for 30 days
- Delete production Customer Data within 30 days of contract end
- Purge Customer Data from backups within 90 days, except where retention is required by law
- Provide a written attestation of deletion on request
12. Audits
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, including by responding to security questionnaires and providing summaries of independent assessments. Controller may, no more than once per year and on at least 30 days' written notice, audit Processor's compliance — either through Controller's own personnel or an independent third party bound by appropriate confidentiality obligations.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service or Order Form. This DPA does not increase or expand either party's liability beyond what is provided in those documents.
14. Conflict
In the event of any conflict between this DPA and the Terms of Service or Order Form with respect to the processing of Personal Data, this DPA controls.
15. Governing law
This DPA is governed by the same law as the Terms of Service or the Order Form, as applicable.
16. Execution
This DPA takes effect on the Effective Date of the Order Form between Customer and Processor and is incorporated by reference into that Order Form. No additional signature is required, though Processor will execute a counterpart on request.
17. Contact
MKN Web Solutions, LLC
Privacy / DPA: mike@mkn.us
Security incidents: security@mkn.us
This DPA is a template prepared in good faith. Customer counsel should review before execution. We will negotiate a customer-form DPA on reasonable request.