Data Processing Agreement

Effective Date: May 22, 2026

Data Processor: BigFork Media Marketing Inc. / BigFork SEO / BigFork CRM

Data Controller: Client (as identified in the accompanying Service Agreement)

This Data Processing Agreement ("DPA") is entered into between BigFork Media Marketing Inc., doing business as BigFork SEO and BigFork CRM ("Processor"), and the client entity identified in the accompanying service agreement, proposal, or statement of work ("Controller").

This DPA forms part of, and is incorporated into, the Terms of Service and any applicable service agreement between the parties (collectively, the "Agreement"). In the event of a conflict between this DPA and the Agreement with respect to data processing matters, this DPA shall control.

The parties enter into this DPA to reflect their respective obligations under applicable data protection laws, including but not limited to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Texas Data Privacy and Security Act (TDPSA), and any other applicable federal, state, or international privacy laws.


1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the services provided under the Agreement.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, deletion, or destruction.
  • "Data Subject" means any individual whose Personal Data is processed under this DPA, including the Controller’s customers, leads, patients, guests, subscribers, or contacts.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Security Incident" means any confirmed unauthorized access, acquisition, disclosure, destruction, or alteration of Personal Data.
  • "Applicable Privacy Laws" means all applicable federal, state, and local privacy and data protection laws, as amended from time to time, including the CCPA, CPRA, TDPSA, and any other laws applicable to the Controller’s business or the Personal Data processed under this DPA.


2. Scope and Roles

2.1 The Controller determines the purposes and means of processing Personal Data and is responsible for ensuring that it has a lawful basis to share Personal Data with the Processor.

2.2 The Processor processes Personal Data solely on behalf of the Controller, in accordance with the Controller’s documented instructions, and as necessary to provide the services described in the Agreement.

2.3 The Processor shall not process Personal Data for its own purposes, sell Personal Data, or share Personal Data with third parties except as permitted under this DPA or the Agreement, or as required by law.

2.4 If the Processor reasonably determines that a Controller instruction would violate Applicable Privacy Laws, the Processor shall promptly notify the Controller. The Processor may suspend performance of the relevant instruction until the Controller provides a revised lawful instruction.

3. Nature, Purpose, Duration, and Types of Data

The following table describes the processing activities covered by this DPA:


Category | Description
---------|------------
Nature of Processing | Collection, storage, organization, use, transmission, and deletion of Personal Data in connection with the delivery of digital marketing, CRM, SMS/email marketing, automation, review management, and related services.
Purpose of Processing | To deliver the services described in the Agreement, including CRM setup, marketing automation, customer communications, lead management, review generation, and reporting.
Duration of Processing | For the term of the Agreement, plus any retention period required by law or as described in Section 9 of this DPA.
Types of Personal Data | May include: name, email address, phone number, mailing address, business information, customer transaction history, communication preferences, opt-in/opt-out records, device identifiers, and any other data provided by the Controller.
Categories of Data Subjects | Controller’s customers, prospective customers, leads, patients, guests, subscribers, and other contacts whose data is provided to or collected through the Processor’s services.


4. Processor Obligations

The Processor agrees to:

  • Process Personal Data only in accordance with the Controller’s documented instructions, including as set out in the Agreement and this DPA, unless required to do otherwise by applicable law.
  • Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
  • Implement and maintain reasonable and appropriate technical and organizational security measures to protect Personal Data, as described in Section 7 of this DPA.
  • Notify the Controller promptly, and in no event later than 72 hours after becoming aware, of a confirmed or reasonably suspected Security Incident affecting Personal Data processed under this DPA.
  • Assist the Controller, to the extent reasonably practicable and at the Controller’s cost, in responding to Data Subject rights requests under Applicable Privacy Laws.
  • Not sell, rent, disclose, or otherwise make Personal Data available to third parties except as permitted under this DPA or required by law.
  • Upon termination or expiration of the Agreement, return or delete Personal Data in accordance with Section 9 of this DPA, unless retention is required by law.
  • Maintain reasonable records of processing activities carried out on behalf of the Controller, to the extent required by Applicable Privacy Laws.


5. Controller Obligations

The Controller agrees to:

  • Ensure it has a lawful basis under Applicable Privacy Laws to collect, use, and share Personal Data with the Processor, including obtaining all required consents from Data Subjects.
  • Provide accurate and complete Personal Data and notify the Processor of any applicable restrictions, sensitivities, or special categories of data before processing begins.
  • Comply with all Applicable Privacy Laws governing its collection, use, and disclosure of Personal Data.
  • Maintain and publish its own privacy policy that accurately describes how it collects and uses Data Subject information.
  • Honor and communicate to the Processor any opt-outs, unsubscribe requests, deletion requests, or other Data Subject rights exercises that require Processor action.
  • Ensure that any special categories of Personal Data (including health information or data subject to HIPAA) are not transmitted to the Processor without prior written agreement and, where required, an executed Business Associate Agreement.
  • Promptly notify the Processor of any changes to applicable legal or regulatory requirements that may affect the Processor’s processing activities under this DPA.


6. Sub-processors

6.1 The Controller authorizes the Processor to engage Sub-processors to assist in providing the services, subject to the requirements of this Section.

6.2 The Processor shall ensure that Sub-processors are bound by data protection obligations substantially equivalent to those in this DPA.

6.3 The Processor maintains a list of Sub-processors used in the delivery of services. Current Sub-processors include, but are not limited to, providers of CRM platforms, email and SMS delivery, web hosting, analytics, payment processing, and AI-assisted tools. A current list of Sub-processors is available upon written request to info@bigforkmediamarketing.com.

6.4 The Processor shall notify the Controller of any intended addition or replacement of a Sub-processor by updating its Sub-processor list or by direct written notice. The Controller may object to the use of a new Sub-processor within 14 days of notice by providing written notice to info@bigforkmediamarketing.com. If the parties cannot resolve the objection, either party may terminate the affected services upon 30 days’ written notice without penalty.

6.5 The Processor remains liable to the Controller for the performance of Sub-processors’ data protection obligations to the same extent as if the Processor were performing those obligations directly.


7. Security Measures

7.1 The Processor shall implement and maintain reasonable technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure. These measures include, but are not limited to:

  • Access controls limiting Personal Data access to authorized personnel on a need-to-know basis
  • Use of secure transmission protocols (e.g., TLS/SSL) for data in transit
  • Password policies and, where available, multi-factor authentication for platform access
  • Vendor security assessments for key Sub-processors
  • Reasonable measures to protect against malware, unauthorized access, and system compromise


7.2 The Processor does not guarantee absolute security. Security obligations under this DPA are obligations of reasonable effort, not absolute guarantees.

7.3 The Controller is responsible for the security of its own systems, credentials, and access controls. The Processor is not responsible for Security Incidents caused by the Controller’s failure to maintain appropriate security on its end.


8. Security Incident Response

8.1 In the event of a confirmed or reasonably suspected Security Incident affecting Personal Data processed under this DPA, the Processor shall:

  • Notify the Controller without undue delay, and in no event later than 72 hours after the Processor becomes aware of the incident
  • Provide the Controller with available information about the nature of the incident, the categories and approximate volume of Personal Data affected, the likely consequences of the incident, and measures taken or proposed to address it
  • Cooperate with the Controller’s reasonable investigation and remediation efforts


8.2 Notification by the Processor under this Section does not constitute an admission of fault or liability.

8.3 The Controller is solely responsible for determining whether a Security Incident requires notification to Data Subjects, regulators, or other third parties under Applicable Privacy Laws, and for carrying out any such notifications.


9. Data Retention and Return or Deletion

9.1 The Processor shall retain Personal Data only for as long as necessary to provide the services under the Agreement or as required by applicable law.

9.2 Upon termination or expiration of the Agreement, the Controller may request an export of Personal Data within 30 days of the termination date. The Processor will use commercially reasonable efforts to provide such export in a standard format.

9.3 After 60 days following termination, the Processor may delete or archive Personal Data without further obligation to the Controller, except where retention is required by applicable law, regulation, or legitimate business necessity.

9.4 The Processor may retain anonymized or aggregated data derived from Personal Data that does not identify any individual, for internal analytics and service improvement purposes.


10. Data Subject Rights

10.1 The Controller is primarily responsible for responding to Data Subject rights requests (e.g., access, correction, deletion, portability, opt-out) under Applicable Privacy Laws.

10.2 If the Processor receives a Data Subject rights request directly, it shall promptly forward the request to the Controller and shall not respond to the Data Subject directly without the Controller’s authorization, except as required by law.

10.3 The Processor shall provide reasonable assistance to the Controller in fulfilling Data Subject rights requests, including by providing relevant data exports, deletion confirmations, or processing records, at the Controller’s reasonable request and cost.


11. CCPA / CPRA Service Provider Obligations

To the extent the CCPA or CPRA applies to the processing of Personal Data under this DPA, the parties agree that:

  • The Processor is acting as a "Service Provider" as defined under the CCPA/CPRA, processing Personal Data on behalf of the Controller pursuant to a written contract.
  • The Processor shall not sell or share Personal Data as those terms are defined under the CCPA/CPRA.
  • The Processor shall not retain, use, or disclose Personal Data for any purpose other than performing the services specified in the Agreement or as otherwise permitted by the CCPA/CPRA.
  • The Processor shall not combine Personal Data received from the Controller with Personal Data received from or collected in connection with other sources, except as permitted by the CCPA/CPRA.
  • The Processor certifies that it understands and will comply with the restrictions set forth in this Section.


12. Texas Data Privacy and Security Act (TDPSA) Obligations

To the extent the TDPSA applies to the processing of Personal Data under this DPA, the Processor agrees to:

  • Process Personal Data only in accordance with the Controller’s documented instructions
  • Assist the Controller in meeting its obligations under the TDPSA, including data subject rights requests and security requirements
  • Delete or return Personal Data to the Controller upon request at the end of the service relationship
  • Make available to the Controller information reasonably necessary to demonstrate compliance with the TDPSA
  • Allow for and contribute to reasonable audits and inspections by or on behalf of the Controller, subject to reasonable notice and confidentiality protections


The Controller acknowledges that it is responsible for determining whether the TDPSA applies to its business operations and for ensuring compliance with applicable Texas law requirements that govern the Controller as a data controller.


13. HIPAA and Protected Health Information

13.1 This DPA does not constitute a Business Associate Agreement (BAA) under HIPAA. The Processor is not a HIPAA Business Associate by default.

13.2 If the Controller is a Covered Entity or Business Associate under HIPAA, and the services under the Agreement may involve the processing of Protected Health Information (PHI), the Controller must notify the Processor prior to commencement of services and execute a separate BAA with the Processor before transmitting any PHI.

13.3 The Controller agrees not to transmit PHI through any Processor system or platform unless a BAA is in effect. The Controller shall indemnify and hold harmless the Processor from any claim, penalty, or liability arising from the Controller’s failure to comply with this Section.

13.4 To request a BAA, contact info@bigforkmediamarketing.com with the subject line: BAA Request.


14. Audits and Compliance Demonstration

14.1 Upon the Controller’s reasonable written request (no more than once per calendar year absent a documented Security Incident), the Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

14.2 Any audit or inspection conducted by or on behalf of the Controller shall be carried out with reasonable prior written notice of at least 30 days, during normal business hours, and in a manner that minimizes disruption to the Processor’s operations. Audits shall be subject to reasonable confidentiality protections.

14.3 The Controller shall bear the costs of any audit or inspection it requests.


15. Limitation of Liability

The liability of each party under this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall expand either party’s liability beyond the limits established in the Agreement.

The Processor’s total aggregate liability under this DPA shall not exceed the amounts paid by the Controller to the Processor in the three-month period immediately preceding the event giving rise to the claim.


16. Term and Termination

16.1 This DPA is effective as of the date the Controller first accepts the Agreement or engages the Processor’s services, whichever is earlier, and continues in effect for the duration of the Agreement.

16.2 This DPA automatically terminates upon expiration or termination of the Agreement.

16.3 Sections of this DPA that by their nature should survive termination (including data retention, deletion obligations, security incident procedures, and indemnification) shall survive termination of this DPA and the Agreement.


17. Governing Law

This DPA is governed by the laws of the State of California, without regard to conflict of law principles, consistent with the governing law provisions in the Agreement. To the extent required by applicable law, the parties acknowledge their obligations under the laws of other applicable jurisdictions, including Texas.



18. General Provisions

18.1 Amendment. This DPA may be amended only by a written instrument signed by authorized representatives of both parties.

18.2 Severability. If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.

18.3 Entire Agreement. This DPA, together with the Agreement and any applicable BAA, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements or understandings on that subject.

18.4 No Waiver. Failure to enforce any provision of this DPA shall not constitute a waiver of future enforcement of that or any other provision.

18.5 Notices. Notices under this DPA shall be delivered in writing to the contact information set out in the Agreement or to info@bigforkmediamarketing.com for the Processor.


Signatures

By signing below, the parties agree to the terms of this Data Processing Agreement.


DATA PROCESSOR

BigFork Media Marketing Inc. / BigFork SEO


Authorized Signature


Printed Name and Title


Date



DATA CONTROLLER (CLIENT)

Business / Company Name: _______________________________________________


Authorized Signature


Printed Name and Title


Date



Note: This Data Processing Agreement is a template document intended to establish the data processing relationship between BigFork Media Marketing Inc. and its clients. It does not constitute legal advice. Both parties are encouraged to consult qualified legal counsel before executing this agreement to ensure it meets their specific legal and compliance requirements.

