Hiro Analytics

Data Processing Agreement

Last updated: April 14, 2026

This Data Processing Agreement ("DPA") is made between:

1. Controller: The Customer utilizing Hiro Analytics' services ("Customer" or "Agency").

2. Processor: Hiro Analytics Inc., a company incorporated under the laws of the State of Delaware, located at 1111b S Governors Ave STE 25084, Dover, DE 19904, USA ("Hiro" or "Service Provider").

This DPA outlines the terms under which personal data will be processed by the Processor on behalf of the Controller, in compliance with relevant data protection laws.

Part I — Core Data Processing Terms

1. Subject Matter and Duration of Processing

The subject of this DPA is the processing of data by Hiro Analytics for the purpose of providing analytics and retention marketing services, including AI-assisted analytics features. This agreement is effective for the duration of the Controller's use of the services, including any backup retention periods necessary under legal obligations.

2. Nature and Purpose of Processing

The data processing activities involve collecting, storing, organizing, and analyzing:

  • Klaviyo message and attribution data for email and SMS marketing performance evaluation.
  • Shopify order data for customer behavior insights and sales analytics.

These processing activities are conducted solely to deliver the services contracted by the Controller, such as generating reports, tracking marketing attribution, analyzing sales trends, and providing AI-assisted analytics responses through Hiro's platform features. Data is never shared with any third party except for the sub-processors listed in Section 5.

3. Categories of Data Subjects and Types of Data Processed

  • Data Subjects: Individuals associated with the Controller's Klaviyo or Shopify account, excluding personally identifiable information ("PII").
  • Categories of Data: Klaviyo profiles without PII (no email addresses, phone numbers, names, or physical addresses), Shopify order data including transactional details, order numbers, order values, and product information.

4. Data Transfers and Locations

All data is processed in the United States. The Processor ensures that adequate measures are in place to protect the data transferred, in compliance with applicable data protection laws.

5. Sub-processors

The Processor engages the following sub-processors for data processing:

  • Amazon Web Services (AWS): For data storage and infrastructure services.
  • Retool: For internal tools used to access and process data for reporting and analysis.
  • Anthropic, Inc.: For AI inference services powering Hiro's AI-assisted analytics features, including the Model Context Protocol (MCP) integration.
    Anthropic retains API inputs and outputs for up to 7 days for trust and safety purposes, after which they are automatically deleted. API data is never used by Anthropic to train AI models. Organizations requiring zero data retention may request a Zero Data Retention (ZDR) addendum directly from Anthropic. Anthropic's data practices are otherwise governed by Anthropic's applicable API terms of service and usage policies.

The Processor ensures that these sub-processors comply with data protection obligations consistent with this DPA.

6. Technical and Organizational Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Encryption of data at rest and in transit.
  • Access Controls: Role-based access and multi-factor authentication for accessing data.
  • Data Minimization: Only process the minimum amount of data necessary to fulfill the purposes.
  • Regular Security Audits: Periodic security assessments and audits of sub-processors to ensure data protection standards.
  • Incident Response Plan: Procedures for promptly identifying, assessing, and mitigating data breaches.

7. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects, in accordance with applicable data protection laws, including requests to access, correct, delete, or restrict processing of personal data.

8. Data Retention and Deletion

Upon termination of the service, the Processor shall, at the Controller's request, delete or return all personal data, except where retention is required by law. With respect to AI-assisted features, Anthropic retains API inputs and outputs for up to 7 days for trust and safety purposes before automatic deletion; Hiro does not retain query content beyond what is necessary to deliver the service response.

9. Liability

The Controller acknowledges that the use of the Service is at its own risk. The Service is provided in a competent and professional manner but is offered "AS IS." Hiro makes no representations, warranties, or guarantees, express or implied, regarding the Service, including but not limited to any implied warranties of fitness for a particular purpose, non-infringement, or quality.

To the fullest extent allowed by law, Hiro shall not be liable for any direct, indirect, incidental, special, or consequential damages, lost profits, or business interruptions arising from the Controller's use of, or inability to use, the Service, or any errors or omissions, even if Hiro has been advised of the possibility of such damages.

For the avoidance of doubt, Hiro shall not be liable for any claims, damages, or losses arising from or related to the independent data practices of any sub-processor, including without limitation any use of data by a sub-processor for artificial intelligence model training or improvement purposes.

10. AI-Assisted Features — Data Use Restrictions

Hiro does not use Controller data or End-Client data to train, fine-tune, benchmark, or otherwise improve any artificial intelligence or machine learning model operated by Hiro. Data processed through Hiro's AI-assisted features is used solely to generate real-time responses to the Controller's queries and for no other purpose.

Hiro engages third-party AI inference providers as sub-processors (see Section 5). While Hiro requires its sub-processors to comply with data protection obligations consistent with this DPA, Hiro does not accept liability for the independent data practices of sub-processors, including any use of data by a sub-processor for model training purposes. The Controller acknowledges that sub-processor data practices are governed by the sub-processor's own terms of service and data processing agreements, and that the Controller should independently review those terms prior to use of any AI-assisted feature.

11. Miscellaneous

  • Governing Law: This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions.
  • Amendments: Any amendments to this DPA must be agreed upon in writing by both parties or by the Controller's agreement to updated terms of service.

Part II — MCP AI Feature Terms

Model Context Protocol Integration — Agency Responsibilities & Data Use

The following terms apply specifically to Agency customers who activate and use Hiro's Model Context Protocol integration (the "MCP Feature"), which enables AI-assisted querying of client analytics data. Part II supplements and is governed by the terms of Part I. In the event of conflict, Part II prevails with respect to MCP Feature use.

12. MCP Feature — How It Works

The MCP Feature allows Agency users to submit natural language queries about their clients' marketing and sales data. Queries are processed in real time by Anthropic, Inc. as AI inference sub-processor (see Section 5) and return analytical responses. Each Agency account is logically isolated — no client data is accessible to or shared with any other Agency account through the MCP Feature.

13. Agency Representations & Responsibilities

By activating or using the MCP Feature, Agency represents, warrants, and covenants to Hiro as follows:

13.1 Contractual Authority

Agency has reviewed its service agreements, statements of work, and any applicable data processing or confidentiality agreements with each end-client whose data may be queried through the MCP Feature. Agency has the contractual right and authority to access and process such data using third-party AI-assisted analytics tools.

13.2 Platform Terms of Service

Agency has assessed whether its use of AI-assisted tools to access data held within third-party marketing platforms (including without limitation Klaviyo and Shopify) on behalf of end-clients is consistent with those platforms' applicable terms of service and data use policies. Agency will not use the MCP Feature in a manner that causes a breach of any such platform terms.

13.3 Applicable Privacy Law

Agency is responsible for ensuring its use of the MCP Feature complies with all applicable data protection and privacy laws, including but not limited to:

  • The General Data Protection Regulation (GDPR) and applicable EU/UK implementing legislation;
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA);
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • Any other applicable federal, state, or regional privacy legislation.

Where required, Agency shall ensure a valid legal basis exists for processing personal data through the MCP Feature and shall execute any required data processing agreements with end-clients prior to use.

13.4 No PII Submission

Consistent with Section 3 of this DPA, Agency shall not intentionally structure queries through the MCP Feature to retrieve, reconstruct, or expose personally identifiable information of end-client customers.

13.5 Client Disclosure

Where required by applicable law, contractual obligation, or end-client agreement, Agency shall disclose to its end-clients that AI-assisted analytics tools are used in connection with their data, and shall obtain any required consents or authorizations prior to use of the MCP Feature for that end-client's data.

14. Indemnification

Agency shall defend, indemnify, and hold harmless Hiro Analytics Inc., its officers, directors, employees, contractors, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  1. Agency's use of the MCP Feature in breach of any end-client contract, platform terms of service, or applicable law;
  2. Any unauthorized processing of end-client data through the MCP Feature;
  3. Any failure by Agency to obtain required consents or authorizations prior to use of the MCP Feature; or
  4. Any material misrepresentation made by Agency in Section 13 of this DPA.

15. Disclaimer of Liability for MCP Feature

Hiro makes no representation or warranty that use of the MCP Feature by Agency is compliant with any particular end-client contract, platform terms of service, or applicable law. Agency is solely responsible for conducting its own legal and contractual review prior to use. This section does not modify the liability limitations set out in Section 9 of this DPA, which continue to apply in full.

Acceptance

By accessing or using the Hiro Analytics platform, you agree to be bound by the terms of this Data Processing Agreement on behalf of yourself and the agency you represent. If you do not agree to these terms, you may not use the Hiro Analytics platform.

Hiro Analytics Inc. reserves the right to update this DPA from time to time. Continued use of the platform following notice of any update constitutes acceptance of the revised terms.
