DATA PROTECTION ADDENDUM
Last Updated: Apr 5, 2026
This Data Protection Addendum, including Annex 1 (Description of Processing), Annex 2 (Security Measures), and Annex 3 (Subprocessors) (collectively, “DPA”), is incorporated into and forms part of the Joy Labs Ventures LLC Terms of Service located at “(Terms of Service)” between Joy Labs Ventures LLC (“Joy Labs”) and Customer. This DPA applies to the extent Joy Labs Processes Personal Data on behalf of Customer in connection with the Services currently branded as “Laneful.” Capitalized terms not defined in this DPA have the meaning provided in the Terms of Service.
Order of Precedence. If there is a conflict between this DPA and the Terms of Service, this DPA controls solely with respect to the processing, security, and transfer of Personal Data.
Definitions
“Data Protection Laws” means applicable U.S. federal and state laws relating to privacy, security, or Personal Data processing, including applicable U.S. state privacy laws.
“Personal Data,” “Processing,” “Controller,” and “Processor.” These terms have the meanings given in Data Protection Laws and apply to data provided by Customer.
“Subprocessor” means a third party listed in Annex 3 (Subprocessors) that is authorized under this DPA to Process Personal Data to assist Joy Labs in providing the Services.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Joy Labs on Customer’s behalf.
Roles and Processing Relationship
Customer as Controller. Customer is the Controller (or “business”) of Personal Data contained in Customer Data, and Joy Labs is the Processor (or “service provider” or “processor”) that Processes such Personal Data on Customer’s behalf to provide the Services.
Customer Instructions. Joy Labs will Process Personal Data only (a) to provide the Services in accordance with the Agreement and Documentation, (b) as otherwise instructed by Customer through the Services’ configuration and use (including API/SMTP requests, tracking settings, webhook settings, lane/track settings), and (c) as required by applicable law.
No Independent Content Authorship. Customer acknowledges the Services provide infrastructure, analytics, and operational insights; Customer is responsible for email content, configuration, compliance, and decisions taken based on insights/alerts/recommendations, including those informed by AI-assisted processes.
Aggregated/De-Identified Data. Joy Labs may create and use aggregated, anonymized, or de-identified data derived from Customer Data that does not identify Customer, End Users (as defined in the Joy Labs Ventures LLC Terms of Service), or any natural person, to operate, maintain, secure, and improve the Services, consistent with the Agreement. To the extent such data is de-identified and cannot reasonably be used to identify a natural person, it is not Personal Data and is not subject to this DPA.
Customer Obligations (Controller Responsibilities)
Lawful Basis; Notices/Consents. Customer is responsible for providing required notices and obtaining necessary permissions/consents to enable Joy Labs to Process Customer Data, including Personal Data, to provide the Services.
Email Compliance and List Hygiene. Customer is responsible for recipient consent, list hygiene, opt-outs/unsubscribes, disclosures, and compliance with applicable marketing and communications laws for emails sent using the Services.
Domain Authentication. Customer must authenticate domains and configure required DNS records before sending where required by the Documentation (including to reduce security/deliverability/reputation risks).
Sensitive Data Minimization. Customer will not provide or cause Joy Labs to Process Personal Data beyond what is necessary for Customer’s lawful use of the Services and will not use the Services to Process Sensitive Data except as expressly agreed in writing.
Joy Labs Personnel; Confidentiality
Confidentiality. Joy Labs ensures its personnel authorized to Process Personal Data are subject to confidentiality obligations.
Access Controls. Joy Labs will implement reasonable measures to limit access to Personal Data to authorized personnel and systems.
Security Measures
Security Program. Joy Labs will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Baseline Measures. The measures include those described in Annex 2 (Security Measures), which are aligned to Laneful’s documented security and operational controls.
Customer Security Responsibilities. Customer is responsible for securely managing API keys/credentials, securing its webhook endpoints, and configuring IP allowlists and other controls available in the Services.
Subprocessors
Authorization. Joy Labs’ current list of Subprocessors is set forth in Annex 3 (Subprocessors), which forms a part of this DPA. Customer grants Joy Labs a general authorization to engage Subprocessors to Process Personal Data to provide the Services.
List and Notice. Joy Labs may maintain the Subprocessor list via a webpage link or other written mechanism, and such list may be updated from time to time. Customer acknowledges the list may not include incidental service providers that do not Process Customer Personal Data (e.g., tools used for general corporate administration).
Objection Right. Customer may object in writing to a new Subprocessor on reasonable and documented data protection grounds within 15 days after notice, where Customer demonstrates that the Subprocessor is likely to materially adversely impact the protection of Personal Data. If the parties cannot resolve Customer’s objection, Joy Labs may, at its option, (a) not use the Subprocessor for Customer’s Personal Data, (b) provide a commercially reasonable alternative, or (c) terminate the affected Services upon written notice and (where applicable) refund unused prepaid Fees for the terminated portion, consistent with the Agreement. This Section states Customer’s sole and exclusive remedy with respect to Subprocessor changes.
Flow-Down. Joy Labs will impose data protection obligations on Subprocessors that are no less protective than this DPA for the nature of the services provided.
Liability. Joy Labs remains responsible for Subprocessors’ performance of their obligations under this DPA to the extent required by Data Protection Laws, subject to the Agreement’s limitations.
Assistance with Data Subject Requests
Requests. Customer is responsible for responding to requests from individuals to exercise their rights under Data Protection Laws.
Joy Labs Assistance. Taking into account the nature of Processing, Joy Labs will provide commercially reasonable assistance to Customer to respond to Data Subject requests to the extent legally required, including by enabling Customer to access, delete, or export Personal Data through the Services where available. Joy Labs is not required to respond directly to Data Subjects, make legal determinations on Customer’s behalf, implement new features or custom development, or disclose information that would compromise Joy Labs’ security, confidentiality obligations, or other customers’ data.
Limitations. Joy Labs may deny or limit assistance where (a) the request is manifestly unfounded or excessive, (b) Joy Labs is legally prohibited from acting, or (c) the request relates to data not Processed on Customer’s behalf (e.g., Joy Labs internal account, billing, or security logs), provided Joy Labs will reasonably explain the basis for denial where permitted by law.
Costs. Customer will reimburse Joy Labs for reasonable costs arising from assistance that requires disproportionate effort, subject to advance notice.
Security Incident (Personal Data Breach) Notification
Notification. Joy Labs will notify Customer without undue delay after Joy Labs becomes aware of a Security Incident involving Personal Data Processed on Customer’s behalf.
Content of Notice. Customer acknowledges that Security Incident investigations may take time and that Joy Labs may provide information in phases as it becomes known or reasonably available. Joy Labs’ notification obligations do not require Joy Labs to determine root cause or provide information not reasonably available to Joy Labs at the time.
No Admission. Notification under this Section is not an admission of fault or liability.
Customer Responsibility. Customer is responsible for any legally required notifications to individuals, regulators, or other third parties, and for determining whether a Security Incident is reportable under Data Protection Laws.
Security Audit. At least once per year, Joy Labs shall engage an independent, third-party auditor to conduct an audit of Joy Labs’ controls relevant to the Services (e.g., a SOC 2 Type II examination). Upon Customer’s written request, and no more than once annually, Joy Labs shall provide Customer with a copy of Joy Labs’ most recent SOC 2 Type II report (the “Audit Report”), subject to the following terms:
the Audit Report is Confidential Information of Joy Labs under the Agreement;
Customer may use the Audit Report solely for the purpose of evaluating Joy Labs’ compliance with its obligations under this DPA and the Agreement, and not for any competitive or commercial purposes;
Customer shall not disclose the Audit Report to any third party (other than Customer’s auditors, legal counsel, or regulatory authorities who are bound by confidentiality obligations at least as restrictive as those contained herein) without Joy Labs’ prior written consent; and
Joy Labs may redact from the Audit Report (i) any information that is not directly relevant to the Services provided to Customer, (ii) any information that would compromise the security of Joy Labs’ systems or its other customers, and (iii) any findings or remediation plans that are marked as confidential by the auditor or Joy Labs.
Assistance with DPIAs and Regular Inquiries
DPIAs. Joy Labs’ assistance with DPIAs and prior consultations is limited to information reasonably available to Joy Labs and does not include providing legal advice or creating new documentation or reports beyond those normally maintained by Joy Labs.
Regulator Requests. If Joy Labs receives an inquiry from a regulator regarding Personal Data Processed on Customer’s behalf, Joy Labs will (to the extent legally permitted) notify Customer and provide reasonable cooperation, consistent with the Agreement’s compelled disclosure provisions.
Return/Deletion of Personal Data
Deletion Upon Termination. Upon termination or expiration of the Agreement, Joy Labs will delete or return Personal Data within Customer Data in accordance with the Agreement, subject to permitted retention for legal compliance, backups, archives, and ordinary course deletion practices.
Backups. Personal Data may remain in backups or disaster recovery systems until deleted in the ordinary course, during which it remains subject to confidentiality and security requirements.
Self-Service Deletion. Where the Services provide deletion/export functionality (e.g., removing email addresses from unsubscribes/bounces via admin tooling where available), Customer may use those tools consistent with the Documentation.
Sensitive Data
Default Restriction. Unless expressly agreed in writing, Customer will not use the Services to Process special categories of data under GDPR, including without limitation precise geolocation, government IDs, payment card data, credentials, PHI, or data subject to heightened security/regulatory requirements (“Sensitive Data”). Customer represents and warrants that it will not (and will not permit any user to) Process Sensitive Data using the Services unless expressly agreed in writing as described above. If Joy Labs reasonably believes Customer is Processing Sensitive Data in violation of this Section, Joy Labs may suspend the affected Processing and/or Services until the parties resolve the issue. Any unauthorized Processing of Sensitive Data is at Customer’s sole risk and responsibility.
If the parties agree to permit Sensitive Data Processing, they must execute an Order Form or amendment that (a) describes the use case, (b) identifies additional security controls, (c) sets data minimization rules, and (d) allocates compliance responsibilities.
U.S. State Privacy/CCPA Service Provider Terms. To the extent U.S. state privacy laws apply and Joy Labs Processes Personal Data as a “service provider” or “processor”:
Joy Labs will Process such data only to provide the Services and for other permitted business purposes consistent with the Agreement.
Joy Labs will not “sell” or “share” Personal Data (as defined by applicable law) for cross-context behavioral advertising.
Customer instructs Joy Labs to (a) Process Personal Data for the purposes described in Annex 1 and (b) retain, use, or disclose Personal Data only as permitted by applicable law.
Customer is responsible for providing required notices and opt-out mechanisms and for honoring consumer requests, with Joy Labs providing reasonable assistance as described in Section 9.
If Joy Labs de-identifies data, it will take reasonable measures to maintain and use it in de-identified form.
Third-Party Services/Mailbox Providers. Customer acknowledges certain Services rely on third-party email/SMTP providers, mailbox providers/ISPs, DNS hosting, and identity providers, which are not controlled by Joy Labs and are governed by Customer’s agreements with the applicable third parties. Customer remains responsible for its configuration choices and the data it transmits to and from such third parties using the Services.
Liability; No Expansion of Obligations
No Additional Liability. This DPA does not create obligations or liabilities for Joy Labs beyond those in the Agreement, and all limitations of liability, exclusions of damages, and remedies limitations in the Agreement apply to this DPA to the maximum extent permitted by law.
Customer Indemnities Preserved. Customer’s obligations (including for misuse, unlawful sending, and failures to obtain consents) remain in effect and are not reduced by this DPA.
Service Scope. Joy Labs does not provide legal or regulatory advice through the Services (including AI-assisted insights), and Customer remains responsible for compliance decisions.
Term. This DPA remains in effect for the term of the Agreement and for so long as Joy Labs Processes Personal Data on Customer’s behalf.
ANNEX 1 to the DPA
Description of Processing
This Annex 1 describes the Processing of Personal Data under the Agreement.
A. Subject Matter
Provision of email delivery infrastructure and operational services, including:
Receiving email send requests via API/SMTP; routing through lanes/tracks; queueing/retries; delivery analytics; bounce handling; unsubscribe handling; and event notifications via webhooks.
Domain authentication support (DKIM/DMARC/SPF-related workflows) and deliverability monitoring.
Access logging and security features (e.g., IP restrictions, audit trails).
B. Duration
The duration of Processing is the term of the Agreement, plus any period required for deletion/return and backup retention as described in the Agreement.
C. Nature and Purpose of Processing
Processing is necessary to:
Transmit, route, and deliver Customer emails;
Provide tracking (opens/clicks/unsubscribes) where enabled;
Provide deliverability analytics and operational insights, including queue and lane capacity monitoring;
Enforce unsubscribes and suppression lists;
Provide access control, logging, and security monitoring.
D. Categories of Data Subjects
Customer’s End Users who access the platform (e.g., administrators).
Email recipients to whom Customer sends messages (including individuals in Customer’s contact lists).
Individuals whose data appears in Customer email content, headers, metadata, or webhook payloads (as determined by Customer).
E. Categories of Personal Data
Depending on Customer configuration and content, Personal Data may include:
Recipient identifiers: email address, name, and related routing metadata.
Message metadata: subject line; headers; tags; webhook_data; lane/track identifiers; timestamps; delivery/bounce/complaint events; unsubscribe status.
Tracking data (if enabled): open/click/unsubscribe event data and related technical identifiers (e.g., device/browser details as captured by tracking mechanisms), and tracking URLs served over Customer’s custom domain via HTTPS.
Access/security logs: user email (for authenticated actions), IP address, access type, and related audit trail items.
DMARC-related data: authentication/aggregate reporting indicators and related domain authentication analytics.
F. Special Categories of Personal Data
Not intended to be Processed by default; permitted only if expressly agreed under Section 14 of the DPA.
ANNEX 2 to the DPA
Security Measures
Joy Labs implements measures aligned to Laneful’s documented security features and operational model, including:
Authentication controls (e.g., secure login approaches such as passkeys where offered).
Per-API-key IP allowlisting (restrict API key use to specific IPs/CIDR ranges).
Web interface IP restrictions (restrict dashboard access by IP ranges where configured).
Access logging and audit trails (API/web access logs, searchable and filterable).
HTTPS for tracking/unsubscribe/redirect URLs served on Customer’s custom domain with automated certificate issuance/renewal.
Webhook security including signed payloads and recommended signature verification to validate origin and integrity; HTTPS-only endpoints for webhooks.
Automatic suppression controls for unsubscribes and hard bounces to protect sender reputation and reduce repeated delivery to invalid addresses.
Customer is responsible for configuring these controls appropriately, securing credentials, and implementing webhook endpoint protections (verification, rate limiting, idempotency).