Letterbook

Data Processing Addendum

Last updated: June 25, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between DCWU, Inc., doing business as Letterbook ("Letterbook," "we," "us," or "our") and the customer that uses our Services ("Customer," "you," or "your") under our Terms of Service (the "Agreement"). This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Services.

This DPA is incorporated into the Agreement by reference and applies to all Customers whose use of the Services involves our processing of Personal Data on their behalf. Where Customer requires a countersigned copy for its records, we will provide one on request. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.

1. DEFINITIONS

Capitalized terms not defined in this DPA have the meaning given in the Agreement. For purposes of this DPA:

  • "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and US state privacy laws such as the California Consumer Privacy Act ("CCPA").
  • "Controller," "Processor," "Data Subject," "Personal Data," and "Processing" have the meanings given in Applicable Data Protection Laws. For customers subject to US state privacy laws, "Controller" and "Processor" are read to include the equivalent terms "Business" and "Service Provider" (or "Processor") under those laws.
  • "Customer Personal Data" means Personal Data that we process on Customer's behalf in connection with providing the Services.
  • "Subprocessor" means a third party engaged by us to process Customer Personal Data in connection with the Services.

2. ROLES OF THE PARTIES

For Customer Personal Data, Customer is the Controller and Letterbook is the Processor. Where Customer acts as a Processor on behalf of a third-party Controller, Customer appoints Letterbook as its Subprocessor and confirms it has the authority to do so. We will process Customer Personal Data only as a Processor acting on Customer's behalf.

3. SCOPE AND PURPOSE OF PROCESSING

We process Customer Personal Data only to provide, maintain, secure, and support the Services in accordance with the Agreement, this DPA, and Customer's documented instructions. The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's complete and documented instructions. The subject matter, nature, purpose, and duration of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex A.

We will inform Customer if, in our reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited from doing so by law. We will not sell Customer Personal Data, retain, use, or disclose it for any purpose other than providing the Services, or combine it with other data except as permitted by Applicable Data Protection Laws.

4. CONFIDENTIALITY

We treat Customer Personal Data as confidential. We ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and are granted access only on a need-to-know basis.

5. SECURITY

We implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of these measures is set out in Annex B. We may update these measures over time provided that the level of protection is not materially decreased.

6. SUBPROCESSORS

Customer provides a general authorization for us to engage Subprocessors to process Customer Personal Data, subject to this section. We impose data protection obligations on each Subprocessor that are no less protective than those in this DPA, and we remain responsible for each Subprocessor's performance of its obligations.

Our current Subprocessors are listed in Annex C. We will notify Customer of any intended addition or replacement of a Subprocessor and give Customer a reasonable opportunity to object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may terminate the affected Services as its exclusive remedy.

7. ASSISTANCE WITH DATA SUBJECT REQUESTS

Taking into account the nature of the processing, we provide reasonable assistance through appropriate technical and organizational measures to help Customer respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. If we receive such a request directly, we will, where legally permitted, refer the Data Subject to Customer rather than respond ourselves.

8. PERSONAL DATA BREACH NOTIFICATION

We will notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a "Personal Data Breach"). Our notification will describe, to the extent known and reasonably available, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. We will reasonably cooperate with Customer to investigate and mitigate the breach.

9. AUDITS

We make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Upon Customer's reasonable written request, no more than once per twelve-month period (unless required by a supervisory authority or following a Personal Data Breach), we will respond to a reasonable audit request in the form of a security questionnaire or, where available, by providing relevant third-party reports, certifications, or summaries. Any audit is subject to confidentiality obligations and must not unreasonably disrupt our business operations.

10. INTERNATIONAL DATA TRANSFERS

Our Services are operated from the United States, and Customer Personal Data may be processed in the United States and other countries where we or our Subprocessors operate. Where Applicable Data Protection Laws require a transfer mechanism for cross-border transfers of Customer Personal Data (for example, the European Commission's Standard Contractual Clauses or the UK International Data Transfer Addendum), such mechanism is incorporated into this DPA by reference and applies to the relevant transfers, with the parties completing the required details consistent with Annexes A, B, and C.

11. RETURN AND DELETION OF DATA

Upon termination or expiration of the Agreement, and upon Customer's request, we will return or delete Customer Personal Data within a reasonable period, not to exceed thirty (30) days, unless retention is required by applicable law. Where Customer Personal Data remains in routine backup archives, we will isolate it from active processing and delete it in the ordinary course of our backup retention cycle.

12. LIABILITY

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not increase either party's aggregate liability beyond the limits stated in the Agreement.

13. GENERAL

Except as modified by this DPA, the Agreement remains in full force and effect. This DPA is governed by the same governing law and dispute resolution provisions as the Agreement. If any provision of this DPA is found to be unenforceable, the remaining provisions remain in effect. Questions about this DPA may be directed to hello@letterbook.ai.

ANNEX A — DETAILS OF PROCESSING

  • Subject matter: Provision of the Letterbook AI-native customer support platform and contact center.
  • Duration: The term of the Agreement, plus any period until deletion of Customer Personal Data in accordance with this DPA.
  • Nature and purpose: Hosting, storing, processing, and transmitting Customer Personal Data as necessary to provide the Services, including AI-assisted handling of customer support interactions, and providing support to Customer.
  • Types of Personal Data: Identifiers and contact details (such as names, email addresses, and phone numbers), the contents of support communications submitted to the Services, and any other Personal Data Customer or its end users choose to include in those communications.
  • Categories of Data Subjects: Customer's end users and customers, and Customer's personnel who use the Services.

ANNEX B — TECHNICAL AND ORGANIZATIONAL MEASURES

We maintain technical and organizational measures designed to protect Customer Personal Data, including:

  • Encryption of Customer Personal Data in transit and at rest.
  • Logical separation of each Customer's data within the Services.
  • Access controls that limit access to Customer Personal Data to authorized personnel on a need-to-know basis, with authentication controls.
  • Use of reputable cloud infrastructure providers that maintain recognized security certifications for their facilities.
  • Regular automated backups designed to enable restoration of Customer Personal Data.
  • Logging and monitoring designed to detect and respond to security events.

ANNEX C — SUBPROCESSORS

We engage the following Subprocessors to process Customer Personal Data in connection with the Services:

| Subprocessor | Purpose |
| --- | --- |
| Anthropic | AI model processing for support automation |
| OpenAI | AI model processing for support automation |
| Google Cloud | Cloud infrastructure and AI services |
| Microsoft Azure | Cloud infrastructure and AI services |
| Stripe | Payment processing |
