SpotsNow Data Processing Agreement (DPA)

2.1 Drop Station’s Role.

In providing the SpotsNow Service, Drop Station acts as both:

• a Data Processor, when processing Personal Data on behalf of Publishers or Brands (for example, when facilitating introductions, transmitting messages, hosting uploaded contracts, or verifying deals for commission purposes and facilitating Brand payment workflows through third-party processors); and
• a Data Controller, when processing Personal Data for its own legitimate business purposes, such as platform analytics, security monitoring, fraud detection, and compliance with accounting or tax obligations.

In connection with Brand Marketplace Transactions, Drop Station processes limited payment-related Personal Data (such as transaction identifiers, authorization status, charge and refund information) through third-party payment processors (e.g., Stripe). Drop Station does not store full payment card details and does not act as a bank, money transmitter, or financial institution.

Drop Station processes Personal Data only to the extent necessary to operate the Platform and facilitate Campaign workflows, and does not independently determine the scope, content, or validity of contractual rights, obligations, or agreements between Buyers and Publishers.

2.2 Publisher and Brand Roles.

• Publishers act as independent Controllers of any personal data they submit to SpotsNow (e.g., listing data, demographic details, contact information, and communications with Brands).
• Brands act as independent Controllers of their own contact data, campaign information, and communications with Publishers.
• Drop Station does not control, monitor, or assume responsibility for any data processing conducted independently by Publishers or Brands outside the SpotsNow platform.
• For clarity, any personal data processed by Publishers or Brands pursuant to agreements executed outside the SpotsNow platform (including external insertion orders, side letters, or change orders) is processed solely under the responsibility of those parties acting as independent Controllers.

2.3 Data Ownership.

Each Party retains ownership of the Personal Data it provides or otherwise controls. Nothing in this Agreement transfers ownership of Personal Data between the Parties.

3.1 Purpose.

The purpose of this Agreement is to set out the terms under which Drop Station processes Personal Data in connection with the operation of the SpotsNow platform. Processing is performed solely to:

• (a)operate, maintain, and improve the SpotsNow Service;
• (b)facilitate introductions and communications between Publishers and Brands;
• (c)host and transmit messages, files, and contracts exchanged between users;
• (d)verify introductions, listings, and deals for commission calculation and compliance purposes;
• (e)detect and prevent fraud, unauthorized activity, and abuse of the Service; and
• (f)comply with applicable legal, tax, and regulatory obligations.

3.2 Nature of the Data.

The Personal Data processed by Drop Station may include:

• contact information (e.g., name, business name, email address);
• demographic and listing data voluntarily supplied by Publishers (e.g., audience size, geography, or pricing);
• Brand information (e.g., company, campaign title, budgets, or contact data);
• messages, attachments, and contracts exchanged between Publishers and Brands through the platform;
• platform logs and metadata (e.g., timestamps, device and usage data).

3.3 Duration.

Processing will continue for as long as a Publisher or Brand maintains an active account on SpotsNow or as required by law for record-keeping and compliance. Upon termination of an account, Drop Station will delete or anonymize Personal Data in accordance with Section 10 (Data Retention and Deletion).

3.4 Categories of Data Subjects.

The Personal Data processed may relate to:

• Publishers and their authorized representatives;
• Brands, agencies, and their authorized representatives; and
• Individuals whose data are contained within communications, contracts, or related documents transmitted through the Service.

3.5 Exclusions.

Drop Station does not intentionally collect or process end-user or audience data belonging to third parties, such as listener or viewer analytics unrelated to the SpotsNow platform. Each Publisher remains solely responsible for ensuring compliance with privacy laws in connection with any such external data.

3.6 Platform-Limited Processing and Independent Controllers

SpotsNow processes Personal Data only to the extent necessary to operate the Platform and facilitate Campaign workflows, and does not independently determine the scope, content, or validity of contractual rights, obligations, or agreements between Buyers and Publishers.

For clarity, any Personal Data processed by Buyers or Publishers pursuant to agreements executed outside the SpotsNow Platform (including external insertion orders, side letters, amendments, or change orders) is processed solely under the responsibility of those parties acting as independent Controllers. SpotsNow has no responsibility for, or control over, such processing.

4.1 Documented Instructions.

Drop Station shall process Personal Data only in accordance with:

• (a)this Agreement;
• (b)the SpotsNow Terms of Service and Privacy Policy; and
• (c)the documented instructions of the Controller (Publisher or Brand), except to the extent required by applicable law.

4.2 Lawfulness of Instructions.

Each Controller represents and warrants that its instructions to Drop Station comply with applicable Data Protection Legislation and do not require processing that would violate such laws. Drop Station will inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Legislation.

4.3 Limitations.

Drop Station shall not:

• (a)process Personal Data for any purpose other than those expressly permitted under this Agreement;
• (b)sell, rent, or otherwise disclose Personal Data to third parties except as authorized by the Controller or required by law; or
• (c)retain Personal Data longer than necessary for the purposes of the Agreement or as required by law.

4.4 Controller Responsibilities.

Each Controller (Publisher or Brand) is responsible for:

• (a)ensuring the accuracy, quality, and legality of Personal Data provided to SpotsNow;
• (b)establishing a lawful basis for collecting and sharing such data; and
• (c)complying with all applicable Data Protection Legislation, including by providing appropriate notices and obtaining necessary consents from Data Subjects.

4.5 Processor Responsibilities.

When acting as a Processor, Drop Station will:

• (a)process Personal Data only as necessary to provide and improve the Service;
• (b)ensure that its personnel are bound by confidentiality obligations;
• (c)implement appropriate Technical and Organizational Measures to protect Personal Data; and
• (d)assist Controllers in fulfilling their obligations with respect to Data Subject rights, data security, and breach notifications.

5.1 Confidentiality Obligations.

Drop Station shall treat all Personal Data and any information disclosed in connection with this Agreement as confidential and shall not disclose such data to any third party except as permitted by this Agreement or required by law.

5.2 Personnel Access.

Drop Station shall ensure that access to Personal Data is limited to employees, agents, or Subprocessors who require such access to perform their job duties in connection with providing the Service. All such individuals are bound by written confidentiality obligations consistent with this Agreement and Data Protection Legislation.

5.3 Survival.

The confidentiality obligations set forth in this Section 5 shall survive termination of this Agreement and remain in effect for as long as Drop Station retains any Personal Data on behalf of the Controller.

6.1 Implementation.

Drop Station shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures shall be proportionate to the risk of the processing and comply with applicable Data Protection Legislation.

6.2 Security Practices.

Without limiting the foregoing, Drop Station maintains the following minimum security measures:

• (a)Encryption of Personal Data in transit and at rest using industry-standard protocols (TLS 1.2+ or equivalent).
• (b)Access Controls limiting internal access to Personal Data based on role and necessity.
• (c)Authentication and Logging to track administrative actions and access to systems processing Personal Data.
• (d)Regular Security Testing including vulnerability assessments and system audits.
• (e)Incident Response Procedures to promptly identify, contain, and remediate any suspected or actual breach of security.
• (f)Physical Safeguards at data-center locations managed by industry-certified providers (e.g., AWS, GCP, or similar).
• (g)Business Continuity and Backup Measures ensuring data integrity and availability in the event of hardware failure or disaster.

6.3 Data Breach Notification.

In the event Drop Station becomes aware of a Personal Data Breach affecting data processed under this Agreement, Drop Station shall:

• (a)notify the affected Controller without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach;
• (b)provide sufficient information to allow the Controller to meet any reporting obligations under Data Protection Legislation; and
• (c)cooperate reasonably with the Controller to investigate and mitigate the effects of the breach.

6.4 Controller Responsibilities.

Each Controller (Publisher or Brand) is responsible for using the Service in a secure manner and for implementing appropriate security measures for Personal Data under its own control, including encryption of files or communications transmitted through SpotsNow when required by law or good practice.

7.1 Authorized Subprocessors.

The Controller authorizes Drop Station to engage Subprocessors for the purposes of providing the SpotsNow Service, including cloud hosting, analytics, messaging, and infrastructure support.

7.2 List of Subprocessors.

A current list of Subprocessors engaged by Drop Station is available at https://dropstation.io/subprocessors. This list may be updated from time to time. Drop Station will provide notice of any new Subprocessor engagements through this webpage or via email.

7.3 Subprocessor Obligations.

Drop Station shall ensure that all Subprocessors are bound by written agreements imposing data-protection obligations substantially similar to those set out in this Agreement. Drop Station remains responsible and liable for the performance of its Subprocessors to the same extent as if it performed the processing itself.

7.4 Objection Right.

If a Controller has a reasonable objection to a new Subprocessor that materially impacts its ability to comply with Data Protection Legislation, the Controller may notify Drop Station in writing within fifteen (15) days of the update. Drop Station will work in good faith to address the objection, including by proposing alternative arrangements or allowing termination of the affected services without penalty if resolution is not feasible.

8.1 Assistance with Data Subject Requests.

Taking into account the nature of the processing, Drop Station shall assist Controllers (Publishers or Brands) by implementing appropriate technical and organizational measures, insofar as possible, to fulfill their obligations to respond to Data Subject requests under applicable Data Protection Legislation.

8.2 Types of Requests.

This includes, without limitation, requests to:

• (a)access, rectify, or erase Personal Data;
• (b)restrict or object to processing;
• (c)obtain a portable copy of Personal Data; or
• (d)withdraw consent (where applicable).

8.3 Procedure.

If a Data Subject contacts Drop Station directly with a request relating to Personal Data controlled by a Publisher or Brand, Drop Station will not independently respond but will promptly notify the applicable Controller and provide reasonable cooperation and assistance to enable that Controller to respond to the request in compliance with applicable law, except where Drop Station is the Data Controller for the relevant processing activity, in which case Drop Station will respond in accordance with applicable law.

8.4 Costs.

To the extent legally permitted, the Controller shall reimburse Drop Station for reasonable costs incurred in connection with providing assistance under this Section 8, when such assistance requires significant effort beyond Drop Station’s standard processes.

9.1 Transfers Outside the EEA and UK.

Drop Station is headquartered in the United States, and Personal Data may be transferred to and processed in the United States and other jurisdictions that may not provide the same level of protection as the EEA, UK, or Switzerland.

9.2 Transfer Mechanisms.

Where the transfer of Personal Data is subject to cross-border data-transfer restrictions under Data Protection Legislation, Drop Station shall ensure that such transfers are conducted in accordance with an appropriate lawful mechanism, which may include:

• (a)Drop Station’s participation in the EU–U.S. Data Privacy Framework and UK/Swiss extensions, where certified;
• (b)the European Commission’s Standard Contractual Clauses (Controller–Processor module), as amended by any UK or Swiss Addenda; or
• (c)another lawful transfer mechanism recognized under applicable Data Protection Legislation (such as explicit consent).

9.3 Documentation and Assurance.

Drop Station shall make available documentation reasonably necessary to demonstrate compliance with applicable transfer requirements and, upon request, provide a copy of the relevant transfer mechanism to the Controller (subject to redaction of confidential information).

10.1 Retention.

Drop Station retains Personal Data only for as long as necessary to provide the SpotsNow Service, to verify introductions and commissions, or as required by law, regulation, or contractual obligation.

10.2 Deletion upon Termination.

Upon termination of a Controller’s account or upon written request, Drop Station shall delete or anonymize all Personal Data processed on behalf of that Controller within a commercially reasonable period, not to exceed ninety (90) days, unless retention is required by law or necessary for legitimate business purposes (e.g., accounting or dispute resolution).

10.3 Backup and Archival Data.

Personal Data stored in automated backups may be retained for a limited period consistent with Drop Station’s backup policies, after which it is securely deleted through automated processes.

10.4 Certification of Deletion.

Upon written request, Drop Station shall confirm in writing that Personal Data has been deleted or anonymized in accordance with this Section.

11.1 Audit Rights.

Upon reasonable written notice, Drop Station shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this Agreement and, where required by law, allow for and contribute to reasonable audits or inspections by the Controller or an independent auditor mandated by the Controller.

11.2 Scope and Limitations.

Audits shall:

• (a)be limited to once per calendar year unless otherwise required by law;
• (b)be conducted during normal business hours and in a manner that does not unreasonably interfere with Drop Station’s operations; and
• (c)exclude any information that would compromise the confidentiality or security of other users’ data or Drop Station’s proprietary systems.

11.3 Costs.

The Controller shall bear its own costs and expenses associated with any audit, and shall reimburse Drop Station for any time and materials expended in connection with audits that require significant assistance beyond standard documentation responses.

11.4 Alternative Documentation.

To satisfy audit requirements, Drop Station may provide written certifications, summaries of security assessments, or copies of third-party audit reports (e.g., SOC 2 Type II or equivalent), which the Controller agrees will fulfill its right to audit, absent a specific legal requirement for on-site inspection.

12.1 Mutual Liability.

Each Party shall be liable for and indemnify the other against any damages, fines, or losses arising from its own breach of this Agreement or applicable Data Protection Legislation.

12.2 Drop Station’s Limitation of Liability.

To the maximum extent permitted by law, Drop Station’s total aggregate liability arising from or related to this Agreement, whether in contract, tort, or otherwise, shall not exceed the greater of (a) one hundred U.S. dollars (US $100), or (b) the total amount of commissions or fees paid by the Controller to Drop Station in the twelve (12) months preceding the event giving rise to the claim.

12.3 Exclusion of Certain Damages.

Neither Party shall be liable for indirect, incidental, consequential, special, or punitive damages, including loss of profits, revenue, or business opportunities, even if advised of the possibility of such damages.

12.4 Indemnification.

Each Party shall defend, indemnify, and hold harmless the other Party, its affiliates, officers, and employees against any claims, damages, or expenses arising out of a breach of this Agreement or violation of applicable data-protection laws by that Party.

13.1 Term.

This Agreement shall commence upon the creation of a SpotsNow account or the use of the Service and remain in effect for as long as Drop Station processes Personal Data on behalf of the Controller.

13.2 Termination.

Either Party may terminate this Agreement at any time upon written notice if the other Party materially breaches its terms and fails to remedy the breach within thirty (30) days of written notice.

13.3 Effect of Termination.

Upon termination, Drop Station shall cease processing Personal Data on behalf of the Controller and shall delete or anonymize such data in accordance with Section 10 (Data Retention and Deletion). Termination shall not relieve either Party of obligations accrued prior to termination, including payment or indemnity obligations.

13.4 Survival.

Sections 5 (Confidentiality), 6 (Security Measures), 10 (Data Retention and Deletion), 11 (Audits and Inspections), 12 (Liability and Indemnification), and 14 (Governing Law and Miscellaneous) shall survive termination of this Agreement.

14.1 Governing Law.

This Agreement shall be governed by and construed in accordance with the laws of the State of Tennessee, U.S.A., without regard to its conflict-of-law principles.

14.2 Jurisdiction.

Any dispute arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in Chattanooga, Tennessee, U.S.A.

14.3 Entire Agreement.

This Agreement, together with the SpotsNow Terms of Service and Privacy Policy, constitutes the entire understanding between the Parties relating to the subject matter herein and supersedes all prior or contemporaneous agreements, whether written or oral.

14.4 Amendments.

Drop Station may update this Agreement from time to time to reflect changes in legal or operational requirements. Material updates will be communicated via email or platform notice. Continued use of the Service after such updates constitutes acceptance of the revised Agreement.

14.5 Severability.

If any provision of this Agreement is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.6 No Waiver.

Failure by either Party to enforce any provision shall not constitute a waiver of that or any other provision.