Data Processing Addendum (DPA)

Effective date: March 1, 2026

Introduction

This Data Processing Addendum ("DPA") is entered into by and between BaseMonkeys LLC, doing business as BaseQR.ai ("Company" or "Processor"), and the client ("Client" or "Controller"). This DPA forms part of and supplements the Master Services Agreement ("MSA") between the parties.

1. Roles and Scope

Client is the Data Controller. Company is the Data Processor. Company processes Personal Data solely on behalf of Client and in accordance with the MSA and this DPA.

2. Nature and Purpose of Processing

Company provides a platform for dynamic QR code routing, campaign management, and analytics. Processing activities are limited to: • Routing users to Client-defined destinations • Generating aggregated analytics and reporting • Supporting platform functionality and performance

3. Categories of Personal Data

Processing may include: • IP address • Device and browser information • Approximate geolocation (city/region level) • Timestamp of interactions • Referrer or source data (where available) Company does not intentionally collect sensitive personal data.

4. Data Subjects

Personal Data may relate to: • End users interacting with QR codes • Client personnel using the Services

5. Client Responsibilities

Client is solely responsible for: • Establishing a lawful basis for processing • Providing required notices and obtaining consent where applicable • Ensuring compliance with applicable data protection laws • All content, destinations, and data submitted through the Services

6. Processor Obligations

Company will: • Process Personal Data only as necessary to provide the Services • Implement commercially reasonable technical and organizational safeguards • Ensure personnel are subject to confidentiality obligations Company will not: • Sell Personal Data • Use Personal Data for its own marketing purposes

7. Subprocessors

Client authorizes Company to engage subprocessors to support the Services (e.g., cloud infrastructure, content delivery, payment processing). Company will use reasonable diligence in selecting subprocessors and require appropriate data protection obligations.

8. International Data Transfers

Personal Data may be processed in the United States or other jurisdictions where Company or its subprocessors operate. Client consents to such transfers.

9. Data Subject Requests

Client is responsible for responding to data subject requests. Company will provide reasonable assistance where feasible.

10. Data Retention and Deletion

Company retains Personal Data only as necessary to provide the Services and meet legal obligations. Upon termination: • Data may be deleted after fourteen (14) days • Limited data may be retained for security, compliance, or audit purposes

11. Security

Company implements commercially reasonable safeguards to protect Personal Data. Client acknowledges that no system is completely secure.

12. Data Breach Notification

In the event of a confirmed breach of Personal Data under Company's control, Company will notify Client without undue delay.

13. Limitation of Liability

This DPA is subject to the limitations of liability set forth in the MSA.

14. Order of Precedence

In the event of conflict: DPA → MSA → Order

15. Modifications

Company may update this DPA from time to time. Continued use of the Services constitutes acceptance of the updated DPA.

16. Contact

BaseQR.ai A subsidiary of BaseMonkeys LLC Raleigh, North Carolina