Data Processing Addendum
Last updated: 26 May 2026 · Version 1.0
This Data Processing Addendum ("DPA") forms part of the agreement between Run With Ops Ltd, a company registered in England and Wales with company number 16939192 and registered office at Flat 2 Bluebolt House, 4 Bickerton Road, London N19 5JR ("RWO", "Processor") and the Customer identified in the underlying agreement (the "Controller") for the provision of The Run System ("Service") (the "Agreement").
This DPA supplements the Agreement and reflects the parties' agreement on the processing of Personal Data by RWO on the Customer's behalf in connection with the Service. In the event of any conflict between the Agreement and this DPA on the subject of personal data processing, this DPA prevails.
1. Definitions
In this DPA:
"Applicable Data Protection Laws" means the UK GDPR (the retained EU Regulation 2016/679 as it forms part of UK law), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), the EU General Data Protection Regulation (Regulation (EU) 2016/679), and any other data protection law applicable to the Processing.
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Special Categories of Personal Data" and related terms have the meanings given in Applicable Data Protection Laws.
"Customer Personal Data" means Personal Data Processed by RWO on behalf of the Customer in connection with the Service.
"Sub-processor" means any third party engaged by RWO to Process Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for international transfers of personal data adopted by the European Commission in Decision (EU) 2021/914.
"UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner (or, where the parties so elect, the UK Addendum to the SCCs).
2. Roles and scope
For the purposes of this DPA, in respect of Customer Personal Data, the Customer is the Controller (or where the Customer is itself a Processor for an end-customer, a Processor on behalf of another controller) and RWO is the Processor.
Each party will comply with its respective obligations under Applicable Data Protection Laws. The subject matter, duration, nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are set out in Annex I.
3. Customer instructions
RWO will Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, except where required to do so by law (in which case RWO will inform the Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest).
The Agreement (including this DPA), the Service configuration the Customer chooses, and any other reasonable instructions the Customer gives via the Service or in writing constitute the Customer's documented instructions.
If RWO believes that an instruction infringes Applicable Data Protection Laws, RWO will inform the Customer without undue delay.
4. Confidentiality
RWO will ensure that personnel authorised to Process Customer Personal Data are subject to a duty of confidentiality (whether contractual or statutory) of an equivalent standard to that set out in this DPA, and that access is limited to those who need it to perform their duties.
5. Security
RWO will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures RWO has in place are set out in Annex II. RWO will keep the measures in Annex II under review and may update them provided they do not materially reduce the level of protection.
6. Sub-processors
The Customer authorises RWO to engage Sub-processors to Process Customer Personal Data. A current list is published at therunsystem.com/sub-processors. By signing the Agreement the Customer is taken to have given general authorisation to the Sub-processors on that list.
RWO will give the Customer at least 30 days' prior notice of any intended addition or replacement of a Sub-processor. The Customer may object to a new Sub-processor on reasonable data protection grounds within 30 days of notice. If the parties cannot agree a solution, the Customer may terminate the affected element of the Service on written notice, and RWO will refund any Fees pre-paid for the unused period after termination.
RWO will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Customer for the acts and omissions of each Sub-processor as if they were RWO's own.
7. International transfers
The Customer authorises RWO and its Sub-processors to transfer Customer Personal Data outside the United Kingdom and the European Economic Area, subject to this clause.
Where any such transfer would otherwise be prohibited under Applicable Data Protection Laws, the parties will rely on one or more of the following safeguards (in this order of preference): an adequacy regulation made by the UK government (including, where applicable, the UK Extension to the EU-US Data Privacy Framework); the UK IDTA; the SCCs (Controller-to-Processor or Processor-to-Sub-processor modules as applicable), supplemented by the UK Addendum where the transfer originates from the UK; or another lawful transfer mechanism agreed between the parties.
Annex III sets out the parties' selections for the SCCs and the UK IDTA / Addendum as required by those instruments.
8. Data subject rights
Taking into account the nature of the Processing, RWO will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws.
If RWO receives a Data Subject request that relates to Customer Personal Data, RWO will not respond directly to the Data Subject other than to acknowledge receipt or refer them to the Customer, and will notify the Customer without undue delay so the Customer can respond.
9. Assistance to the Customer
Taking into account the nature of the Processing and the information available to it, RWO will assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, communication of breach to data subjects, data protection impact assessments and prior consultation).
10. Personal data breaches
RWO will notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach affecting Customer Personal Data. The notification will, to the extent then known, describe the nature of the breach, likely consequences, measures taken or proposed to address it, and the name and contact details of RWO's contact point for further information.
RWO will provide further information as it becomes known. RWO will not make any public statement or notification about the breach without the Customer's prior agreement, except where required by law.
11. Records and audits
RWO will maintain records of its processing activities sufficient to demonstrate compliance with Applicable Data Protection Laws. On reasonable prior written notice, and no more than once per year (except in the event of a personal data breach or as required by a regulator), the Customer may carry out an audit of RWO's compliance with this DPA, either by itself or through an independent third-party auditor (subject to confidentiality undertakings reasonably acceptable to RWO).
RWO may satisfy the audit obligation by providing the Customer with relevant third-party certifications, audit reports (such as ISO 27001 or SOC 2 Type II once obtained), and written responses to a reasonable security questionnaire.
12. Deletion or return on termination
Within 30 days of termination or expiry of the Agreement, at the Customer's choice (expressed in writing), RWO will return all Customer Personal Data to the Customer in a structured, commonly used and machine-readable format, or delete all Customer Personal Data and certify deletion in writing.
RWO may retain Customer Personal Data to the extent and for as long as required by law, in which case it will continue to be protected in accordance with this DPA.
13. Liability
The parties' respective liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. Nothing in this DPA increases either party's liability beyond the limits in the Agreement.
14. Order of precedence
To the extent of any conflict between this DPA and the Agreement on the subject of Processing of Personal Data, this DPA prevails. The SCCs and UK IDTA (where applicable) prevail over this DPA in respect of international transfers to the extent of any conflict.
15. General
This DPA does not relieve either party of any of its independent obligations under Applicable Data Protection Laws. Variation of this DPA must be in writing signed by both parties or made by RWO on at least 30 days' notice (in respect of changes required to address changes in Applicable Data Protection Laws or guidance).
Annex I — Details of Processing
Subject matter: Provision of The Run System SaaS platform.
Duration: The term of the Agreement plus any retention period set out in this DPA.
Nature and purpose of Processing: Hosting, ingesting, structuring, analysing and outputting paid-media planning, trafficking, reporting, compliance and activation data through AI agents operated by RWO; providing access to the Service and related support.
Type of Personal Data:
- contact data of Customer's personnel and Authorised Users (name, business email, job title, business phone);
- account data (login credentials, IP addresses, device IDs, log data);
- communications data (support tickets, emails, recorded calls where consented);
- ad-platform credential metadata (OAuth tokens — passwords are not Processed);
- limited personal data within Customer-supplied media plans, taxonomies and creative matrices (typically business contact data of approvers, stakeholders and creators).
Categories of Data Subjects:
- Customer's personnel and Authorised Users;
- Customer's clients' personnel and stakeholders;
- where applicable, business contacts referenced in Customer-uploaded plans or matrices.
Sensitive data: None Processed in the ordinary course. The AUP prohibits the upload of Special Categories of Personal Data without prior written agreement.
Frequency: Continuous during the term.
Retention: As set out in clause 12 and the Service Documentation.
Sub-processors: As published at therunsystem.com/sub-processors.
Annex II — Technical and Organisational Measures
Access controls. Role-based access control on all production systems. Multi-factor authentication required for all administrative access to production and all key SaaS tools. Joiner/mover/leaver process with documented timelines for revoking access. Single sign-on offered for enterprise customers on request.
Encryption. TLS 1.2+ for all data in transit. Encryption at rest for production data stores and object storage using provider-managed AES-256. Application-layer encryption for PII columns (AES-128-CBC + HMAC-SHA256). Ad-platform OAuth tokens encrypted at rest.
Hosting and infrastructure. Production environment hosted on Railway (EU-West, Amsterdam) with network isolation, infrastructure-level DDoS protection and provider-managed patching. Separate environments for development, staging and production. Infrastructure as code with peer review on all changes to production.
Logging and monitoring. Centralised application and infrastructure logging. Alerting on security-relevant events (authentication failures, privilege escalations, unusual data exports). Append-only audit log with cryptographic hash chain, retained for 7 years.
Software development. Source control with mandatory code review on all changes to production code. Dependency vulnerability scanning on every build. Secrets are never committed to source control.
Personnel. Confidentiality obligations in all employment and contractor agreements. Security awareness training on joining and at least annually thereafter. Background checks where lawful and proportionate.
Vendor risk. Documented due diligence before any Sub-processor is engaged. Written data processing terms in place with each Sub-processor.
Incident response. Documented incident response procedure with named on-call contact. Personal data breach notification process aligned with clause 10. Post-incident review on every reportable incident.
Business continuity. Automated backups of production data at least daily. Restore testing performed at least annually.
Customer controls. Authorised Users can delete or export their own data via the Service. Customer-controlled access provisioning and revocation for connected Third-Party Platforms. Data deletion on Customer request within 30 days of termination unless retention is required by law.
Annex III — SCCs and UK Transfer Mechanism Selections
For transfers from the UK to a third country lacking an adequacy regulation:
- Selected mechanism: UK IDTA (or, where the parties so elect, EU SCCs supplemented by the UK Addendum).
- Module: Controller-to-Processor (where the Customer is itself a Controller); Processor-to-Sub-processor (between RWO and its Sub-processors).
- Clause 7 (docking clause): not enabled.
- Clause 11 redress: Data Subject may lodge a complaint with the supervisory authority and seek judicial redress in line with the UK GDPR.
- Clause 13 (supervision): UK Information Commissioner's Office.
- Clause 17 governing law: laws of England and Wales.
- Clause 18 forum and jurisdiction: courts of England and Wales.
For transfers from the EEA to a third country lacking an adequacy decision (where the Customer is established in the EEA):
- Selected mechanism: EU SCCs.
- Module: Module 2 (Controller-to-Processor) between the Customer and RWO; Module 3 (Processor-to-Sub-processor) between RWO and its Sub-processors.
- Optional clause 7 (docking clause): not enabled.
- Clause 11 option: Data Subject choice between supervisory authority complaint and judicial redress.
- Clause 17 governing law: Republic of Ireland (or as otherwise agreed in the Agreement).
- Clause 18 forum and jurisdiction: Courts of Ireland.
- Annex I: as set out in Annex I to this DPA. Annex II: as set out in Annex II to this DPA. Annex III: list of Sub-processors as published at therunsystem.com/sub-processors.
Signatures
This DPA does not need to be separately signed if incorporated by reference into the Agreement; signing the Agreement constitutes acceptance of this DPA. Where the Customer requires a signed copy, contact [email protected].