
Annex 1 — Data Processing Agreement (DPA)

Preamble

This Data Processing Agreement ("DPA") is annexed to and forms an integral part of the Merchant Terms of Service ("ToS") concluded between:

  • FLIZ, a French SAS with share capital of €1,000, registered office at 18 Rue Masséna, Bureau 3, 06000 Nice, RCS Nice 977 626 118, hereinafter the "Processor" or "Fliz",
  • and the Client signatory to the ToS, hereinafter the "Controller" or the "Client".

This DPA is established pursuant to Article 28 of Regulation (EU) 2016/679 of April 27, 2016 on data protection (hereinafter the "GDPR") and supplementary provisions of French Law No. 78-17 of January 6, 1978 as amended ("Data Protection Act").

It defines the conditions under which Fliz processes personal data on behalf of the Client in connection with the provision of the Affilane Service.


Article 1 — Purpose and Scope

1.1 Purpose

This DPA aims to frame the processing of personal data that Fliz carries out on behalf of the Client for the performance of the ToS and the provision of the Affilane Service.

1.2 Scope

This DPA covers processing for which Fliz acts as processor within the meaning of Article 4(8) GDPR. It does not cover:

  • processing for which Fliz acts as an independent controller (Client account management, billing, commercial marketing, anti-fraud for own account) — governed by the Affilane Privacy Policy;
  • processing for which the Parties act as joint controllers within the meaning of Article 26 GDPR (collection and transmission via the Tag) — governed by Annex 2 (Joint Controller Arrangement).

1.3 Hierarchy

In case of contradiction between this DPA and the ToS, the DPA prevails with respect to personal data processing carried out as processor.


Article 2 — Description of Processing (Article 28.3 GDPR)

2.1 Subject Matter of Processing

Management of an affiliate marketing program on behalf of the Client, including: Affiliate management, click and conversion tracking, commission calculation and payment, reporting.

2.2 Duration of Processing

Throughout the duration of the ToS, plus retention periods stipulated in Article 6.

2.3 Nature of Processing Operations

Collection, recording, organization, structuring, storage, consultation, use, communication by transmission, making available, combination, erasure.

2.4 Purpose of Processing

Provision of the Affilane Service to the Client, in accordance with the ToS.

2.5 Categories of Data Subjects

  • Affiliates registered by the Client, whether:
    • by manual entry in the Platform;
    • by CSV import or via API;
    • by submission of an embedded registration form (iframe or JavaScript script provided by Fliz) integrated on the Client's site or on another domain authorized by the Client;
  • Visitors to the Client's website (via the Tag);
  • Final clients of the Client whose orders trigger commissions.

2.6 Categories of Personal Data

  • Identification data: first name, last name, email, pseudonym
  • Contact data: email, phone (optional)
  • Professional data: company name, registration number, legal status, website
  • Financial data: IBAN/BIC, payment details transmitted via Stripe
  • Tax data: EU VAT number, franchise status, tax residence country
  • Performance data: clicks, conversions, commissions, performance rates
  • Connection data: credentials, access logs, timestamp
  • Technical data: IP address, User-Agent, anonymized fingerprint, cookie identifiers

2.7 Categories of Sensitive Data

Fliz processes no sensitive data within the meaning of Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, sexual orientation), nor criminal convictions data within the meaning of Article 10 GDPR. The Client undertakes not to transmit such data.


Article 3 — Obligations of the Processor (Fliz)

3.1 Processing on Documented Instructions (Art. 28.3.a)

Fliz processes personal data only on documented instruction from the Client, including regarding transfers outside the European Union, except when required to do so by Union or Member State law to which Fliz is subject. In that latter case, Fliz informs the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The ToS and this DPA, together with the Client's configuration of the Service, constitute the baseline documented instructions. Additional instructions may be transmitted by the Client to hello@affilane.com. Fliz immediately informs the Client if, in its analysis, an instruction violates the GDPR or other Union or Member State data protection provision.

3.2 Confidentiality (Art. 28.3.b)

Fliz ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Employees and subcontractors are trained in data protection.

3.3 Security (Art. 28.3.c → Art. 32)

Fliz takes all measures required under Article 32 GDPR. Technical and organizational measures implemented are detailed in Annex 4 of the ToS and include:

  • TLS 1.2 minimum encryption in transit
  • AES-256 encryption of data at rest
  • multi-factor authentication (MFA) for administrator access
  • separation of production/development environments
  • access rights management following the least privilege principle
  • access logging retained for 12 months
  • daily encrypted backups retained for 30 days
  • annual penetration testing
  • documented internal security policy
  • business continuity plan
  • for the embedded registration form: CORS whitelisting of domains authorized by the Client, anti-abuse rate limiting (5 submissions/IP/hour), honeypot detection, strict input validation, timestamped logging of consent to the Terms compliant with Article 7.1 GDPR

These measures are regularly reviewed and updated according to the evolution of threats and state of the art.

3.4 Sub-processing (Art. 28.2 and 28.4)

General prior authorization. The Client authorizes Fliz to engage sub-processors for the provision of the Service, subject to compliance with the conditions below.

List of sub-processors. The updated list of Fliz's sub-processors is published at affilane.com/legal/subprocessors and communicated upon request.

As of the date of this DPA, sub-processors are:

Sub-processor                      | Role                          | Location
-----------------------------------|-------------------------------|-------------------------------
Vercel Inc.                        | Application hosting           | Multi-region (EU preferred)
Supabase Inc.                      | Primary database              | EU (via AWS Ireland/Frankfurt)
Amazon Web Services EMEA SARL      | Technical infrastructure      | EU (Ireland, Frankfurt)
Stripe Payments Europe Ltd.        | Payments                      | EU + US (intra-group)
Resend Inc. (or equivalent)        | Transactional emails          | EU or US
Upstash Inc.                       | Cache and queue (Redis)       | EU
Anthropic PBC / OpenAI LLC         | AI (optional features)        | US

Modification of the list. Any modification of the list (addition or replacement) is subject to notification to the Client with thirty (30) days' notice before effect, by email or notification in the Service. The Client has a period of fifteen (15) days from notification to formulate in writing, to hello@affilane.com, a reasoned objection (e.g., risk of transfer outside the EU not properly framed, sub-processor's history of violations).

In case of reasoned objection that Fliz cannot reasonably address, the Client may terminate the contract without penalty, effective on the date of sub-processor change.

Contractual equivalence. Fliz concludes with each sub-processor a written contract imposing data protection obligations at least equivalent to those of this DPA (Art. 28.4 GDPR).

Liability. Fliz remains fully liable for the performance by the sub-processor of its data protection obligations (Art. 28.4 GDPR).

3.5 Assistance With Data Subjects' Rights (Art. 28.3.e)

Fliz assists the Client, through appropriate technical and organizational measures, in fulfilling the Client's obligation to respond to requests from data subjects exercising their rights (Articles 15 to 22 GDPR).

In practice, Fliz makes available in the Service features allowing the Client to export, rectify, or delete data relating to a specific person. In case of complex request requiring Fliz's intervention, it is processed within a timeframe compatible with the Client's response deadlines (Article 12.3 GDPR: one month extendable by two months).

If a data subject directly addresses Fliz with a request relating to processing carried out on behalf of the Client, Fliz forwards the request to the Client within 5 business days and refrains from responding directly, unless otherwise instructed.

3.6 Assistance in Security, Breaches, and DPIAs (Art. 28.3.f)

Personal data breach (Art. 33-34). Fliz notifies the Client without undue delay and, in any event, within a maximum of 48 hours after becoming aware, of any personal data breach affecting processing carried out on behalf of the Client. This notification contains:

  • description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned;
  • name and contact details of Fliz's contact point;
  • description of likely consequences;
  • description of measures taken or proposed to address the breach and, where appropriate, to mitigate its adverse effects.

Fliz assists the Client in notifications to the supervisory authority (72h, Art. 33) and to data subjects (Art. 34), to the extent of information available in its capacity as processor.

Data Protection Impact Assessment (DPIA, Art. 35). Fliz assists the Client in conducting DPIAs upon request, providing necessary technical information on processing carried out and security measures implemented.

Prior consultation (Art. 36). Fliz assists the Client in case of prior consultation with the CNIL, providing relevant technical information.

3.7 Return or Deletion (Art. 28.3.g)

At the end of the contract, at the Client's written choice:

  • Return: data is made available to the Client in a structured, commonly used, and machine-readable format (CSV, JSON) for a period of 30 days from the end of the contract;
  • Deletion: data is deleted within a maximum of 30 days.

At the end of this period, all copies of data are deleted, subject to legal retention obligation (notably accounting obligations 10 years under Article L.123-22 of the French Commercial Code, AML-CFT obligations 5 years under Article L.561-12 of the French Monetary and Financial Code). In such case, Fliz informs the Client of the nature and duration of this residual retention.

Existing backups are purged as part of the normal rotation cycle (maximum 30 days).

Upon request, Fliz provides written certification of effective deletion.

3.8 Audit and Inspection (Art. 28.3.h)

Fliz makes available to the Client all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

Audit terms:

  • Frequency: one (1) audit per calendar year, except for legitimate additional reason (significant security incident, major change in processing, supervisory authority request);
  • Notice: thirty (30) days, reduced to eight (8) days in case of incident;
  • Duration: maximum five (5) business days;
  • Costs: borne by the Client, unless the audit reveals significant breach by Fliz;
  • Scope: compliance of processing with the provisions of this DPA;
  • Confidentiality: the auditor signs a prior confidentiality agreement.

Fliz may satisfy this obligation by making available to the Client:

  • external audit reports (ISO 27001, SOC 2 Type II where applicable), summaries of penetration tests, relevant internal policies;
  • written responses to a due diligence questionnaire.

The Client accepts these documents as substitutes for on-site audits when adequate and up to date.

3.9 Records of Processing Activities (Art. 30.2)

Fliz maintains a record of all categories of processing activities carried out on behalf of the Client, compliant with Article 30.2 GDPR. This record is made available to the supervisory authority upon request.

3.10 Data Protection Officer

Fliz designates hello@affilane.com (subject: "[GDPR]") as internal contact point for data protection matters. Fliz has not designated a DPO within the meaning of Article 37 GDPR, as such designation is not mandatory given the nature of its processing.


Article 4 — Transfers of Data Outside the European Union

4.1 Principle

Some sub-processors may process data in the United States or other third countries. These transfers are framed in accordance with Articles 44 to 49 GDPR.

4.2 Applicable Transfer Mechanisms

Adequacy decisions (Art. 45):

  • EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of July 10, 2023), applicable to DPF-certified US sub-processors. This decision was confirmed by the General Court of the EU on September 3, 2025 (T-553/23, Latombe v. Commission).
  • Other adequacy decisions: United Kingdom, Switzerland, Japan, South Korea, Canada (commercial sector), Israel, Argentina, New Zealand, Uruguay, Faroe Islands, Andorra, Guernsey, Jersey, Isle of Man.

Standard Contractual Clauses (Art. 46.2.c): When no adequacy decision applies, Fliz implements the SCCs 2021/914 adopted by Commission Implementing Decision (EU) 2021/914 of June 4, 2021, according to the appropriate module:

  • Module 2: controller to processor (Client → Fliz to sub-processors);
  • Module 3: processor to sub-processor (Fliz to non-EU sub-sub-processors).

SCCs are signed with each concerned sub-processor and available upon request.

4.3 Transfer Impact Assessment (TIA)

Fliz conducts a Transfer Impact Assessment in accordance with EDPB Recommendations 01/2020 of June 18, 2021 (version 2.0), including analysis of third-country legislation, public authority access requests, and supplementary measures to implement.

4.4 Supplementary Measures

When necessary, Fliz implements supplementary measures such as: pseudonymization, end-to-end encryption with keys held in the EU, minimization of transferred data, geographic segmentation of processing.

4.5 List of Countries Concerned by Transfer

The updated list of countries receiving transfers is published at affilane.com/legal/subprocessors.


Article 5 — Obligations of the Controller (Client)

The Client undertakes to:

  1. Lawfulness: have a valid legal basis within the meaning of Article 6 GDPR for each processing entrusted to Fliz, and, where necessary, consent collected in accordance with Article 7 GDPR.

  2. Information: provide data subjects with information required by Articles 13 and 14 GDPR upon data collection, including the identity of the Client, purposes, categories of recipients (including Fliz as processor), international transfers, retention periods, data subjects' rights.

  3. Documented instructions: give lawful and documented instructions to Fliz. By using the Service in accordance with the ToS, the Client is deemed to give instructions resulting from the chosen configuration.

  4. Records: maintain their own records of processing activities in accordance with Article 30.1 GDPR.

  5. Cookie consent: collect prior consent from visitors to their site for the placement of the Fliz Tag under the conditions described in Article 7.2 of the ToS and Annex 2.

  6. Sensitive data: not transmit to Fliz data falling under special categories within the meaning of Article 9 GDPR nor data relating to criminal convictions within the meaning of Article 10 GDPR.

  7. Cooperation: cooperate with Fliz in case of requests from data subjects, authority audits, or data breaches.


Article 6 — Duration and Retention

6.1 Duration

This DPA applies throughout the duration of the ToS. Obligations relating to confidentiality, security, and data deletion survive the end of the contract.

6.2 Retention Periods

Retention periods applied by Fliz correspond to the purpose of the processing:

Category                               | Duration
---------------------------------------|--------------------------------------------------------------
Operational data (tracking, commissions) | Duration of contract + 3 years (intermediate archiving)
Connection and security logs           | 12 months
Cookie consent logs (evidence)         | 5 years
Accounting data (invoices, payments)   | 10 years (Art. L.123-22 French Commercial Code)
AML-CFT data                           | 5 years (Art. L.561-12 French Monetary and Financial Code)

At the expiration of applicable periods, data is irreversibly deleted or anonymized.


Article 7 — Liability

7.1 Liability

Each Party is liable, towards data subjects, for damages caused by its own failure to comply with its obligations, in accordance with Article 82 GDPR.

7.2 Recourse Between Parties

In relations between them, the Parties agree that:

  • Fliz bears the consequences of damages resulting from breach of its processor obligations;
  • The Client bears the consequences of damages resulting from its own breaches (notably: unlawful instruction, failure to inform, lack of consent, sensitive data wrongly transmitted).

7.3 CNIL Sanctions

If a sanction is issued by the supervisory authority against one Party for a breach attributable to the other Party, the latter shall bear the amount of the sanction and reasonably incurred defense costs.

7.4 Cap

The liability cap applicable to this DPA is the one defined in Article 13 of the ToS, it being specified that monetary sanctions issued under the GDPR and passed between the Parties pursuant to Article 7.3 are not subject to this cap.


Article 8 — General Provisions

8.1 Modification

Fliz may modify this DPA according to the procedure in Article 15.1 of the ToS (15 days' notice, right of termination during the notice period).

8.2 Governing Law and Jurisdiction

This DPA is governed by French law. Competent jurisdictions are those designated in Article 22 of the ToS (Commercial Court of Paris).

8.3 Partial Nullity

The nullity of one provision does not affect the validity of others.


Article 9 — DPA Annexes

DPA Annex 1 — Detailed Description of Processing

Refer to Article 2 of this DPA.

DPA Annex 2 — Technical and Organizational Security Measures

Refer to Annex 4 of the ToS.

DPA Annex 3 — List of Sub-processors

Updated list published at affilane.com/legal/subprocessors and incorporated in Article 3.4 of this DPA.

DPA Annex 4 — International Transfers

List of recipient countries published at affilane.com/legal/subprocessors.


Data Processing Agreement established in compliance with:

  • Regulation (EU) 2016/679 of April 27, 2016 (GDPR), notably Articles 28, 30.2, 32, 33, 44-49
  • Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (Standard Contractual Clauses)
  • Commission Implementing Decision (EU) 2021/915 of June 4, 2021 (Intra-EU C→P SCCs, optional application)
  • Commission Implementing Decision (EU) 2023/1795 of July 10, 2023 (EU-US Data Privacy Framework)
  • French Law No. 78-17 of January 6, 1978 as amended (Data Protection Act)
  • EDPB Guidelines 07/2020 on the concepts of controller and processor (v. 2.1 of July 7, 2021)
  • EDPB Recommendations 01/2020 on supplementary measures for transfers (v. 2.0 of June 18, 2021)
  • Case law: CJEU July 16, 2020, Schrems II, C-311/18; CJEU July 29, 2019, Fashion ID, C-40/17; General Court of the EU September 3, 2025, T-553/23, Latombe
  • CNIL reference sanctions relating to Article 28: SAN-2021-020 SlimPay (€180k); decision April 15, 2022 Dedalus Biologie (€1.5M); decision November 10, 2022 Discord (€800k); decision October 12, 2023 Canal+ (€600k)