1. Parties to the Agreement
This Data Processing Agreement pursuant to Art. 28 of the General Data Protection Regulation (GDPR) is entered into between
JoMoCo UG (haftungsbeschränkt) i. G., Wiesenblick 5, 87466 Oy-Mittelberg, Germany, hereinafter referred to as "Processor"
and
the respective customer acting as the Controller within the meaning of Art. 4 No. 7 GDPR (hereinafter referred to as "Controller" or "Client")
collectively also referred to as "Parties".
This Agreement is an integral part of the Terms of Service existing between the Parties or the respective main contract regarding the use of the digital platform and services provided by the Processor. It applies to all processing of personal data carried out by the Processor on behalf of the Controller within the scope of using the platform.
2. Subject Matter and Duration of Processing
(1) The subject matter of this Agreement is the processing of personal data by the Processor on behalf of the Controller within the scope of using the cloud-based platform of the Processor as well as the associated digital functions and services.
(2) The processing takes place exclusively for the fulfillment of the contractually owed services.
(3) The duration of the processing corresponds to the term of the respective contractual relationship. After its termination, the regulations on data deletion pursuant to Section 11 of this Agreement apply.
3. Nature and Purpose of Processing
The purpose of the processing is the provision, use, management, and operation of digital functions, particularly in the areas of social media planning, communication, automation, workflow control, analysis, and customer management.
4. Types of Personal Data
Within the scope of using the platform, the following categories of personal data may be processed in particular:
-Names
-Email addresses
-Phone numbers
-Account and profile data
-Social media account data
-Content data such as texts, images, and posts
-Communication data
-Usage, meta, and log data
5. Categories of Data Subjects
The data processing may affect in particular:
-Customers of the Client
-Prospects and leads
-Employees of the Client
-Communication partners
-Other third parties involved by the Client
6. Right of Instruction of the Controller
(1) The Processor processes personal data exclusively upon documented instruction of the Controller, which may be issued in text form, particularly via email or through the provided platform, unless the Processor is required to process such data by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
(2) The Processor shall inform the Controller immediately if it is of the opinion that an instruction infringes data protection regulations.
7. Technical and Organizational Measures
(1) The Processor takes appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk.
(2) These measures include in particular:
-Access control (physical)
-Access control (logical/system)
-Transmission control
-Input control
-Availability control
-Separation rule
-Encryption
-Data backup
-Logging
(3) The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The current technical and organizational measures are documented by the Processor and made available to the Controller upon request in an appropriate form.
8. Use of Sub-Processors
(1) The Controller hereby grants the Processor general authorization to engage sub-processors within the meaning of Art. 28 Para. 2 GDPR for the fulfillment of the contractually owed services.
(2) The Processor uses sub-processors particularly in the areas of platform operation, hosting, automation, communication, integration, monitoring, and security. Engagement occurs exclusively to the extent necessary for the proper provision of services.
(3) The Processor currently uses, among others, the following sub-processors:
-Bluesky Social PBC (USA) – Decentralized social media platform for text-based communication
-CleverReach GmbH & Co. KG (Germany) – Email marketing and communication services
-Google Ireland Ltd. (YouTube Creative Studio) (EU) – Video management, analysis, and monetization functions
-Hetzner Online GmbH (Germany) – Hosting and infrastructure services
-HighLevel Inc. (USA) – Operation of parts of the platform including hosting, automation, and communication functions
-HubSpot Inc. (USA) – CRM system for marketing, sales, and service automation
-Instantly Inc. (USA) – Email outreach and communication automation
-IONOS SE (Germany) – Server and cloud infrastructure
-Leadconnector (USA) – Communication and automation services within the platform
-LinkedIn Ireland Unlimited Company (LinkedIn Business) (EU) – Social media management, company pages, ads, and analysis functions
-LinkedIn Ireland Unlimited Company (LinkedIn Campaign Manager) (EU) – Management, control, and analysis of advertising campaigns
-LinkedIn Ireland Unlimited Company (LinkedIn Creator Tool) (EU) – Tools for creator content, analysis, and community management
-LinkedIn Ireland Unlimited Company (LinkedIn Page Admin Tool) (EU) – Management of company pages, roles, permissions, and content
-Mailgun Technologies Inc. (USA) – Email delivery service for transactional messages and automated email communication
-Make (Celonis SE or Make.com) (EU) – Integration and automation services
-Meta Platforms Ireland Ltd. (Facebook Studio) (EU) – Social media management, analysis, and content control
-Meta Platforms Ireland Ltd. (Meta Business Suite) (EU) – Central management of Facebook and Instagram pages, messages, content, and ads
-Meta Platforms Ireland Ltd. (Meta Suite) (EU) – Extended services for management, analysis, and ad control
-Meta Platforms Ireland Ltd. (Threads) (EU) – Text-based social media communication and community interaction
-n8n GmbH or n8n.io – Workflow and process automation
-Onepage.io (EU) – Landing page, website, and marketing tools for creating and managing websites
-OVHcloud (EU) – European cloud infrastructure
-Pipedrive OÜ (EU) – CRM system for sales control and pipeline management
-Pinterest Europe Ltd. (Pinterest) (EU) – Visual social media platform, content publishing, reach analysis, and ads
-Pinterest Europe Ltd. (Pinterest Business Hub) (EU) – Management of business accounts, ad statistics, and content performance
-Reddit Inc. (USA) – Community platform for content, discussion, and reach building
-Salesforce Inc. (USA) – CRM system for sales, marketing, and customer management
-Sentry Inc. – Error analysis and system monitoring
-SendGrid Inc. (USA) – Transactional emails, system notifications, and delivery management
-Sendinblue GmbH (EU) – Transactional and marketing emails
-Snap Inc. (USA) – Social media platform for visual communication, stories, and ads
-The Rocket Science Group LLC (Mailchimp) (USA) – Email communication and campaigns
-TikTok Technology Limited (TikTok Business Center) (EU) – Management of ads, campaigns, analysis, and business accounts
-TikTok Technology Limited (TikTok Creator Tools) (EU) – Content creation, video analysis, and community management
-Twilio Inc. (USA) – Communication services for SMS, Voice, WhatsApp, and API-based messaging
-UptimeRobot Inc. – Availability monitoring
-X Corp. (formerly Twitter) (USA) – Microblogging platform, content publishing, and interaction
-Zapier Inc. (USA) – Interfaces and automation services
-Zoho Corporation Pvt. Ltd. (EU and third countries) – CRM system as well as business and customer management applications
(4) The processing of personal data by sub-processors takes place exclusively on the basis of a corresponding contract pursuant to Art. 28 GDPR. The Processor ensures that sub-processors comply with at least the same data protection obligations as set out in this Agreement.
(5) If sub-processors process personal data in third countries, particularly in the USA, the Processor ensures that appropriate safeguards exist pursuant to Art. 44 et seq. GDPR, in particular through the conclusion of Standard Contractual Clauses of the European Commission or other permissible transfer mechanisms.
(6) The Processor shall inform the Controller of significant changes regarding the employed sub-processors. A separate right of objection exists if the change is unreasonable for the Controller.
(7) The Processor is entitled to replace sub-processors or engage further sub-processors, provided that this does not impair the level of data protection.
(8) The Processor is liable to the Controller for compliance with the data protection obligations of the employed sub-processors to the extent of the statutory requirements of Art. 28 Para. 4 GDPR.
9. Third Country Transfer
(1) Processing of personal data may take place in third countries, particularly in the USA.
(2) The transfer takes place exclusively in compliance with the legal requirements of Art. 44 et seq. GDPR, in particular on the basis of Standard Contractual Clauses of the European Commission or other appropriate safeguards.
(3) The Controller is aware that despite appropriate safeguards, a residual risk may exist when processing personal data in third countries.
10. Obligations of Support
The Processor shall assist the Controller to a reasonable extent, taking into account the nature of processing and the information available to it, in fulfilling the obligations pursuant to Art. 12 to 22 and Art. 32 to 36 GDPR, in particular regarding:
-The exercise of data subject rights
-Ensuring an appropriate level of security
-Notification of personal data breaches
-Carrying out data protection impact assessments
-Prior consultation of supervisory authorities
Insofar as support services go beyond the usual scope or cause significant additional effort, these may be remunerated separately.
11. Deletion and Return of Data
(1) Upon termination of the contractual relationship, the Processor shall delete all personal data or return it at the choice of the Controller, unless statutory retention obligations exist. Statutory retention obligations remain unaffected.
(2) Upon request of the Controller, the Processor shall support the backup or return of the data.
12. Control Rights
The Controller is entitled, after prior reasonable notice and during normal business hours, to verify compliance with this Agreement or to have it verified by a third party bound to confidentiality, provided that this does not create disproportionate burdens for the Processor and business and trade secrets remain protected.
13. Liability
The liability regulations of the Terms of Service concluded between the Parties apply.
14. Final Provisions
(1) Amendments and additions to this Agreement require text form.
(2) Should individual provisions of this Agreement be invalid, the validity of the remaining regulations remains unaffected.
(3) The laws of the Federal Republic of Germany shall apply.