Data Processing Addendum

Effective Date: October 1, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms & Conditions / Terms of Service (the “Agreement”) between the Customer (“Controller”) and Stratford Berkshire Group, LLC d/b/a Berkara (“Processor”). This DPA reflects the parties’ agreement on the processing of personal data in connection with the Services provided by Processor.

1. Definitions

“Applicable Data Protection Laws” means all laws and regulations relating to privacy and data protection, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act as amended (“CCPA/CPRA”). “Personal Data,” “Controller,” “Processor,” and “Data Subject” have the meanings given under those laws.

2. Role of the Parties

The Controller determines the purposes and means of processing Personal Data and retains ownership of such data. The Processor acts solely as a service provider processing Personal Data on behalf of the Controller and only in accordance with Controller’s documented instructions, this DPA, and the Agreement.

3. Subject Matter and Duration

This DPA applies to the processing of Personal Data necessary for Processor to provide the Services under the Agreement. Processing commences on the Effective Date and continues for the term of the Agreement or until all Personal Data is deleted or returned to Controller as described herein.

4. Nature and Purpose of Processing

Processor processes Personal Data solely to perform the Services described in the Agreement, including hosting, storage, transmission, analytics, and communications tools necessary for CRM operations. Processor shall not process Personal Data for its own purposes or for the benefit of any third party.

5. Type of Data and Data Subjects

The Personal Data processed may include contact information, account records, communications, and business metadata relating to the Controller’s clients or employees. Data Subjects may include Controller’s customers, employees, contractors, and end users.

6. Processor Obligations

Processor shall (a) process Personal Data only on Controller’s documented instructions; (b) ensure persons authorized to process Personal Data are subject to confidentiality obligations; (c) implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access; (d) assist Controller in responding to Data Subject requests and in complying with security and breach-notification obligations; and (e) upon termination of Services, delete or return Personal Data as directed by Controller.

7. Sub-Processors

Controller authorizes Processor to engage sub-processors necessary to deliver the Services, including cloud and infrastructure providers (e.g., Stripe for payments, Google for analytics and hosting). Processor shall enter into a written agreement with each sub-processor imposing data-protection obligations no less protective than those in this DPA. Processor will remain liable for the acts and omissions of sub-processors.

8. Cross-Border Transfers

Where Personal Data originates from the EEA or UK, Processor will ensure appropriate safeguards for such transfers, including Standard Contractual Clauses or other approved transfer mechanisms. Controller acknowledges that data may be processed in the United States and that Processor maintains measures to ensure adequate protection consistent with Applicable Data Protection Laws.

9. Audits and Compliance

Upon reasonable request, Processor shall make available information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws. Processor shall permit and contribute to reasonable audits or inspections conducted by Controller or an independent auditor appointed by Controller, provided that such audits do not interfere with Processor’s operations and are subject to appropriate confidentiality agreements.

10. Security Incidents

Processor shall notify Controller without undue delay after becoming aware of a confirmed personal-data breach affecting Controller Data. The notification will describe the nature of the incident, the likely consequences, and measures taken to mitigate its effects. Processor shall cooperate with Controller in satisfying any legal notification obligations.

11. Data Subject Requests

If Processor receives a request from a Data Subject relating to Personal Data for which Controller is the Controller, Processor will promptly forward the request to Controller and shall not respond except on Controller’s documented instructions.

12. Retention and Deletion

Upon termination or expiry of the Agreement, Processor shall, at Controller’s option, delete or return all Personal Data and certify deletion unless retention is required by law. Processor may retain non-identifiable, aggregated data for statistical or security purposes.

13. Liability and Indemnity

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement. Controller will indemnify Processor for any losses arising from Controller’s violation of Applicable Data Protection Laws or instructions that cause Processor to be in breach of law.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Colorado, United States, without regard to conflict-of-law rules. Where mandatory EU or UK data-protection requirements apply, those shall prevail to the extent of any inconsistency.

15. Miscellaneous

This DPA supersedes any prior data-processing terms between the parties and forms part of the Agreement. If there is a conflict between this DPA and the Agreement, the DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data. No modification of this DPA will be effective unless in writing and signed by both parties.

Questions regarding this DPA should be directed to support@berkara.com.
Stratford Berkshire Group, LLC d/b/a Berkara
Based in Colorado, United States.