
Data Processing Addendum (DPA)
Last Updated — 10 / 17 / 25
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“Agreement”) between Synergy Wellness Solutions Inc, dba Kor Solutions (“Company,” “Processor,” or “Service Provider”) and the individual or entity that has executed an Order Form referencing the Agreement (“Client,” “Controller,” or “Business”).
By continuing to use the Services or executing an Order Form that references this DPA, the Parties agree to be bound by its terms. This DPA is intended to mirror and maintain downstream compliance with the standards set forth in 247Intent’s Data Processing Addendum (https://legal.247intent.com/dpa), as Kor Solutions operates as a fulfillment and service partner.
1. Definitions
All capitalized terms not defined here have the meanings given in the Agreement.
“Applicable Data Protection Laws” means all data-protection and privacy laws applicable to a Party’s processing of Personal Data under this DPA, including the California Consumer Privacy Act (CCPA/CPRA), EU General Data Protection Regulation (GDPR), UK GDPR, and any implementing or successor legislation.
“Personal Data” means any information relating to an identified or identifiable natural person or household that is processed by Company on behalf of Client.
“Processing,” “Controller,” “Processor,” “Business,” and “Service Provider” have the meanings given in the Applicable Data Protection Laws.
“Sub-processor” means any third party engaged by Company to process Personal Data on behalf of Client.
2. Roles and Scope
a. Roles. Client acts as the Controller/Business; Company acts as the Processor/Service Provider.
b. Purpose. Company processes Personal Data solely to provide, maintain, and improve the Services described in the Agreement and in accordance with Client’s documented instructions.
c. Duration. Processing continues for the term of the Agreement and until deletion of all Personal Data as described below.
3. Client Instructions
Company will process Personal Data only:
• on documented instructions from Client (including via the Agreement, Order Forms, and use of the Services);
• to comply with legal obligations; or
• to maintain, secure, or improve the Services in a manner that does not identify Client or data subjects.
If Company is required by law to process Personal Data beyond Client’s instructions, it will notify Client (unless prohibited by law).
4. Confidentiality and Security
a. Company ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations. Company follows substantially the same security and data-protection controls described in 247Intent’s current Data Processing Addendum.
b. Company implements and maintains appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
c. At a minimum, these measures include access-control policies, encryption in transit, regular system monitoring, and secure data-center hosting with SOC-2 or ISO 27001 certification.
5. Sub-processors
a. Client authorizes Company to use Sub-processors to fulfill the Services. Current Sub-processors may include cloud-hosting, analytics, and data-delivery vendors.
b. Company will maintain a list of authorized Sub-processors with its partner at https://legal.247intent.com/subprocessors and will provide notice of any new Sub-processors at least 10 business days before engagement.
c. Company will ensure each Sub-processor is bound by written terms providing data-protection obligations no less protective than those in this DPA.
6. Cross-Border Data Transfers
a. If Company transfers Personal Data originating from the EEA, UK, or Switzerland to a country that does not provide an adequate level of protection, Company will use appropriate safeguards such as the EU Standard Contractual Clauses (2021/914/EU) or the UK International Data Transfer Addendum.
b. Client authorizes such transfers subject to these safeguards. Where Company relies on 247Intent or its authorized Sub-processors for data processing or storage, such transfers are subject to equivalent safeguards under the EU Standard Contractual Clauses.
7. Assistance to Client
Taking into account the nature of the processing, Company will assist Client in meeting its legal obligations, including by:
• responding to data-subject requests (access, deletion, correction, etc.);
• implementing appropriate security and breach-notification procedures; and
• providing information necessary to demonstrate compliance with this DPA.
8. Data Breach Notification
Company will notify Client without undue delay (and no later than 72 hours after confirmation) upon becoming aware of a Personal-Data Breach affecting Client’s data. The notice will include available details to help Client comply with its own notification obligations.
9. Audits and Assessments
Upon written request once per year, and subject to confidentiality obligations, Company will provide summaries of relevant third-party audits or certifications demonstrating compliance (e.g., SOC 2 Type II or ISO 27001). On-site audits by Client are permitted only if legally required and with 30-day prior written notice.
10. Return or Deletion of Data
Within 30 days after termination or expiry of the Agreement, Company will delete or return all Personal Data and copies thereof unless retention is required by law. Upon request, Company will certify completion of deletion.
11. CCPA/CPRA Specific Terms
To the extent the CCPA/CPRA applies:
a. Company acts as a Service Provider and will not:
• sell or share Personal Data;
• retain, use, or disclose Personal Data for purposes other than performing the Services; or
• combine Personal Data with other data except as permitted by the CCPA/CPRA or the Agreement.
b. Client certifies that it provides Personal Data to Company only for valid business purposes consistent with the CCPA/CPRA.
12. Liability and Governing Law
The limitations of liability and governing-law provisions of the Agreement apply to this DPA. This DPA is governed by the laws of the State of Utah, U.S.A., without regard to conflict-of-law rules.
13. Order of Precedence
If there is any conflict between this DPA and the Agreement, this DPA will control to the extent of that conflict with respect to the Processing of Personal Data.
14. Miscellaneous
a. Each Party will comply with this DPA and the Agreement in good faith.
b. This DPA may be executed electronically and in counterparts.
c. Older versions will be archived at https://kokorocreators.com/korsolutions-archives.
IN WITNESS WHEREOF, this Data Processing Addendum is entered into as of the Effective Date of the Agreement.
Synergy Wellness Solutions Inc, dba Kor Solutions
(“Processor / Service Provider”)
Signature: _______________________
Name:
Title:
Client (“Controller / Business”)
Signature: _______________________
Name:
Title: