Data Processing Agreement

This Data Processing Agreement, including the Standard Contractual Clauses attached hereto (collectively, the "DPA"), is made and entered into as of the effective date of the applicable Customer's acceptance of the Terms of Service between The Plain Works Co., Ltd. (주식회사 더플레인웍스) ("Company" or "Reshot") and Customer to which this DPA is attached and incorporated (the "Agreement"). All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement.

This DPA shall become legally binding upon Customer entering into the Agreement or upon execution of this DPA.

1. Definitions

1.1. "Affiliate" means an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, or an entity which is under common control with a party, but only so long as such ownership exists.

1.2. "Customer Data" means any content, data, information, or other materials submitted or shared by or for Customer to or through the Service, including Personal Data.

1.3. "Personal Data" means information relating to a living individual who can be identified, directly or indirectly, from that information, which is processed by the Company on behalf of the Customer through the Service.

1.4. "Authorized Sub-Processor" means a third party authorized to access or process Customer's Personal Data to enable Company to perform its obligations under this DPA or the Agreement.

1.5. "Company Account Data" means personal data that relates to the Company's relationship with Customer, including names, contact information, and billing information of individuals associated with Customer's account.

1.6. "Company Usage Data" means Service usage data collected and processed by the Company in connection with the provision of the Service, including activity logs, performance data, and data used to investigate and prevent system abuse.

1.7. "Data Protection Laws" means any applicable laws and regulations relating to the processing of Personal Data, including: (i) the California Consumer Privacy Act ("CCPA"); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR"); (iii) the EU GDPR as retained by the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iv) the Swiss Federal Act on Data Protection ("FADP"); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended, or replaced from time to time. The terms "Data Subject," "Personal Data," "Personal Data Breach," "processing," "processor," "controller," and "supervisory authority" shall have the meanings set forth in the EU GDPR.

1.8. "Standard Contractual Clauses" means the EU SCCs and the UK SCCs.

1.9. "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection.

1.10. "UK SCCs" means the EU SCCs, as amended by the UK Addendum issued by the ICO under section 119A(1) of the UK Data Protection Act 2018.

2. Relationship of the Parties; Processing of Data

2.1. The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, Company is a processor. Customer shall, in its use of the Service, process Personal Data and provide instructions for the processing of Personal Data in compliance with Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company, (ii) the means by which Customer acquired such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data.

2.2. Company shall not process Personal Data (i) for purposes other than those set forth in the Agreement and Exhibit A, (ii) in a manner inconsistent with this DPA or any other documented instructions provided by Customer, or (iii) in violation of Data Protection Laws. If an instruction, in Company's opinion, infringes Data Protection Laws, Company shall immediately notify Customer. Customer hereby instructs Company to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Service.

2.3. The subject matter, nature, purpose, and duration of processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A.

2.4. Following completion of the Services, at Customer's choice, Company shall return or delete Customer's Personal Data, unless further storage is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, Company shall take measures to block such Personal Data from further processing and shall continue to protect it. Company will confirm deletion upon Customer's written request.

2.5. CCPA. Except with respect to Company Account Data and Company Usage Data, the parties acknowledge and agree that Company is a "Service Provider" for the purposes of the CCPA (to the extent it applies) and is receiving Personal Data from Customer in order to provide the Service, which constitutes a business purpose. Company shall not sell or share any such Personal Data. Company shall not retain, use, or disclose any Personal Data except as necessary for performing the Service or as permitted by the CCPA. Company certifies that it understands the restrictions of this Section 2.5.

3. Confidentiality

3.1. Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company's confidentiality obligations in the Agreement.

4. Authorized Sub-Processors

4.1. Customer acknowledges and agrees that Company may engage Affiliates and Authorized Sub-Processors to access and process Personal Data in connection with the Service. By way of this DPA, Customer provides general written authorization to Company to engage sub-processors as necessary to perform the Service.

4.2. A list of Company's current Authorized Sub-Processors is available at reshot.dev/subprocessors. Company shall specifically inform Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance.

4.3. If Customer reasonably objects to an engagement in accordance with Section 4.2, and Company cannot provide a commercially reasonable alternative within a reasonable period, Customer may discontinue the use of the affected Service by providing written notice to Company. Company will refund prepaid fees for the unused portion of the terminated Service.

4.4. If Customer does not object within fourteen (14) days of notice, the third party will be deemed an Authorized Sub-Processor.

4.5. Company will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations no less protective than those imposed on Company under this DPA. Company remains liable to Customer for the performance of each Authorized Sub-Processor's obligations.

5. Security of Personal Data

5.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. Exhibit C sets forth additional information about Company's technical and organizational security measures.

6. Transfers of Personal Data

6.1. The parties agree that Company may transfer Personal Data processed under this DPA outside the EEA, the UK, or Switzerland as necessary to provide the Service. Customer acknowledges that Company's processing operations involve infrastructure located in the United States. If Company transfers Personal Data to a jurisdiction for which no adequacy decision has been issued, Company will ensure that appropriate safeguards are in place.

6.2. Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this DPA by reference, completed as follows:

6.2.1. Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and Company is processing Personal Data as a processor.

6.2.2. Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a processor and Company is processing Personal Data as a sub-processor.

6.3. For each module, where applicable:

6.3.1. The optional docking clause in Clause 7 is included;

6.3.2. In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 4.2 of this DPA;

6.3.3. In Clause 11, the optional language does not apply;

6.3.4. In Clause 17 (Option 1), the EU SCCs will be governed by the law of Ireland;

6.3.5. In Clause 18(b), disputes will be resolved before the courts of Ireland;

6.3.6. Exhibit A to this DPA contains the information required in Annex I of the EU SCCs;

6.3.7. Exhibit B to this DPA contains the information required for the List of Parties;

6.3.8. Exhibit C to this DPA contains the information required in Annex II of the EU SCCs;

6.3.9. By entering into this DPA, the parties are deemed to have signed the EU SCCs incorporated herein.

6.4. Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum (version B1.0, issued by the ICO).

6.5. Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs, with references to the GDPR interpreted to include the Swiss FADP, and with the FDPIC having authority over data transfers governed by the FADP.

6.6. Korea adequacy. The EU's adequacy decision for Korea (December 2021) and the UK's adequacy regulations for Korea (December 2022) permit transfers of Personal Data to Korea without additional safeguards. The SCCs described above apply as a fallback in the event any applicable adequacy decision is invalidated or suspended.

6.7. Government requests. If Company receives a government or law enforcement request for Customer Personal Data, Company will, where permitted by law, notify Customer before disclosure and make reasonable efforts to redirect the requesting authority to seek the data directly from Customer.

7. Rights of Data Subjects

7.1. Company shall, to the extent permitted by law, notify Customer upon receipt of a Data Subject Request. If Company receives a Data Subject Request in relation to Customer's data, Company will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding. Company shall, at Customer's request, provide reasonable assistance in responding to Data Subject Requests, taking into account the nature of the processing.

8. Audits and Data Protection Impact Assessments

8.1. Company shall, taking into account the nature of the processing and the information available, provide Customer with reasonable cooperation and assistance where necessary for Customer to conduct a data protection impact assessment and/or to demonstrate compliance, provided that Customer does not otherwise have access to the relevant information.

8.2. Company shall maintain records sufficient to demonstrate its compliance with this DPA, and retain such records for a period of three (3) years after the termination of the Agreement.

8.3. Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (i) make available copies of certifications or reports demonstrating compliance with prevailing data security standards, or (ii) allow Customer's independent third-party representative to conduct an audit of Company's data security infrastructure, provided that (a) Customer provides at least 30 days' prior written notice; (b) audits occur no more than once per calendar year, during business hours; and (c) audits are restricted to data relevant to Customer. Customer bears the costs of any audit unless a material breach is found.

9. Personal Data Breach

9.1. In the event of a Personal Data Breach, Company shall, without undue delay and in any event within 72 hours, inform Customer and take such steps as Company deems necessary and reasonable to remediate the violation (to the extent within Company's reasonable control).

9.2. Company shall, taking into account the nature of the processing, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with obligations to notify (i) the relevant supervisory authority and (ii) affected Data Subjects.

9.3. Notification shall include, to the extent known: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) contact details; (c) likely consequences; and (d) measures taken or proposed.

10. Company's Role as a Controller

10.1. The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process such data (i) to manage the relationship with Customer; (ii) for core business operations such as accounting, audits, tax, and compliance; (iii) to detect fraud and security incidents; (iv) for identity verification; (v) to comply with legal obligations; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this DPA. Any processing by Company as a controller shall be in accordance with the Company's Privacy Policy at reshot.dev/privacy.

11. Conflict and Precedence

11.1. In the event of any conflict among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this DPA; (3) the Agreement; and (4) the Company's Privacy Policy.

11.2. Any claims brought in connection with this DPA will be subject to the terms and conditions, including the exclusions and limitations, set forth in the Agreement.

12. General

This DPA is governed by the law specified in the Agreement, except where Data Protection Laws require otherwise.

---

Exhibit A — Details of Processing

Categories of Data Subjects: End users, employees, contractors, and other individuals whose personal data may appear in the software interfaces that Customer configures the Service to capture. Also, representatives of Customer who access the Service.

Categories of Personal Data: Depending on Customer's use: names, email addresses, profile images, or other personal data visible in captured screenshots; IP addresses and user agent strings from CLI execution; hashed API keys; account and billing information.

Sensitive data: Not applicable. The Service is not designed to process special category data (GDPR Article 9). Customer is responsible for ensuring captured screenshots do not contain such data without appropriate safeguards.

Frequency of transfer: Continuous, for the duration of the Agreement.

Nature of processing: Capturing, storing, comparing, versioning, and serving screenshots of software user interfaces; CLI and webhook integration; visual change detection and notification.

Purpose of processing: To enable Customer to automate documentation screenshot management.

Retention period: Customer data is processed for the duration of the Agreement. Upon termination, Customer data is available for export for 30 days, then deleted.

---

Exhibit B — List of Parties

Data Exporter (Customer):

• Name: As specified in the Agreement.
• Contact: As specified in the Agreement.
• Role: Controller (or Processor, as applicable).

Data Importer (Company):

• Name: The Plain Works Co., Ltd. (주식회사 더플레인웍스)
• Address: Cheonan, Chungcheongnam-do, Republic of Korea
• Contact: privacy@reshot.dev
• Role: Processor

By entering into the Agreement, the parties are deemed to have signed the Standard Contractual Clauses incorporated into this DPA.

---

Exhibit C — Technical and Organizational Security Measures

Company maintains the following safeguards designed for protection of the security, confidentiality, and integrity of Personal Data processed through the Service.

1. Security Governance. Company maintains an information security program designed to (a) protect Customer data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to security and unauthorized access, and (c) minimize security risks through risk assessment and regular review.

2. Access Control.

2.1. Third-party hosting and processing. The Service is hosted with third-party cloud infrastructure providers (Vercel, Supabase, Cloudflare). Company relies on contractual agreements and vendor compliance programs to protect data processed or stored by these vendors.

2.2. Authentication. Customers are required to authenticate before accessing non-public data. API access requires API keys, which are transmitted over encrypted channels and stored in hashed form. Session tokens expire after periods of inactivity.

2.3. Authorization. Customer Content is stored in isolated, multi-tenant storage systems accessible only via application interfaces. Customers do not have direct access to underlying infrastructure.

2.4. Limitations of privilege. A limited subset of Company personnel have access to production systems and Customer data via controlled interfaces, solely for the purpose of customer support, troubleshooting, and security incident response. Personnel are bound by confidentiality obligations.

3. Encryption.

3.1. In transit. All data transmitted between Customer and the Service is encrypted using TLS 1.2 or higher.

3.2. At rest. Customer Data stored in databases and object storage is encrypted at rest using AES-256 or equivalent.

4. Monitoring and Incident Response.

4.1. Detection. Infrastructure logs extensive information about system behavior and traffic. Error tracking uses Sentry with IP address anonymization. Anomalous activity is investigated.

4.2. Response. Company maintains a security incident response process that includes identification, containment, eradication, recovery, and post-incident review. Personal Data Breaches are reported in accordance with Section 9 of this DPA.

5. Vulnerability Management. Dependencies are monitored for known vulnerabilities. Critical security patches are applied promptly.

6. Network Security. Infrastructure is protected by DDoS mitigation (Cloudflare) and platform-level network isolation. Multi-factor authentication is required for all administrative access to infrastructure dashboards.

7. Data Deletion and Portability. Company enables Customers to request deletion or export of their account and data in a manner consistent with the functionality of the Service.

8. Availability. Customer Data is backed up regularly. Backup integrity is verified. Infrastructure is designed to minimize single points of failure.