Data Processing Addendum

• "Controller" means you, the customer, who determines the purposes and means of processing of personal data through the Service.
• "Processor" means Launchpad / OpenLoop Healthcare Partners PC, who processes personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person that you submit to the Service.
• "Processing" has the meaning given in the GDPR.
• "GDPR" means the EU General Data Protection Regulation 2016/679.
• "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission.

This DPA commences on the date you accept the Terms of Service and continues until the termination or expiration of your subscription, at which point the Processor will delete or return Personal Data as described in Section 9 below.

The Processor processes Personal Data on behalf of the Controller solely to provide the Compass analytics and operations platform, including:

• Storing and displaying growth analytics data uploaded or generated through use of the Service
• Running analytical computations on Customer Data to generate reports and insights
• Providing the Service infrastructure, security monitoring, and technical support

The Processor shall not process Personal Data for any purpose other than fulfilling its obligations under the Terms of Service without the Controller's prior written consent.

The categories of Personal Data processed depend on the customer's tier:

• Free tier: Only de-identified, aggregated data. No personal data is processed.
• Insights tier: May include pseudonymized patient identifiers, acquisition channel attribution data, subscription/order IDs, and pharmacy SLA records linked to patient cohorts. Direct identifiers (name, email, DOB, address) should not be uploaded unless required and explicitly agreed in a separate BAA.

The data subjects may include:

• The Controller's customers (patients or health product consumers)
• The Controller's employees or team members using the Service

The Controller authorizes the Processor to engage subprocessors to assist in providing the Service. A current list of approved subprocessors is available at joincompass.ai/legal/subprocessors.

The Processor will provide at least 30 days' prior notice before engaging a new subprocessor or making material changes to existing subprocessors, giving the Controller the opportunity to object. All subprocessors are bound by data protection obligations consistent with this DPA.

The Processor implements and maintains appropriate technical and organizational security measures to protect Personal Data, including:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for data at rest, managed via AWS Key Management Service (KMS)
• Role-based access control with principle of least privilege
• Regular vulnerability scanning and penetration testing
• Incident response plan with 72-hour breach notification capability (as required by GDPR)
• Employee training on data protection and security

Details are available at joincompass.ai/trust.

The Processor is based in the United States. Transfers of Personal Data from the EEA or UK to the US are made pursuant to the Standard Contractual Clauses (Module Two: Controller-to-Processor) adopted by the European Commission Decision 2021/914. By accepting this DPA, the Controller agrees to the SCCs as incorporated herein. A copy of the applicable SCCs is available upon request at privacy@joincompass.ai.

The Processor will assist the Controller in fulfilling data subject rights requests (access, correction, deletion, portability) within 30 days of receiving a request from the Controller.

Upon termination of the agreement, the Processor will, at the Controller's choice, delete or return all Personal Data within 30 days. Backups containing Personal Data will be deleted within 90 days of termination.

The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

Audit requests must be submitted with at least 30 days' written notice to privacy@joincompass.ai. Audits will be conducted during normal business hours at no more than once per calendar year, unless a security incident requires otherwise.

The Processor will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach affecting Controller's data. Notification will include all information required under GDPR Article 33(3) that is available at the time of notification.