Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of and supplements the agreement between you and WarpSite that governs your use of the WarpSite platform (the "Terms"). It applies where WarpSite processes personal data on your behalf in connection with the services. By accepting the Terms, or by using the services where WarpSite processes personal data for you, you agree to this DPA.

Last updated: June 11, 2026

This DPA is entered into between you, the customer that has accepted the Terms ("Customer"), and WarpSite, the platform operated by Andrew Lee Jenkins LLC, a limited liability company formed in the Commonwealth of Virginia, United States ("Processor", "we", "us", or "our").

WarpSite is a self-hosted, white-label client-site platform that agencies use to build, host, and manage websites for their own end clients. Because of this structure, the roles of the parties can vary:

• Customer as controller. Where Customer determines the purposes and means of processing personal data (for example, the data Customer collects through its own account, its team members, and the website visitors of the sites it builds), Customer acts as the controller and WarpSite acts as the processor.
• Customer as processor; WarpSite as sub-processor. Where Customer is itself a processor acting on behalf of its own end clients (who are the controllers), Customer acts as the processor and WarpSite acts as a sub-processor. In that case, Customer is responsible for ensuring that the terms of this DPA are consistent with, and authorized by, its agreements with those end clients.

Each party is responsible for complying with the obligations that apply to it in its respective role under Applicable Data Protection Law.

Capitalized terms not defined here have the meaning given in the Terms or in Applicable Data Protection Law. For the purposes of this DPA:

• "Applicable Data Protection Law" means all data protection and privacy laws that apply to the processing of personal data under the Terms, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, and United States state privacy laws such as the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act, and comparable laws of other US states.
• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by WarpSite on behalf of Customer under the Terms. Under US state laws, this includes "personal information" and "personal data" as those terms are defined in the applicable statute.
• "Processing" means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, storage, use, disclosure, transmission, or deletion.
• "Controller" means the entity that determines the purposes and means of the processing of Personal Data. Under US state laws this includes a "business".
• "Processor" means the entity that processes Personal Data on behalf of the Controller. Under US state laws this includes a "service provider" or "processor".
• "Sub-processor" means any third party engaged by WarpSite to process Personal Data in connection with the services.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including a "consumer" under US state laws.
• "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by WarpSite.
• "Standard Contractual Clauses" means the standard data protection clauses adopted by the European Commission or the equivalent transfer mechanism issued by a competent authority (such as the UK International Data Transfer Addendum), as applicable.

The subject matter of the processing is the provision of the WarpSite services to Customer under the Terms. The nature and purpose of the processing is to host, build, manage, and publish websites and related content on Customer's behalf, including operating the visual page builder, the multi-tenant CMS, AI-assisted generation features, and one-click publishing to static hosting, together with the storage, transmission, and routine support activities needed to deliver those services.

WarpSite processes Personal Data only to provide and support the services and as otherwise instructed by Customer in accordance with this DPA. WarpSite does not sell Personal Data, does not share it for cross-context behavioral advertising, and does not retain, use, or disclose Personal Data for any purpose other than performing the services, except as permitted by Applicable Data Protection Law. You can review how WarpSite handles personal data more generally in our Privacy Policy.

The processing continues for the term of the Terms and for as long as WarpSite provides the services to Customer. On expiry or termination, WarpSite will delete or return Personal Data as described in the section on deletion or return below.

The types of Personal Data and categories of Data Subjects are determined and controlled by Customer through its use of the services. They typically include the following.

Types of Personal Data:

• Account and contact details of Customer's team members, such as names, email addresses, and login credentials.
• Content that Customer uploads or generates within the platform, which may contain Personal Data about Customer's end clients and their staff (for example, names, business contact details, images, and biographical content).
• Personal Data submitted by website visitors through forms or other interactive features on the sites Customer builds and publishes, such as names, email addresses, messages, and any other information those visitors choose to provide.
• Technical and usage data such as IP addresses, device and browser information, and analytics data generated when visitors interact with published sites.

Categories of Data Subjects:

• Customer's personnel and authorized users.
• Customer's end clients and their personnel.
• Visitors and users of the websites that Customer builds, hosts, or publishes through the services.

When processing Personal Data on Customer's behalf, WarpSite will:

• Process only on documented instructions. Process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law that applies to WarpSite, in which case WarpSite will inform Customer of that legal requirement before processing, unless the law prohibits such notice. Customer's instructions are set out in the Terms, this DPA, and Customer's configuration and use of the services. WarpSite will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
• Ensure confidentiality. Ensure that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality and have received appropriate training on their data protection responsibilities.
• Limit access. Limit access to Personal Data to personnel who need it to provide and support the services.

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, WarpSite will implement and maintain appropriate technical and organizational measures consistent with Article 32 of the GDPR and comparable US requirements. These measures include:

• Encryption of Personal Data in transit using current industry-standard protocols (such as TLS).
• Access controls and authentication designed to restrict access to Personal Data to authorized personnel, including multi-tenant isolation between Customer accounts.
• Logical separation of Customer data within the platform's multi-tenant architecture.
• Measures to help ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• Procedures for restoring availability of and access to Personal Data following an incident, and for regularly reviewing the effectiveness of these measures.

WarpSite may update its security measures from time to time, provided that any update does not materially reduce the overall level of protection of Personal Data. Further detail on our safeguards is available on our Security page.

Customer provides WarpSite with a general authorization to engage Sub-processors to process Personal Data in connection with the services. The current list of Sub-processors is available at /sub-processors and includes the infrastructure and service providers we rely on to host, deliver, secure, and operate the platform.

WarpSite will:

• Provide prior notice of changes. Give Customer notice before adding or replacing a Sub-processor by updating the list at /sub-processors, so that Customer has a reasonable opportunity to object.
• Honor a right to object. Allow Customer to object on reasonable, data-protection-related grounds to a new Sub-processor. The parties will work in good faith to resolve the objection. If the parties cannot reach a resolution, Customer may, as its sole remedy, terminate the affected services by providing written notice to WarpSite.
• Flow down obligations. Impose on each Sub-processor, by written contract, data protection obligations that are substantially the same as those set out in this DPA, in particular obligations to provide sufficient guarantees to implement appropriate technical and organizational measures.
• Remain responsible. Remain responsible to Customer for the performance of each Sub-processor's data protection obligations.

Taking into account the nature of the processing, WarpSite will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, correction, deletion, portability, restriction, and objection.

If WarpSite receives a request directly from a Data Subject relating to Personal Data processed on Customer's behalf, WarpSite will, unless legally prohibited, promptly inform Customer and will not respond to the request itself except on Customer's documented instructions or as required by law. Where the services provide self-service tools that allow Customer to access, correct, or delete Personal Data, Customer may use those tools to respond to such requests directly.

Taking into account the nature of the processing and the information available to WarpSite, WarpSite will provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under Applicable Data Protection Law with respect to:

• Security of processing.
• Notification of Personal Data Breaches to supervisory authorities and affected Data Subjects.
• Data protection impact assessments (DPIAs) and any prior consultation with a supervisory authority.

WarpSite may charge a reasonable fee for assistance that goes beyond what the services provide by default or beyond what is required by Applicable Data Protection Law, and will inform Customer in advance where a fee applies.

WarpSite will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on Customer's behalf. The notification will, to the extent then known and reasonably available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

WarpSite will provide reasonable assistance and information to help Customer meet its own breach notification obligations to supervisory authorities and Data Subjects. Customer is responsible for determining whether a breach requires notification to authorities or Data Subjects and for making any such notifications, except where WarpSite is independently required by law to do so.

WarpSite will make available to Customer information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer.

To minimize disruption and protect the confidentiality and security of WarpSite's systems and the data of its other customers, the parties agree that: (a) Customer will give reasonable prior written notice of any audit; (b) audits will be conducted no more than once in any twelve-month period, except where required by a supervisory authority or following a Personal Data Breach; (c) WarpSite may satisfy audit requests by providing existing documentation, security summaries, or third-party reports or certifications where available; (d) audits will take place during normal business hours, will not unreasonably interfere with WarpSite's operations, and will be subject to appropriate confidentiality obligations; and (e) Customer will bear its own costs and any reasonable costs incurred by WarpSite in supporting an on-site audit.

WarpSite and its Sub-processors host and process Personal Data primarily in the United States. Where Customer's use of the services involves a transfer of Personal Data from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that restricts cross-border transfers, to a country that has not been recognized as providing an adequate level of data protection, the parties will rely on an appropriate transfer mechanism.

To the extent the Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum, and for Swiss transfers, the Swiss adaptations) are required for such a transfer, those clauses are incorporated into this DPA by reference and apply to the affected processing, with Customer (or its end client) acting as data exporter and WarpSite acting as data importer. Where there is a conflict between this DPA and the Standard Contractual Clauses with respect to a restricted transfer, the Standard Contractual Clauses prevail.

On expiry or termination of the services, WarpSite will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf, and delete existing copies, unless retention is required by law that applies to WarpSite.

Customer may export or retrieve its data using the tools available in the services prior to termination. Following termination, WarpSite may retain Personal Data only for as long as required by applicable law or for the period necessary to complete deletion from backups in the ordinary course, during which time the data remains subject to the protections of this DPA and will not be actively processed for any other purpose.

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms. This DPA does not increase the aggregate liability of either party beyond the limits stated in the Terms, except to the extent Applicable Data Protection Law requires otherwise.

This DPA supplements the Terms. In the event of a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses regarding a restricted transfer, the Standard Contractual Clauses prevail. Except as expressly modified by this DPA, the Terms remain in full force and effect.

Except where Applicable Data Protection Law or an applicable transfer mechanism requires otherwise, this DPA is governed by the same governing law and dispute resolution provisions as the Terms, which are the laws of the United States and the Commonwealth of Virginia.

If Customer requires a signed or countersigned copy of this DPA for its records or to satisfy its own compliance obligations, Customer may request one by emailing [email protected] with the legal entity name and account details to be referenced. We will provide an executable copy reflecting the terms set out here. The processing parties for the purposes of any executed copy are Customer and Andrew Lee Jenkins LLC, operator of WarpSite.

Questions about this DPA, or about how WarpSite processes Personal Data, can also be sent to [email protected] or by mail to Andrew Lee Jenkins LLC, 8401 Mayland Dr #10872, Richmond, VA 23294, United States.

This DPA is provided for general information and to govern the processing of Personal Data under the Terms. It is not legal advice and does not create an attorney-client relationship. Customer is responsible for assessing whether the services and this DPA meet its own legal and regulatory obligations, and should consult its own legal counsel where appropriate.