Data Processing Agreement

2.1 Role of the Parties

LoyalBase acts as a Processor with respect to Personal Data of Customer's Members. Customer acts as the Controller, determining the purposes and means of processing Member Data through the LoyalBase platform. LoyalBase acts as an independent Controller for its own business operations and for Tenant account data, as described in the Privacy Policy.

2.2 Subject Matter

LoyalBase processes Personal Data solely to provide and support the Services as described in the Terms of Service, including: operating Customer's branded loyalty program, managing Member accounts and loyalty activity, enabling push notification and email communications configured by Customer, generating analytics and reports for Customer, and processing reward redemptions.

2.3 Categories of Personal Data

LoyalBase may process the following categories of Personal Data on behalf of Customer:

• Identity data: Member first and last name, date of birth (if provided)
• Contact data: email address, phone number (if provided)
• Loyalty program data: points balance, tier status, transaction history, reward redemptions, visit records
• Technical data: device identifiers, IP addresses, push notification tokens, browser/OS information
• Preference data: language settings, notification opt-in/opt-out status, communication preferences
• Referral data: referral source, referred contact information (only where Member provides explicit consent)

2.4 Special Categories of Data

LoyalBase does not intentionally collect or process special categories of Personal Data (such as data revealing racial or ethnic origin, health information, biometric data, or financial account numbers). Customer must not configure the Services to collect or process such data without prior written consent from LoyalBase and implementation of appropriate additional safeguards.

2.5 Duration of Processing

Processing will continue for the duration of the active subscription plus thirty (30) days following termination, unless Customer requests earlier deletion. Upon written request within this period, Customer may receive a full data export. After thirty (30) days post-termination, all Personal Data will be permanently and irrecoverably deleted from LoyalBase systems and those of its Sub-processors, except where retention is required by applicable law.

3.1 Documented Instructions

LoyalBase shall process Personal Data only in accordance with Customer's documented instructions as set forth in this DPA, the Terms of Service, and any written instructions provided by Customer through the platform interface or via email to legal@loyalbase.dev. The Services themselves constitute Customer's primary processing instructions.

3.2 Restrictions

LoyalBase shall not: (a) process Personal Data for any purpose other than providing the Services; (b) sell, rent, or commercially exploit Personal Data; (c) combine Personal Data with data from other customers or third-party sources for profiling purposes; or (d) disclose Personal Data to third parties except as authorized under this DPA.

3.3 Conflicting Legal Requirements

If LoyalBase is required by applicable law to process Personal Data in a manner inconsistent with Customer's instructions, LoyalBase shall inform Customer of that legal requirement before processing (unless prohibited by law from doing so), and shall limit processing to what is strictly required by that legal obligation.

5.1 Implemented Measures

LoyalBase implements and maintains appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include:

• Encryption in transit: All data transmitted between users and LoyalBase is encrypted using TLS 1.2 or higher
• Encryption at rest: All Personal Data stored in the LoyalBase database infrastructure is encrypted at rest using AES-256
• Database isolation: Row Level Security (RLS) at the database engine level enforces strict logical tenant separation — no tenant can access another tenant's Member Data
• Access controls: Role-based access control (RBAC) and multi-factor authentication (MFA) required for all administrative access to production systems
• Principle of least privilege: Personnel access is limited to the minimum data and systems required for their role
• Monitoring and alerting: Continuous automated monitoring of production systems for anomalous activity
• Vulnerability management: Regular security reviews and prompt remediation of identified vulnerabilities
• Backup and recovery: Regular automated backups with tested restoration procedures
• Physical security: Data hosted in SOC 2 Type II certified data center infrastructure (via Supabase and Vercel)

5.2 Security Updates

LoyalBase shall review and update its security measures on a regular basis to account for changes in technology and risks. LoyalBase may update these measures over time, provided that updates do not materially decrease the overall level of protection of Personal Data.

5.3 Customer Responsibility

Customer is responsible for implementing and maintaining appropriate security measures on its own systems and for ensuring that any access credentials or API keys provided by LoyalBase are kept confidential and are not shared with unauthorized parties.

6.1 Authorized Sub-processors

Customer grants LoyalBase general authorization to engage the following Sub-processors to assist in delivering the Services. LoyalBase has entered into or will enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA:

• Supabase, Inc. (USA) — Database infrastructure, authentication, and file storage. Data hosted in the Eastern United States region (AWS us-east-1) by default.
• Vercel, Inc. (USA) — Web hosting, serverless computing, and content delivery. Operates globally via edge network.
• Stripe, Inc. (USA) — Payment processing. Stripe acts as an independent data controller for payment card data, which LoyalBase never stores or accesses.
• Resend, Inc. (USA) — Transactional email delivery for system notifications and loyalty communications.
• OneSignal, Inc. (USA) — Push notification delivery for Member-facing loyalty communications.

6.2 New Sub-processors

LoyalBase shall notify Customer at least thirty (30) days in advance of engaging any new Sub-processor that will process Personal Data, by updating this page and sending notice to the email address associated with Customer's account. Customer may object to the engagement of a new Sub-processor within fourteen (14) days of such notice by sending written objection to legal@loyalbase.dev. If Customer objects and the parties cannot resolve the objection, Customer may terminate its subscription without penalty upon written notice, with a pro-rated refund of prepaid but unused fees.

6.3 Sub-processor Liability

LoyalBase shall remain liable to Customer for the acts and omissions of its Sub-processors to the same extent LoyalBase would be liable if performing the services of each Sub-processor directly, subject to the limitations of liability in the Terms of Service.

7.1 Customer Obligations

Customer is solely responsible for providing privacy notices to its Members and obtaining all legally required consents for the processing of Member Data through the Services. Customer must maintain a lawful basis for all processing it instructs LoyalBase to perform.

7.2 LoyalBase Assistance

LoyalBase shall provide Customer with reasonable technical and organizational assistance to fulfill Customer's obligations to respond to Data Subject requests to exercise rights under Applicable Data Protection Law, including rights of access, correction, deletion, portability, restriction, and objection. LoyalBase will make available in the platform dashboard the following self-service tools: Member account deletion, Member data export, and Member consent management.

7.3 Direct Requests

If LoyalBase receives a Data Subject rights request directly from a Member, LoyalBase shall promptly notify Customer (where legally permissible) and shall not respond to such request without Customer's written authorization, except as required by applicable law.

8.1 Notification Obligation

LoyalBase shall notify Customer of any confirmed Security Incident involving Personal Data without undue delay and, where feasible, no later than seventy-two (72) hours after LoyalBase becomes aware of the incident. Notification will be sent to the email address associated with Customer's account.

8.2 Notification Content

The breach notification shall include, to the extent available at the time of notice:

• A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and Personal Data records affected
• Contact details of LoyalBase's data protection point of contact (security@loyalbase.dev)
• A description of the likely consequences of the Security Incident
• A description of the measures taken or proposed to address the Security Incident and mitigate its effects

8.3 Cooperation

LoyalBase shall cooperate with Customer and provide Customer with further information necessary for Customer to meet its own breach notification obligations to Data Subjects and supervisory authorities under Applicable Data Protection Law. LoyalBase shall take all reasonable measures to contain and mitigate the Security Incident.

8.4 Customer Obligations

Customer is solely responsible for determining whether the Security Incident triggers any notification obligations to Data Subjects or regulatory authorities, and for fulfilling those obligations. LoyalBase's notification to Customer under this Section does not constitute an admission of fault or liability.

10.1 Information and Documentation

LoyalBase shall make available to Customer, upon written request, all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA, including summaries of relevant security certifications, audit reports, or penetration testing results, subject to appropriate confidentiality restrictions.

10.2 Audits

Customer may request an audit of LoyalBase's processing activities covered by this DPA no more than once per calendar year, with at least thirty (30) days' prior written notice. Customer audits shall be conducted during regular business hours, in a manner that minimizes disruption to LoyalBase's operations, and at Customer's sole expense. LoyalBase may satisfy its audit obligations by providing Customer with reports prepared by qualified independent third parties. Any audit findings are confidential information of both parties.

16.1 Precedence

In the event of any conflict or inconsistency between this DPA and the Terms of Service with respect to the subject matter of data protection, this DPA shall prevail. In all other respects, the Terms of Service shall govern.

16.2 Severability

If any provision of this DPA is found to be unenforceable, the remaining provisions shall remain in full force and effect.

16.3 Entire Agreement

This DPA, together with the Terms of Service, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior agreements, understandings, and representations regarding the same subject matter.

16.4 Amendments

LoyalBase may update this DPA from time to time. Material changes will be communicated to Customer by email at least thirty (30) days in advance. Customer's continued use of the Services after the effective date of any change constitutes acceptance of the updated DPA. If Customer does not accept the changes, Customer may terminate its subscription as provided in the Terms of Service.