Partner.io (“Processor”), a SaaS platform operated by Unbeatable Group LLC, registered in California, USA, with principal offices at 2211 Michelson Dr, Irvine, CA 92612, and the Client (“Controller”), each a “Party” and together the “Parties.”

‍1. Purpose and Scope
‍1.1 This DPA forms part of the main service agreement (“Agreement”) between the Parties and governs Partner.io’s processing of personal data on behalf of the Controller.
1.2 Partner.io provides partner relationship management software (“Services”), through which Controller’s users, partners, and customers’ personal data may be processed.
1.3 The Parties agree to comply with applicable data protection laws, including the UK GDPR, EU GDPR, Data Protection Act 2018, and California Consumer Privacy Act (CCPA).

‍2. Roles and Responsibilities
‍2.1 Controller determines the purposes and means of processing personal data.
2.2 Processor (Partner.io) processes personal data only on documented instructions from the Controller, except where required by law.
2.3 Partner.io shall ensure all personnel authorized to process personal data are bound by confidentiality obligations.

‍3. Nature and Purpose of Processing
To provide, maintain, and improve the Partner.io SaaS platform, including analytics, reporting, and communication. Duration of Agreement + 90 days (for deletion and backup cycles)

‍4. Security Measures
‍Partner.io shall implement and maintain appropriate technical and organizational measures to protect personal data, including but not limited to:Encryption in transit (TLS 1.2+) and at rest (AES-256); Role-based access controls and MFA;Regular vulnerability scanning and penetration testing;Logging, monitoring, and incident response procedures;Data segregation and secure backups;SOC 2 (Type II) aligned controls.

‍5. Sub-Processors
‍5.1 Partner.io may engage sub-processors to deliver its Services.
5.2 Partner.io maintains an up-to-date list of sub-processors at partner.io/legal/subprocessors.
5.3 Partner.io shall ensure each sub-processor is bound by equivalent data protection obligations as those set out in this DPA.
5.4 The Controller may object to a new sub-processor within 14 days of notification if it has reasonable grounds relating to data protection.

‍6. Data Subject Rights
‍Partner.io shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable data protection laws (access, rectification, erasure, portability, restriction, objection).

‍7. International Transfers
‍7.1 Partner.io may transfer personal data outside the UK, EEA, or Switzerland, provided it ensures adequate safeguards are in place under Articles 44–49 GDPR.
7.2 These safeguards may include Standard Contractual Clauses (SCCs), the UK Addendum, or reliance on adequacy decisions.

‍8. Data Breach Notification
‍In the event of a personal data breach, Partner.io shall: Notify the Controller without undue delay (within 72 hours where feasible);Provide all relevant details to support investigation and mitigation;Cooperate with the Controller and regulatory authorities as required.

‍9. Data Retention and Deletion
‍9.1 Upon termination of the Agreement, Partner.io shall delete or return all personal data within 90 days, unless legal obligations require retention.
9.2 Backup copies shall be securely erased within standard rotation cycles.

‍10. Audits and Compliance
‍10.1 Partner.io shall make available all necessary documentation to demonstrate compliance.
10.2 Controller may request an independent audit or SOC 2 Type II report annually, subject to reasonable notice and confidentiality obligations.

‍11. Liability and Indemnification
‍11.1 Each Party’s liability under this DPA is subject to the limitations of liability in the main Agreement.
11.2 Partner.io shall not be liable for compliance failures resulting from Controller’s unlawful instructions.

‍12. Governing Law and Jurisdiction
‍This DPA shall be governed by: UK GDPR and English law, if the Controller is based in the UK or EEA; or California law, if the Controller is based in the United States.
‍
Any disputes shall be resolved in the courts of London, UK, or California, USA, as applicable.

‍13. Miscellaneous
‍This DPA supersedes any prior agreements regarding data processing.Amendments must be made in writing and signed by both Parties. If any provision is held invalid, the remaining terms shall remain in full effect.