Data Processing Agreement

This Data Processing Agreement governs how ILOVEPDF processes personal data on behalf of the Controller in accordance with Regulation (EU) 2016/679 (GDPR).

This data processing agreement (the "Data Processing Agreement") constitutes the processing agreement applicable to the processing of personal data that ILOVEPDF ("ILOVEPDF"), with CIF B66921552 and registered office at Calle Sabino de Arana, 60, 08028 Barcelona, carries out on your behalf in relation to the personal data that it processes in accordance with the provisions below.

In this regard, ILOVEPDF will provide you with certain services delivered through the software or computer programs owned by ILOVEPDF. The use of these services will require access to and processing by ILOVEPDF, as a processor (hereinafter referred to as the "processor") of certain personal data for which you act as a controller (hereinafter referred to as the "controller").

This Processing Agreement forms part of the ILOVEPDF Terms and Conditions and will apply upon acceptance of the Terms and Conditions. In the event of any conflict, opposition or contradiction between the Terms and Conditions and the Processing Contract, the Processing Contract shall prevail over the Terms and Conditions.

That, in order to comply with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), the controller and the processor sign this Processing Contract in accordance with the following



CLAUSES

Clause 1

Purpose and scope

  1. The purpose of the Processing Agreement is to ensure compliance with Article 28(3) and (4) of the GDPR.
  2. The controller and the processor have consented to be bound by this Agreement in order to ensure compliance with Article 28(3) and (4) of the GDPR.
  3. This Processing Agreement applies to the processing of personal data specified in Annex I.
  4. Annexes I and II are part of the Processing Agreement.
  5. These terms and conditions are without prejudice to the obligations to which the controller is subject by virtue of the GDPR.
  6. These terms and conditions do not by themselves ensure compliance with the obligations related to international transfers in accordance with Chapter V of the GDPR.

Clause 2

Interpretation

  1. When terms defined in the GDPR are used in this Processing Agreement, they are understood to have the same meaning as in the GDPR.
  2. This Processing Agreement shall be read and interpreted in the light of the provisions of the GDPR.
  3. This Data Processing Agreement shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR and/or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 3

Hierarchy

In the event of a contradiction between this Processing Agreement and the provisions of related agreements between the Parties existing at the time when these terms and conditions are agreed or entered into thereafter, this Processing Agreement shall prevail.

Clause 4

Description of processing(s)

Annex I specifies the details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller.

Clause 5

Obligations of the Parties

5.1. Instructions

  1. The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement prior to processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of the personal data. These instructions shall always be documented.
  2. The processor shall immediately inform the controller if, in the processor's opinion, instructions given by the controller infringe the GDPR or the applicable Union or Member State law on data protection provisions.

5.2. Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the controller.

5.3. Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex I.

5.4. Security of processing

  1. The processor shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
  2. The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.5. Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person's sex life or sexual orientation, or data relating to criminal convictions and offences ("sensitive data"), the processor shall apply specific restrictions and/or additional safeguards.

5.6. Documentation and compliance

  1. The Parties shall be able to demonstrate compliance with this Data Processing Agreement.
  2. The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with this Processing Agreement.
  3. The processor shall make available to the controller or an independent third party all information necessary to demonstrate compliance with the obligations that are set out in this Processing Agreement and that stem directly from the GDPR. At the controller's request, the processor shall also permit and contribute to audits of the processing activities covered by this Data Processing Agreement. The audits will be limited materially and temporally to what is strictly necessary so that the controller can carry out the necessary checks in the event of suspicion - duly justified in advance in writing - of non-compliance with any of the points of this Data Processing Agreement by the data processor. In any case, the audits will have the exclusive purpose of verifying the circumstances of the non-compliance, will be limited to a maximum of one (1) audit per year and must be notified at least one (1) month in advance. In any case, the audits will be carried out at the expense of the data controller.
  4. The parties shall make available to the competent supervisory authorities, at their request, the information referred to in this clause and, in particular, the results of the audits.

5.7. Use of sub-processors

The processor has the controller's general authorisation for the engagement of sub-processors. The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object. Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject under this Processing Agreement and the GDPR.

The processor shall remain fully responsible to the controller for the performance of the sub-processor's obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.

5.8. International transfers

  1. Data transfers to a third country or to an international organisation by the processor will be carried out in accordance with Chapter V of the GDPR.
  2. The controller agrees that where the processor engages a sub-processor in accordance with clause 5.7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the processor and the sub-processor can ensure compliance with Chapter V of the GDPR by: (i) transferring personal data to countries for which the European Commission has adopted an adequacy decision pursuant to Article 45 of the GDPR; or (ii) using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met. As a general rule, and unless the controller has selected otherwise, the processor processes your personal data within the European Economic Area. Notwithstanding the above, and for controllers from outside the European Economic Area, in order to optimize the performance and efficiency of our services, the processor may process your personal data in geographic areas closer to your location, provided that the foregoing safeguards are implemented.
  3. In addition, if there is a communication of personal data from the processor to the controller that entails a transfer of personal data within the meaning of Chapter V of the GDPR, the processor and the controller shall enter into the standard contractual clauses (module 4) attached as Appendix II.

Clause 6

Assistance to the controller

  1. The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
  2. The processor will forward to the controller any requests for the exercise of rights of the data subjects that it receives and whose response corresponds to the controller because they refer to personal data for which the controller acts as the data controller.
  3. In addition to the processor's obligation to assist the controller pursuant to Clause 6(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
    1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ('a data protection impact assessment') where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
    3. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
    4. the obligations in Article 32 of the GDPR.
  4. The Parties shall set out in Annex II the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this clause, as well as the scope and the extent of the assistance required.

Clause 7

Notification of personal data breach

  1. In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of the GDPR, taking into account the nature of processing and the information available to the processor.
  2. In the event of a breach of the security of personal data processed by the processor on behalf of the controller, the processor shall notify the controller without undue delay once the processor is aware of it. Such notification shall include at least:
    1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
    2. the details of a contact point where more information concerning the personal data breach can be obtained;
    3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
     Where and to the extent that not all information can be provided at the same time, the information then available shall be provided in the initial notification and, as it is collected, additional information shall be provided without undue delay.

Version control: 4th February, 2026

ANNEX I: DESCRIPTION OF THE PROCESSING

Categories of data subjects whose personal data is processed
Those categories of data subjects whose data is contained in the files that the controller uploads when using the services provided by ILOVEPDF (for example, employees, customers, suppliers, etc.).

Categories of personal data processed
Those categories of personal data that are included in the files that the controller uploads when using the services provided by ILOVEPDF.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Special categories of personal data will be processed to the extent that the files that the controller uploads when using the services provided by ILOVEPDF contain such special categories of personal data.

Nature of the processing
The processor will carry out all actions that are necessary to provide the services (e.g. conversion, editing and compression of the document containing the personal data).

Purpose(s) for which the personal data is processed on behalf of the controller
To provide the services on behalf of ILOVEPDF.

Duration of the processing
To the extent strictly necessary to provide the services.

Sub-processors and type of services provided

In the context of providing its services, ILOVEPDF uses third-party service providers acting as sub-processors of personal data. Among them, ILOVEPDF has OVHcloud, a provider of web hosting and cloud computing solutions, which provides technological infrastructure services to ensure the secure storage of data and the operational continuity of the platform.

  • Sub-processor's identity: OVH Groupe SA (OVHcloud).
  • Services provided: Cloud hosting infrastructure and data centers.
  • Server Location: Within the European Economic Area (France).
  • Object of processing: storage and management of data within the cloud infrastructure environment used by ILOVEPDF.
  • Nature of the processing: hosting data on dedicated, virtual and cloud servers, in order to guarantee the availability, security and operability of the ILOVEPDF platform.
  • Duration of processing: during the contractual relationship between ILOVEPDF and OVHcloud, and in any case, until the effective deletion of the data in accordance with applicable regulations and ILOVEPDF's data retention policies.

OVHcloud acts as a sub-processor in accordance with ILOVEPDF's instructions, applying appropriate technical and organisational measures to ensure the protection of personal data in accordance with Regulation (EU) 2016/679 (GDPR) and other applicable data protection regulations.

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The processor shall apply the following technical and organizational security measures to the processing activities carried out under this Processing Agreement:

  • Technical measures to protect against interception, copying, modification, routing errors and destruction of the transferred information.
  • Technical procedures and internal policies to detect, protect and mitigate malicious applications (malware) that could be transmitted through electronic communications.
  • Technical protection of sensitive information when transmitted as attachments.
  • Internal policy on the acceptable use of communication resources.
  • Organisational measures to ensure the responsibility of all users (staff and third parties) with authorised access to the processor's resources with respect to their own information.
  • Use of cryptographic techniques to protect the confidentiality, integrity and authenticity of information.
  • Organizational guidelines for the retention and disposal of all business correspondence, including messages, in accordance with relevant national and local laws and regulations.
  • Recurring information and establishment of internal policies for staff regarding the non-disclosure of confidential information, for purposes such as: not leaving messages containing sensitive information on answering machines, not having confidential conversations in public places, not using insecure communication channels, not having confidential conversations in open offices, etc.