Data Processing Addendum (DPA)
Last Updated: May 27, 2025
This Data Processing Addendum (“DPA”) forms part of the Cometly Terms of Service or other agreement governing the use of Cometly (“Agreement”) entered into by and between Comet LLC d/b/a Cometly (“Cometly,” “Processor,” “we,” “us,” or “our”) and you, the Client (“you,” “your,” “Controller,” or “Customer”). This DPA outlines the terms under which Cometly processes Personal Data on behalf of the Customer in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).
By using our Services, you accept this DPA and represent and warrant that you have full authority to bind your organization to it. If you cannot or do not agree to be bound by this DPA, do not provide Personal Data to us.
1. Definitions
- “Cometly”: Comet LLC d/b/a Cometly, organized under the laws of the Commonwealth of Pennsylvania (USA) with an address at 41 University Drive, Suite 400, Newtown, Pennsylvania 18940 United States.
- “Controller” (or “Customer”): The natural or legal person who determines the purposes and means of processing Personal Data; here, you.
- “Processor”: Cometly, processing Personal Data on behalf of Controller.
- “Personal Data”: Any information relating to an identified or identifiable natural person that you provide or make available to Cometly for processing under the Agreement and this DPA.
- “Sub-Processor”: A third party authorized by Cometly to process Personal Data on its behalf.
- “Data Protection Laws”: All applicable laws and regulations regarding data protection and privacy, including GDPR, UK GDPR, CCPA, CPRA, and similar laws.
- “Data Subject”: An individual who is the subject of Personal Data.
- “Processing”: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Personal Data Breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Scope and Roles
- Roles: Cometly acts as a Processor, and you (Customer) act as the Controller for any Personal Data processed under the Agreement.
- Processing Instructions: Cometly will process Personal Data only according to your documented instructions, which include the Agreement, this DPA, and any other written instructions Cometly acknowledges.
- Compliance: Cometly commits to processing Personal Data in compliance with all applicable Data Protection Laws and maintaining the confidentiality and security of Personal Data.
3. Controller’s Obligations
3.1 Lawful Basis
You must ensure that you have all necessary consents or other lawful bases to collect and provide Personal Data to Cometly for processing under this DPA.
3.2 Restrictions on Personal Data
You shall not supply Cometly with sensitive or special categories of Personal Data unless expressly agreed in writing and in full compliance with applicable Data Protection Laws.
3.3 Accuracy of Personal Data
You are responsible for the accuracy, quality, and legality of Personal Data and the means by which you acquired it.
3.4 Compliance with Data Protection Laws
You shall comply with all applicable Data Protection Laws in your use of the Services, including obligations related to data subject rights, data security, and data breach notifications.
Consent Management Responsibilities:
- Implementation: If your use of the Licensed Software involves the collection of personal data through tracking scripts, cookies, or similar mechanisms, you are solely responsible for obtaining valid end-user consent where required by applicable laws. This includes implementing and maintaining appropriate consent mechanisms (e.g., cookie banners, consent management platforms) to ensure compliance with local requirements. For a technical guide on gating Cometly behind your cookie banner, see our user consent cookie banner help article in our help center.
- Maintenance: While Cometly may provide tools or guidance to assist with integration, you retain full responsibility for configuring and maintaining such mechanisms to meet the requirements of all jurisdictions where you operate.
- Compliance: You acknowledge that you are solely responsible for ensuring that your use of the Licensed Software, including consent management, complies with all applicable legal and regulatory requirements as outlined in our Privacy Policy and Terms of Service (TOS).
4. Processor’s Obligations
4.1 Confidentiality
Cometly ensures that individuals authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Security Measures
Cometly implements and maintains industry-standard technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, but are not limited to:
- Encryption: Personal Data is encrypted in transit (using TLS 1.2+ protocols) and at rest (using AES-256 or equivalent encryption standards).
- Access Controls: Role-based access controls, multi-factor authentication (MFA) for administrative accounts, and strict access protocols to limit access to Personal Data to authorized personnel only.
- Data Minimization: Personal Data processed is limited to what is necessary for the purposes defined in the Agreement.
- Regular Audits: Periodic security assessments and audits to ensure compliance with security policies and identify potential vulnerabilities.
4.3 Data Subject Requests
Cometly will provide assistance, as feasible, to help you respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (e.g., access, rectification, erasure, restriction of processing, data portability, objection).
4.4 Breach Notification
In the event of a Personal Data Breach, Cometly will notify you without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
- The likely consequences of the breach.
- The measures taken or proposed to be taken by Cometly to address the breach and mitigate its potential adverse effects.
4.5 Return or Deletion of Personal Data
Upon termination of the Agreement, Cometly will, at your choice, delete or return all Personal Data processed on your behalf, and delete existing copies unless retention is required by applicable law. If deletion is not feasible, Cometly will restrict further processing of the Personal Data.
4.6 Sub-Processors
Cometly may engage Sub-Processors to provide certain functionalities (e.g., hosting, analytics, payment processing) that require processing of Personal Data, subject to the terms of our Privacy Policy and Third-Party Sub-Processors list.
Cometly maintains an up-to-date list of Sub-Processors used for data processing on your behalf, available at: https://www.cometly.com/sub-processors. We will notify you of any new Sub-Processors via email or in-app notice. You have the right to object to the use of a new Sub-Processor by providing a written objection within this period. If we cannot reasonably accommodate your objection, you may terminate this Agreement under Section 9.3 Termination by Customer.
Obligations of Sub-Processors: Cometly ensures that Sub-Processors are bound by written agreements that impose data protection obligations no less protective than those contained in this DPA. Cometly remains fully liable to you for the performance of Sub-Processors’ obligations.
4.7 International Data Transfers
Cometly processes and stores Personal Data primarily in the United States. For Personal Data originating from the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, Cometly ensures that such transfers are conducted in accordance with applicable Data Protection Laws. This includes utilizing Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Addendum, as applicable.
Supplementary Measures: Cometly implements additional safeguards to ensure an equivalent level of protection as required under GDPR, including encryption, pseudonymization, and data minimization.
Controller’s Responsibilities: If required by applicable law, you are responsible for notifying and obtaining consent from your end users regarding data transfers and ensuring compliance with local jurisdictional requirements.
5. Audits and Monitoring
5.1 Audit Rights
Upon reasonable request, Cometly will make available information necessary to demonstrate compliance with this DPA, including third-party certifications, summaries of security measures, and relevant policies.
5.2 Further Audits
Further audits may be conducted in accordance with the terms and frequency specified in the Agreement or as required by law. Such audits will be performed by an independent auditor at Cometly’s expense, provided that the audit scope is reasonable and does not unreasonably interfere with Cometly’s business operations.
6. Liability and Indemnification
6.1 Liability
The liability provisions in the Agreement apply to this DPA unless prohibited by law. To the extent permitted by law, Cometly’s total aggregate liability under this DPA shall not exceed the amounts paid or payable by you to Cometly for the Services in the twelve (12) months immediately preceding the claim.
(a) IF YOU HAVE NOT PAID ANY AMOUNTS TO COMETLY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE CLAIM, COMETLY’S LIABILITY SHALL BE LIMITED TO $10,000.
6.2 Indemnification
- Customer Indemnification: You shall defend, indemnify, and hold Cometly harmless from any claims, damages, liabilities, costs, and expenses arising out of or related to your breach of this DPA or the Agreement, including any claims that arise from the processing of Personal Data in violation of applicable Data Protection Laws.
6.3 Exclusive Remedy
The remedies set forth in this DPA are the sole and exclusive remedies available to the parties for any breach of this DPA.
7. Miscellaneous
7.1 Duration
This DPA remains in effect as long as Cometly processes Personal Data on your behalf under the Agreement.
7.2 Governing Law
This DPA is governed by and construed in accordance with the laws specified in the Agreement. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.
7.3 Modifications
Cometly may update this DPA from time to time to reflect changes in data protection practices or legal requirements. If the changes are material, Cometly will notify you via email or through your account dashboard. Continued use of the Services after such changes constitutes your acceptance of the updated DPA.
7.4 Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail solely with respect to the processing of Personal Data.
7.5 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
7.6 Assignment
Neither party may assign or transfer this DPA without the prior written consent of the other party, except to a successor in connection with a merger, acquisition, or sale of all or substantially all assets.
7.7 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes any prior agreements or understandings, whether written or oral, related to such processing.
8. Contact Information
If you have any questions about this DPA, please contact us at:
Comet LLC d/b/a Cometly
41 University Drive
Suite 400
Newtown, Pennsylvania 18940
United States
Email: support@cometly.com