Data Processing Addendum
Bailar's GDPR Article 28 / CCPA Service Provider / Quebec Law 25 data-processing commitments to Studios and other customers acting as data controllers.
Effective Date: May 24, 2026
This Data Processing Addendum (the “DPA”) is entered into between Bailar, Inc., a Delaware corporation (successor by statutory conversion effective May 4, 2026 to Bailar LLC, a Florida limited liability company) (“Bailar,” the “Processor”) and the customer that has accepted Bailar’s Studio Master Terms or otherwise contracted with Bailar to use the Bailar Studio Service or any associated Bailar API (the “Customer,” the “Controller”). The DPA forms part of, and supplements, the agreement between the parties (the “Principal Agreement”) and governs Bailar’s processing of personal data on the Customer’s behalf in connection with the Customer’s use of the Bailar Studio Service.
Where the parties’ Principal Agreement does not require a DPA — for example, where Bailar and the Customer act as independent controllers of consumer personal data flowing through the Bailar marketplace — this DPA applies only to the limited set of activities for which the Customer determines the purposes and means of processing and Bailar acts on the Customer’s documented instructions. The Customer’s upload of a contact list, an existing customer roster, attendance records, or other Studio-Controlled Data into the Studio Service is sufficient documented instruction for Bailar to begin processing under this DPA.
1. DEFINITIONS
1.1 “Applicable Data Protection Law” means all laws and regulations applicable to the processing of personal data under the Principal Agreement, including: the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”); the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection (“Swiss FADP”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq., the “CCPA”); the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”); Quebec’s Act respecting the protection of personal information in the private sector (“Quebec Law 25”); the Mexican Ley Federal de Protección de Datos Personales en Posesión de los Particulares (“LFPDPPP”); and any other privacy or data-protection law applicable to a party in connection with the Principal Agreement.
1.2 Terms not otherwise defined in this DPA — including “controller,” “processor,” “personal data,” “data subject,” “processing,” “sub-processor,” “business,” “service provider,” “sale,” and “sharing” — have the meanings given to them in Applicable Data Protection Law. References to “controller” include “business” under the CCPA; references to “processor” include “service provider” under the CCPA.
1.3 “Customer Personal Data” means the personal data that Bailar processes on the Customer’s behalf under this DPA, as further described in Annex I.
2. ROLES AND SCOPE
2.1 With respect to Customer Personal Data, the Customer is the controller (or, under the CCPA, the business) and Bailar is the processor (or, under the CCPA, the service provider).
2.2 Bailar will process Customer Personal Data only on the documented instructions of the Customer (including via the Studio dashboard, API calls, and the configuration choices the Customer makes), for the limited and specified purposes set out in Annex I, and as necessary to comply with Applicable Data Protection Law. If Bailar is required by law to process Customer Personal Data otherwise, Bailar will inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
2.3 Bailar will not (a) sell or share Customer Personal Data within the meaning of the CCPA or any equivalent state-privacy law; (b) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Bailar and the Customer; (c) combine Customer Personal Data with personal data Bailar receives from any other source for purposes outside the documented business purpose; or (d) use Customer Personal Data to train third-party general-purpose AI foundation models for commercial sale or sublicense.
2.4 Bailar will promptly inform the Customer if, in Bailar’s opinion, an instruction from the Customer infringes Applicable Data Protection Law.
3. STAFF AND CONFIDENTIALITY
Bailar will ensure that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to personnel who need access for the documented purposes.
4. SECURITY MEASURES
4.1 Bailar will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are described in Annex II.
4.2 The measures are subject to technical progress and development. Bailar may update them from time to time, provided that the updates do not materially reduce the overall level of security of the Customer Personal Data.
5. SUBPROCESSORS
5.1 The Customer grants Bailar a general authorization to engage subprocessors to process Customer Personal Data, subject to the conditions in this Section 5. Bailar’s current list of subprocessors is published at bailar.site/legal/subprocessors and is incorporated into this DPA by reference.
5.2 Before engaging a new subprocessor (other than a successor to an existing subprocessor in a routine reorganization), Bailar will give the Customer at least thirty (30) days’ advance notice by updating the published subprocessor list (or, if the Customer has registered for change notifications, by emailing the registered contact). During the notice period, the Customer may object to the new subprocessor on reasonable data-protection grounds by emailing privacy@bailar.site. If the parties cannot resolve the objection within thirty (30) days of receipt, the Customer may terminate the affected portion of the Principal Agreement (without penalty other than payment of fees owed for services already provided).
5.3 Bailar will impose on each subprocessor, by written contract, data-protection obligations substantially equivalent to those imposed on Bailar under this DPA. Bailar remains liable to the Customer for the acts and omissions of its subprocessors with respect to Customer Personal Data.
6. INTERNATIONAL DATA TRANSFERS
6.1 Bailar is established in the United States and processes Customer Personal Data in the United States and in other countries where its subprocessors operate (as listed at bailar.site/legal/subprocessors).
6.2 EU / EEA, UK, Switzerland. Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the parties incorporate the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914, the “EU SCCs”), as amended from time to time. For these purposes, Module 2 (controller to processor) applies; the Customer is the data exporter and Bailar is the data importer. The optional docking clause is incorporated; the supervisory authority is the lead authority of the Customer (or, where the Customer has none, the Irish Data Protection Commission). For UK transfers, the parties also incorporate the UK International Data Transfer Addendum issued by the Information Commissioner’s Office. For Swiss transfers, the parties incorporate the equivalent Swiss-FADP SCCs / supplements.
6.3 Canada and Quebec. For transfers from Canada and Quebec, Bailar has assessed the data-protection regimes of the destination jurisdictions in accordance with PIPEDA Principle 4.1.3 and Article 17 of Quebec Law 25 and relies on contractual safeguards with each subprocessor and on the technical measures in Annex II.
6.4 Other transfers. Where Applicable Data Protection Law in another jurisdiction requires a specific transfer mechanism, the parties will negotiate in good faith to incorporate that mechanism.
7. ASSISTANCE TO THE CONTROLLER
7.1 Bailar will, taking into account the nature of the processing, assist the Customer through appropriate technical and organizational measures (insofar as possible) to fulfil the Customer’s obligations to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.
7.2 Bailar will assist the Customer with compliance with the security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations of the Customer under Applicable Data Protection Law (including GDPR Articles 32 to 36 and equivalents), taking into account the nature of the processing and the information available to Bailar.
8. BREACH NOTIFICATION
Bailar will notify the Customer without undue delay (and in any event within seventy-two (72) hours of becoming aware of a personal-data breach involving Customer Personal Data) by emailing the Customer’s registered administrative contact and, where reasonably available to Bailar, the email on the Customer’s Stripe Connect account. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. Bailar will provide further information as it becomes available.
9. AUDITS
9.1 Bailar will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing the most recent SOC 2-class audit reports (or equivalent independent assessments) of its key subprocessors that Bailar receives, and Bailar’s own security overview, on the Customer’s reasonable request.
9.2 Where the information described in Section 9.1 is not sufficient to demonstrate compliance, the Customer may, on reasonable notice and no more than once per calendar year (except where required by an investigation by a data protection authority), conduct an audit (or mandate an independent third-party auditor to conduct an audit) of Bailar’s processing of Customer Personal Data, at the Customer’s cost, during normal business hours, and subject to a reasonable confidentiality undertaking.
10. RETURN AND DELETION
On termination of the Principal Agreement and at the Customer’s option, Bailar will, within thirty (30) days, return Customer Personal Data to the Customer (in a structured, commonly-used, machine-readable format) or delete it. Bailar may retain Customer Personal Data thereafter only (a) in encrypted disaster-recovery backups for the rolling-90-day window described in the Privacy Policy, after which it is rotated out; (b) in aggregated or de-identified form that does not identify any data subject; or (c) where retention is required by law.
11. ORDER OF PRECEDENCE AND TERM
11.1 This DPA applies for the duration of the Principal Agreement and survives termination to the extent necessary for Bailar to comply with Section 10 (Return and Deletion) and any post-termination obligations under Applicable Data Protection Law.
11.2 In the event of a conflict between this DPA and the Principal Agreement, this DPA controls with respect to Bailar’s processing of Customer Personal Data. In the event of a conflict between this DPA and the EU SCCs (where incorporated), the EU SCCs control with respect to transfers governed by them.
ANNEX I — SCOPE OF PROCESSING
Subject matter. Provision of the Bailar Studio Service (and any Bailar APIs used by the Customer) to the Customer under the Principal Agreement.
Nature and purpose of the processing. Hosting, transmitting, displaying, indexing, ranking, recommending, moderating, and operationally supporting Customer Personal Data within the Bailar Studio Service so that the Customer can operate its dance studio, school, instructor practice, or event series; sending transactional and lifecycle communications on the Customer’s behalf; producing operational analytics and reports for the Customer; and providing technical support.
Duration of the processing. The term of the Principal Agreement plus the retention windows described in Section 10 and the Privacy Policy.
Categories of data subjects. The Customer’s own students, prospective students, members, attendees, instructors, contractors, and the Customer’s personnel who access the Studio dashboard.
Categories of personal data. Identification data (name, contact details); profile data (dance experience, preferences); booking and attendance data; communications between the Customer and its data subjects through the Bailar Studio Service; payment metadata (the underlying payment is processed by Stripe under Stripe’s own terms); and any other data the Customer chooses to upload into the Studio Service.
Sensitive categories. The Studio Service is not designed to process special categories of personal data under GDPR Article 9 (health, biometrics, race, religion, sexual orientation, political opinion). The Customer agrees not to upload such data into the Studio Service without first obtaining a written confirmation from Bailar that the Service is suitable for that use.
ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES
Access control. Role-based access control, single-sign-on for Bailar personnel, two-factor authentication for sensitive surfaces, least-privilege access provisioning, access logging, and periodic access review.
Encryption. Encryption in transit (TLS 1.2 or higher) on all customer-facing endpoints and on inter-service traffic; encryption at rest for primary databases, object storage, and disaster-recovery backups (provider-managed AES-256 or equivalent).
Network security. Cloud-provider-managed network segmentation; web application firewall; DDoS protection at the CDN edge (Cloudflare); rate limiting and bot mitigation on public endpoints.
Application security. Secure software-development lifecycle, code review for security-relevant changes, dependency scanning, secrets management, periodic vulnerability assessment, and automated CI/CD with required checks.
Operational security. Centralized logging and alerting (Sentry, Slack); audit trail of administrative actions; documented incident-response process and on-call rotation; published vulnerability-disclosure policy (bailar.site/legal/vulnerability-disclosure) with a safe-harbor commitment to good-faith researchers.
Backup and disaster recovery. Daily encrypted backups of the primary database with point-in-time recovery; rolling 90-day retention; geographic redundancy through the cloud provider; documented restore procedure.
Personnel. Confidentiality obligations for all personnel; security-awareness training; background screening proportionate to role; immediate access revocation on departure.
Vendor management. Subprocessor selection criteria favouring vendors offering standard DPAs and recognized third-party security attestations; documented vendor review process.
CONTACT
Bailar, Inc.
Attn: Privacy Officer
401 Ocean Dr, Suite 404
Miami Beach, FL 33139
United States
privacy@bailar.site