Data Processing Agreement

1. Definitions

"Controller" means the customer organisation that determines the purposes and means of processing. "Processor" means Better Execute Pty Ltd. "Personal Data", "Processing", "Data Subject", and "Sub-processor" have the meanings given under applicable data protection law.

2. Roles

The customer is the Controller of Personal Data processed via the Service. Better Execute Pty Ltd acts as Processor on behalf of the Controller for data submitted to the Service.

3. Processing Details

Subject matter: Provision of the Better Execute strategy and execution platform.

Duration:For the term of the customer's subscription, plus any retention period described in the Privacy Policy.

Nature and purpose: Hosting, storage, and processing of customer data to deliver the Service, including AI features where enabled.

Types of data: Names, email addresses, job titles, user-generated content (projects, tasks, notes, strategy content, scorecard entries, meeting notes), and usage data.

Categories of data subjects:Customer's employees and authorised users of the Service.

4. Processor Obligations

The Processor shall: (a) process Personal Data only on documented instructions from the Controller (these Terms and any written agreement); (b) ensure personnel with access to Personal Data are bound by confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist the Controller with data subject access, correction, and deletion requests; (e) notify the Controller without undue delay of any Personal Data breach; (f) delete or return Personal Data upon written request at end of the agreement.

5. Sub-processors

We engage the following sub-processors to operate the Service. All are bound by data processing terms consistent with this DPA:

• Vercel Inc. — application hosting (United States)
• Neon Inc. — database hosting (United States)
• Stripe Inc. — payment processing (United States)
• OpenAI LLC — AI inference for AI features (United States)
• Postmark (Wildbit LLC) / Resend — transactional email delivery (United States)
• Sentry (Functional Software Inc.) — error monitoring (United States)

We will notify Customers of any material changes to sub-processors at least 14 days in advance via email or in-app notice.

6. International Transfers

Sub-processors operate primarily in the United States. By accepting this DPA, the Controller consents to Personal Data being transferred to and processed in the United States and other countries where sub-processors operate, subject to appropriate contractual safeguards with each sub-processor.

7. Security Incidents

The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach, and will provide information reasonably required to assist the Controller in meeting any applicable breach notification obligations.

8. Audits

The Controller may request written information from the Processor to verify compliance with this DPA no more than once per year and upon reasonable notice. The Processor will respond within 30 days. Where available, the Processor may provide third-party audit reports (e.g. SOC 2) in lieu of Controller-conducted audits.

9. Governing Law

This DPA is governed by the laws of Queensland, Australia, consistent with the Terms of Service.

10. Contact

DPA and data protection enquiries: legal@betterexecute.com