Data Processing Addendum

Last updated: March 2026 · SELLF LLC · Effective immediately

[BOTH] -- This DPA applies to all SELLF LLC services and governs the processing of personal data on behalf of users who are subject to GDPR, UK GDPR, CCPA/CPRA, or other applicable data protection laws.

1. Parties & Roles

Data Controller

You (the SELLF-X user or SELLF AI customer) are the Data Controller. You determine the purposes and means of processing personal data of your prospects, contacts, and end users.

Data Processor

SELLF LLC is the Data Processor. We process personal data on your behalf, strictly according to your instructions and these Terms.

For personal data that SELLF LLC collects directly from end users (e.g., account registration data, billing data), SELLF LLC acts as the Data Controller for that data under its own Privacy Policy.

2. Scope of Processing

SELLF LLC processes the following categories of personal data on your behalf:

Category | Examples | Purpose
Contact Data | Name, email, phone number | Signal Engine outreach, AI twin conversations
Professional Data | Job title, company, industry | Lead scoring, role detection
Behavioral Data | Conversation transcripts, engagement signals | Lead scoring, AI twin training
Video/Audio Data | Your recorded video for AI twin | Digital twin generation (via Tavus)
Usage Data | Feature usage, session data | Product improvement, analytics

3. SELLF LLC's Obligations as Processor

  • Process personal data only on your documented instructions and not for any other purpose.
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.
  • Assist you in responding to data subject requests (access, rectification, erasure, portability) within a reasonable timeframe.
  • Notify you without undue delay (within 72 hours where feasible) upon becoming aware of a personal data breach affecting data processed on your behalf.
  • Delete or return all personal data to you upon termination of services, at your election, and delete existing copies unless retention is required by law.
  • Make available to you all information necessary to demonstrate compliance with GDPR Article 28 obligations.

4. Sub-Processors

SELLF LLC uses the following sub-processors to deliver its services. By accepting these Terms, you authorize SELLF LLC to engage these sub-processors:

Stripe, Inc. | United States | Payment processing | Privacy Shield / SCCs
Tavus, Inc. | United States | AI twin video generation | DPA / SCCs
Apollo.io | United States | Prospect data enrichment | Privacy Shield / SCCs
Amazon Web Services (S3) | United States | File and media storage | AWS DPA / SCCs
Manus AI | United States | Infrastructure and authentication | DPA / SCCs

SELLF LLC will notify you of any intended changes to sub-processors at least 14 days in advance. You may object to a new sub-processor within 14 days; if the objection cannot be resolved, you may terminate your subscription with a pro-rata refund.

5. International Data Transfers

SELLF LLC is based in the United States. If you are located in the EU, UK, or another jurisdiction with data transfer restrictions, personal data you provide may be transferred to and processed in the United States.

SELLF LLC relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) for UK-to-US transfers
  • Adequacy decisions where applicable

To request a copy of the applicable SCCs or IDTAs, contact [email protected].

6. Security Measures

SELLF LLC implements the following technical and organizational measures:

Encryption in Transit: TLS 1.2+ for all data in transit
Encryption at Rest: AES-256 encryption for stored data
Access Controls: Role-based access; principle of least privilege
Authentication: OAuth 2.0; session tokens; no plaintext passwords
Audit Logging: All data access and mutations are logged
Incident Response: 72-hour breach notification policy
Vendor Assessment: Sub-processors reviewed for security compliance
Data Minimization: Only data necessary for service delivery is collected

7. Data Subject Rights Assistance

When you receive a data subject request (access, erasure, portability, etc.) from one of your prospects or contacts whose data is processed through SELLF-X, SELLF LLC will assist you in fulfilling that request. To initiate a data subject rights request on behalf of your contacts, email [email protected] with the subject line "DSR Request -- [your account email]."

SELLF LLC will respond within 30 days. Complex requests may require up to 90 days with notice.

8. Governing Law

This DPA is governed by the laws of the State of Florida, United States, consistent with the main Terms and Conditions. For EU/UK data subjects, GDPR/UK GDPR requirements take precedence over Florida law where applicable.

Contact

Data protection inquiries: [email protected]

© 2026 SELLF LLC. All rights reserved. SELLF-X is a product of SELLF LLC.
