Data Processing Addendum

Last updated: 22 April 2026 · Version 3.0

1. Applicability and legal context

This Data Processing Addendum ("DPA") is a mandatory part of the Community Network Terms of Service and applies where a user ("Controller", "you"), being an entrepreneur, organisation, business-account owner or community/event organiser on the Platform, uploads or otherwise places third-party individuals' data on the Platform. The DPA is drawn up in accordance with: part 3 of article 6 of Russian Federal Law 152-FZ; article 28 of Regulation (EU) 2016/679 (GDPR); UK-GDPR and Data Protection Act 2018; equivalent processor-agreement rules in other jurisdictions. A separate bilateral signature of the DPA is not required. Any action involving the transfer of third-party data to the Platform constitutes acceptance of the DPA.

2. Party statuses and subject of the engagement

Controller: the Platform user, in whose interests and under whose responsibility processing of third-party data is performed.

Processor: KG Connect ltd. (the "Company", "we"), processing third-party personal data exclusively on the Controller's instructions and exclusively to the extent necessary for the operation of the Platform.

Subject of the engagement: provision by the Company of the Platform's infrastructure services, during which technical means perform operations on personal data uploaded by the Controller.

Duration of the engagement: from the moment the data is uploaded and until the data is deleted by the Controller or the Company as provided for in the DPA and applicable law.

3. Categories of data and data subjects

Data-subject categories: Controller's employees; community members managed by the Controller; contact persons of the Controller's counterparties; participants of events organised by the Controller; invited guests.

Data categories: identification (full name, username); contact (email, phone, messengers); images (photos); positions, place of work, role in the community; technical (IP address, session metadata).

The Controller warrants that it does not upload to the Platform special categories of personal data (biometrics, health, minors' data, political/religious beliefs etc.) without prior written coordination with the Company and compliance with additional legal requirements.

4. Permitted processing operations

The Controller instructs, and the Company is entitled to perform, the following operations within the extent necessary for providing the Platform services:
— collection;
— recording;
— systematisation;
— accumulation;
— storage;
— updating (modification, change);
— retrieval;
— use;
— transfer (provision, access) — within Platform functionality and to technical contractors (section 7);
— depersonalisation;
— blocking;
— deletion;
— destruction.

This list is exhaustive and aligns with 152-FZ terminology.

5. Processing purposes

Processing is carried out solely for the following purposes:
— ensuring Platform functioning for the Controller;
— providing technical communication, community management and event management capabilities;
— ensuring Platform information security;
— aggregated analytics on usage metrics;
— responding to lawful requests from government authorities.

The Company may not use third-party personal data for its own marketing, AI training (except public data with opt-out), sale or transfer to advertisers.

6. Company (Processor) obligations

Confidentiality. Process data confidentially; bind employees and contractors with access to data to confidentiality.

Security measures. Apply technical and organisational measures per articles 18.1 and 19 of 152-FZ, article 32 of GDPR (detailed list — section 11 of the Privacy Policy).

Localisation. For Russian-citizen data, ensure that recording, systematisation, accumulation, storage, updating and retrieval are carried out using databases located in the Russian Federation.

Incident notification. Immediately (no later than 24 hours) notify the Controller of an incident under 152-FZ art. 21(3.1) or GDPR art. 33.

Assistance. Provide documents confirming legal compliance on written request; assist in responding to subject requests, DPIAs, prior consultations with supervisory authorities.

Sub-processors. Engage third parties only under obligations no less strict than in this DPA.

Deletion on completion. On completion of services or Controller request, delete or return all personal data, except copies mandatorily retained by law.

Audit. On a reasonable written request by the Controller no more than once every 12 months, provide compliance reports or undergo an audit at the requesting party's expense.

7. Sub-processors

Current list of sub-processors and their service categories:
— Hosting: DigitalOcean (US / Russia, segmented), AWS (US/EU — backups);
— CDN / protection: Cloudflare (US);
— Email: SendGrid / Mailgun (US);
— Push: Firebase (Google) / Apple APNs (US);
— SMS: licensed gateways (RU/EU/US);
— KYC: SumSub (UK/EU);
— Payments: Stripe / ЮKassa (US/EU/RU);
— Analytics: Google Analytics (optional, US, with consent);
— AI models: OpenRouter / Anthropic / OpenAI (US, no training on queries).

Russian-citizen data is processed on sub-processors with infrastructure in Russia, in compliance with localisation. When engaging a new sub-processor, the Company notifies Controllers by email and/or banner at least 14 days in advance; during that period the Controller may object.

8. Cross-border transfers

Cross-border transfer of personal data is performed under article 12 of 152-FZ, chapter V of GDPR, equivalent UK-GDPR rules and the acts of other jurisdictions. Applicable mechanisms:
— Adequacy Decisions;
— EU-U.S. Data Privacy Framework (DPF);
— Standard Contractual Clauses (SCCs) — Annex to the DPA on request;
— UK IDTA / IDTA Addendum;
— Transfer Impact Assessment (TIA) for jurisdictions without adequacy.

9. Controller obligations

Lawful basis. Have a lawful basis for processing under applicable law for each data category transferred to the Company.

Consents. Obtain properly executed consents from data subjects or ensure another lawful basis.

Informing subjects. Fulfil the information obligations toward subjects (art. 18 of 152-FZ, art. 13-14 of GDPR).

Do not upload data whose processing is prohibited by law or exceeds the scope necessary for the stated purpose.

Indemnification. Reimburse the Company for all losses, fines, legal expenses arising from the Controller's breach of applicable law or this DPA.

10. Liability

The parties are liable under applicable law taking into account the limitations of the Terms of Service (section 11). The primary duty of response to data subjects rests with the Controller. Upon receipt of a subject's request, the Company forwards it to the Controller within a reasonable period and/or provides technical assistance in exercising the subject's rights.

11. Duration and termination

The DPA enters into force upon acceptance of the Terms of Service and the first upload of third-party data to the Platform. The DPA terminates upon termination of the Terms of Service or upon the Controller's data-deletion request, whichever occurs first. Upon termination, the Company deletes or anonymises data within the timeframes of the Privacy Policy (section 10), except data mandatorily retained by law.

12. Miscellaneous

The Russian-language version has priority in case of discrepancy with translations. Where the DPA and the Terms of Service conflict, the DPA prevails in respect of personal-data processing. Governing law, jurisdiction and arbitration are per the Terms of Service.

13. Contact information

DPO / processing questions: privacy@communitynet.app / dpo@communitynet.app
Legal questions: legal@communitynet.app
Platform: www.communitynet.ru (Russian-language) · www.communitynet.app (international)
Company: KG Connect ltd.