Data Processing Addendum

10.1 Scope

This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy and applies when Howl Dating LLC, doing business as Raute.io, processes personal data on behalf of its customers ("Controller") in connection with the provision of the Service. This DPA sets forth the obligations of the parties with respect to the processing and security of personal data.

10.2 Definitions

Unless otherwise defined herein, terms used in this DPA shall have the meanings given to them in the applicable data protection legislation, including:

• GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation) and its national implementing legislation.
• CCPA/CPRA: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
• Controller: The entity that determines the purposes and means of the processing of personal data (the customer).
• Processor: The entity that processes personal data on behalf of the Controller (Howl Dating LLC / Raute.io).
• Data Subject: An identified or identifiable natural person whose personal data is processed.
• Personal Data: Any information relating to a Data Subject, as defined under applicable data protection law.
• Sub-Processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.

10.3 Our Obligations as Processor

As a data processor, Howl Dating LLC commits to the following obligations:

• Documented Instructions: Process personal data only in accordance with the documented instructions of the Controller, unless required by applicable law.
• Confidentiality: Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations.
• Security Measures: Implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
• Data Subject Requests: Assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law.
• Breach Notification: Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach.
• Deletion or Return: Upon termination of the Service or at the Controller's request, delete or return all personal data to the Controller, unless retention is required by applicable law.
• Audits: Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an authorized auditor.

10.4 Sub-Processors

• We may engage Sub-Processors to assist in providing the Service, subject to appropriate data processing agreements.
• We maintain a current list of Sub-Processors and will make it available upon request.
• We will notify the Controller of any intended changes to Sub-Processors, providing the Controller with an opportunity to object to such changes.
• We remain fully liable for the acts and omissions of our Sub-Processors with respect to the processing of personal data.

10.5 International Transfers

Where personal data is transferred to countries outside the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, we will ensure that appropriate safeguards are in place. This includes the use of Standard Contractual Clauses (SCCs) approved by the European Commission or other legally approved transfer mechanisms to ensure adequate protection of personal data during international transfers.

10.6 Contact

For questions or requests related to this Data Processing Addendum, please contact us: