FORGEPIPELINE LLC
DATA PROCESSING ADDENDUM
Effective Date: February 24, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between ForgePipeline LLC (“Processor”) and the business client (“Controller”) governing the processing of personal data.

ROLE OF THE PARTIES

ForgePipeline LLC acts as a Service Provider / Data Processor when handling personal data on behalf of business clients.

The Client acts as the Data Controller and determines the purposes and means of processing personal data.

SCOPE OF PROCESSING

This DPA applies to personal data processed through the use of:

• CRM systems
• Messaging automation
• Lead capture forms
• AI workflows
• Calendar booking tools
• Revenue tracking systems

Processing is limited to what is necessary to provide contracted services.

CLIENT OBLIGATIONS

Client represents and warrants that:

• Personal data was lawfully obtained
• Required disclosures were provided
• Required consent was collected prior to messaging
• Data subject rights are honored
• Messaging consent complies with TCPA, 10DLC, CTIA, and applicable laws

Client is solely responsible for the legality of data submitted to the platform.

PROCESSING INSTRUCTIONS

ForgePipeline processes personal data only:

• To provide contracted services
• Under documented client instructions
• To maintain security and system integrity
• To comply with legal obligations

Processor does not determine independent purposes for processing client data.

SUBPROCESSORS

ForgePipeline may engage subprocessors to provide services, including:

• Cloud hosting providers
• CRM infrastructure providers
• Messaging and telecommunications providers
• Payment processors
• Compliance and security vendors

All subprocessors are bound by confidentiality and appropriate security obligations.

SECURITY MEASURES

ForgePipeline implements reasonable technical and organizational safeguards, including:

• Access controls
• Encryption in transit
• Authentication safeguards
• Logging and monitoring
• Role-based permissions

No system can guarantee absolute security.

DATA RETENTION

Personal data is retained only as long as necessary to:

• Provide services
• Maintain compliance records
• Fulfill contractual obligations
• Meet legal requirements

Upon termination, data handling follows the terms of the main service agreement.

DATA SUBJECT REQUESTS

The Client is responsible for responding to data subject access, deletion, correction, or portability requests.

ForgePipeline will provide reasonable assistance where technically feasible.

BREACH NOTIFICATION

ForgePipeline will notify the Client without undue delay after confirming a security breach affecting client data.

Notification will include available details necessary to support Client compliance obligations.

LIMITATION OF RESPONSIBILITY

ForgePipeline is not responsible for unlawful collection, improper consent, or misuse of data by the Client.