Data Processing Agreement

Loon Shoot Pty Ltd
ABN: 85 638 743 932
Last updated: 25 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Loon Shoot Pty Ltd ("Processor", "Loon Shoot", "we") and the entity agreeing to the Terms of Service ("Controller", "Customer", "you"), and governs the processing of Personal Data by Loon Shoot on behalf of Customer in connection with the Platform.

This DPA is incorporated into and subject to the Terms of Service available at getoutrun.com/legal/terms. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data.

By agreeing to the Terms of Service, Customer also agrees to this DPA.

1. Definitions

Terms defined in the Terms of Service have the same meaning in this DPA unless otherwise defined below.

"Applicable Data Protection Law" means, as applicable to the processing: (a) the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs); (b) the UK GDPR and Data Protection Act 2018; (c) the EU GDPR (Regulation 2016/679); and (d) any other applicable data protection or privacy legislation.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

"Data Subject" means an identified or identifiable individual to whom Personal Data relates.

"EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor).

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Loon Shoot on behalf of Customer through the Platform.

"Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Sub-processor" means any third party engaged by Loon Shoot to process Personal Data on behalf of Customer.

"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.

2. Roles & Scope

2.1. Roles. Customer is the Controller (or equivalent under Applicable Data Protection Law). Loon Shoot is the Processor (or service provider) acting on Customer's instructions.

2.2. Scope. This DPA applies to all Personal Data processed by Loon Shoot on behalf of Customer through the Platform, as described in Annex 1 below.

2.3. Loon Shoot will process Personal Data only on Customer's documented instructions, unless required to do so by applicable law, in which case Loon Shoot will inform Customer of that legal requirement before processing (unless prohibited by law from doing so).

3. Customer Obligations

3.1. Customer is responsible for: (a) ensuring it has a lawful basis for providing Personal Data to Loon Shoot; (b) providing all required notices to, and obtaining all required consents from, Data Subjects; (c) ensuring that its processing instructions to Loon Shoot comply with Applicable Data Protection Law; and (d) classifying its data and selecting the appropriate data residency region for each dataset.

3.2. Customer warrants that it has the right to transfer Personal Data to Loon Shoot for processing in accordance with this DPA.

4. Data Residency & Regional Processing

Data Storage

4.1. Current Region. All Customer Data at rest is currently stored in the EU region, operated by Hetzner Online GmbH in Falkenstein, Germany.

Residency Models

4.2. Global Model (default). By default, Outrun operates a Global data residency model. Customer Data is stored in available regions based on geographic identifiers in the data record, where possible. Currently, all Customer Data under the Global model is stored in the EU region. As additional regions become available, data may be distributed to the nearest region to the end customer. Under the Global model, data may be relocated between regions to maintain service availability during infrastructure events such as regional outages, capacity constraints, or maintenance. In normal operation, each record exists in a single region based on its geographic classification. Loon Shoot will notify Customer and update this DPA when new regions become available under the Global model.

4.3. Region-Locked Model. Customers requiring strict data residency guarantees may opt for a Region-Locked residency plan, restricting all data storage to a single designated region regardless of end customer location or availability events. Currently available: EU Only — all data stored exclusively in Hetzner, Falkenstein, Germany. Additional region-locked options may be offered as new regions become available.

4.4. Infrastructure Metadata. Database system metadata (schema definitions, cluster coordination, health checks) may be shared across infrastructure for service availability. This metadata does not contain Customer Data, personally identifiable information, or business data. This is comparable to DNS or certificate infrastructure and is standard practice for globally distributed database systems.

AI Processing

4.5. AI Inference. All AI inference requests are processed via Google Vertex AI in europe-west3 (Frankfurt, Germany). Prompt data is not stored by the inference provider and is subject to Google's data processing terms.

Email

4.6. Transactional Email. Email notifications (containing recipient email addresses and notification content) are delivered via Amazon Web Services Simple Email Service (SES), currently hosted in the United States (us-east-1). Email content transits US infrastructure during delivery. No email content is stored after delivery. This transfer is subject to the EU SCCs and/or UK Addendum incorporated into this DPA (see clause 11) where applicable.

Transfer Summary

4.7. Loon Shoot will not transfer Personal Data outside the regions described in this clause except: (a) as described in clause 4.6 (transactional email); (b) as new regions become available under the Global model (with prior notice to Customer); (c) as required to comply with applicable law; or (d) with Customer's prior written consent.

5. Security

5.1. Loon Shoot will implement and maintain appropriate technical and organisational security measures to protect Personal Data against Data Breaches, having regard to the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, and the risks to Data Subjects. These measures are described in Annex 2 below.

5.2. Loon Shoot will ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Sub-processors

6.1. Customer authorises Loon Shoot to engage the Sub-processors listed in Annex 3 below. Customer provides general written authorisation for Loon Shoot to engage additional Sub-processors, subject to the requirements of this clause.

6.2. Loon Shoot will: (a) notify Customer before any new Sub-processor begins processing Personal Data, and will use reasonable efforts to provide at least 14 days' advance notice (notice will be provided via email to the address associated with Customer's Account, or via the Platform); (b) impose data protection obligations on each Sub-processor that are no less protective than those in this DPA; and (c) remain fully liable for the acts and omissions of its Sub-processors.

6.3. Objection. If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer must notify Loon Shoot in writing within 15 days of receiving notice. The parties will discuss the objection in good faith. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected Services (and only the affected Services) by providing written notice, and Loon Shoot will refund any prepaid Fees attributable to the terminated Services for the unused portion of the subscription period.

7. Data Subject Rights

7.1. Loon Shoot will assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligation to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2. If Loon Shoot receives a request from a Data Subject directly, Loon Shoot will promptly redirect the Data Subject to Customer, unless otherwise instructed by Customer.

8. Data Breach Notification

8.1. Loon Shoot will notify Customer of a confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach.

8.2. The notification will include, to the extent reasonably available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) a contact point for further information.

8.3. Loon Shoot will cooperate with Customer and provide reasonable assistance in: (a) investigating the breach; (b) fulfilling Customer's notification obligations to supervisory authorities (including the OAIC, ICO, or other applicable authority); and (c) communicating with affected Data Subjects where required.

9. Data Protection Impact Assessments

9.1. Loon Shoot will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities where required under Applicable Data Protection Law, taking into account the nature of the processing and the information available to Loon Shoot.

10. Audit

10.1. Loon Shoot will make available to Customer, on reasonable request, the information necessary to demonstrate compliance with this DPA.

10.2. Customer (or a qualified third-party auditor appointed by Customer and approved by Loon Shoot, such approval not to be unreasonably withheld) may conduct an audit of Loon Shoot's compliance with this DPA, subject to the following conditions: (a) no more than once per calendar year (unless required by a supervisory authority or following a Data Breach); (b) with at least 30 days' written notice; (c) during normal business hours; (d) at Customer's cost; and (e) scoped to the processing activities relevant to Customer's Personal Data.

10.3. Loon Shoot may satisfy an audit request by providing: (a) a current third-party security certification or audit report, where available; or (b) responses to a reasonable written security questionnaire, provided these adequately address Customer's concerns.

11. International Transfers

11.1. Where no cross-border transfer occurs (i.e., Personal Data is stored and processed within Customer's designated region): No additional transfer mechanism is required.

11.2. UK Transfers. Where Personal Data originating from the United Kingdom is transferred outside the UK, the UK Addendum to the EU SCCs applies and is incorporated by reference into this DPA. The relevant details are set out in Annex 1.

11.3. EU Transfers. Where Personal Data originating from the European Economic Area is transferred outside the EEA, the EU SCCs (Module 2: Controller to Processor) apply and are incorporated by reference into this DPA. The relevant details are set out in Annex 1.

11.4. Australian Transfers. Where Personal Data is disclosed to an overseas recipient, Loon Shoot will take reasonable steps to ensure the overseas recipient handles the Personal Data in a manner consistent with the Australian Privacy Principles, in accordance with APP 8.

11.5. Adequacy. Where a transfer is to a jurisdiction recognised as providing an adequate level of data protection, the parties acknowledge that no additional transfer mechanism is required for that transfer.

12. Return & Deletion

12.1. Upon termination of the Terms of Service, Loon Shoot will, at Customer's election: (a) return Customer's Personal Data in a commonly used, machine-readable format; or (b) securely delete Customer's Personal Data.

12.2. Customer must make its election within the 30-day export period specified in the Terms of Service. If Customer does not make an election, Loon Shoot will securely delete the Personal Data.

12.3. Loon Shoot may retain Personal Data to the extent required by applicable law, provided that such retained data continues to be protected in accordance with this DPA and is not processed for any other purpose.

13. Term

13.1. This DPA takes effect on the date Customer agrees to the Terms of Service and remains in effect for as long as Loon Shoot processes Personal Data on behalf of Customer.

13.2. The obligations in this DPA survive termination to the extent Loon Shoot continues to hold Personal Data.

Annex 1: Details of Processing

Annex 2: Technical and Organisational Security Measures

Loon Shoot implements the following measures (updated from time to time as appropriate):

Access Controls

• Role-based access control for all systems processing Personal Data
• Multi-factor authentication for administrative access
• Principle of least privilege applied to all access permissions
• Regular access reviews

Encryption

• Encryption of Personal Data at rest (AES-256 or equivalent)
• Encryption of Personal Data in transit (TLS 1.2 or higher)

Infrastructure Security

• Hosting on Hetzner Online GmbH (Falkenstein, Germany); AI processing on Google Cloud Platform (Frankfurt, Germany)
• Network segmentation and firewall controls
• Regular vulnerability scanning and patching
• DDoS protection

Network Security

• Point-to-point encrypted tunnels (WireGuard) for internal service communication
• No customer data transits third-party VPN coordination servers

Tenant Isolation

• Logical separation of Customer Tenants
• Customer Data is not accessible to other Tenants

Monitoring & Logging

• In-house security event logging and monitoring (no third-party monitoring provider)
• Intrusion detection
• Alerting for anomalous activity

Business Continuity

• Regular automated backups
• Disaster recovery procedures

Personnel

• Confidentiality obligations for all personnel with access to Personal Data
• Data protection training

Incident Response

• Documented incident response plan
• Designated incident response team

Annex 3: Sub-processors

This list is current as of 25 March 2026. Updates will be notified in accordance with clause 6.2.