PRE-COUNSEL REVIEW DRAFT — NOT LEGAL ADVICE
Data Processing Addendum
- Version: 1.0.0-draft
- Effective date: 2026-06-10
- SHA-256: 40c0360029f2e5e291cb4bd716918aa8d8ac0285e8e1667687133d97cceb5b6c
1. Roles
XenoStep and the Supplier are independent data controllers for personal data each party processes in connection with resale, product delivery, customer support, compliance, tax, and payment operations. The parties are not acting as processor and controller for each other under this Addendum unless a separate written agreement says otherwise.
Each party is responsible for its own legal basis, notices, security, retention, and data subject response obligations.
2. Data Shared
XenoStep may share customer email addresses with the Supplier for product delivery, account activation, support, fraud prevention, and customer transition purposes. XenoStep may also share usage data reasonably needed to deliver the product, resolve support issues, manage subscriptions, process refunds, investigate disputes, or meet legal obligations.
The Supplier may use shared data only for the approved product and related support obligations.
3. Sub-Processors and Service Providers
XenoStep uses service providers to operate the platform, process payments, send emails, host application infrastructure, and store data. Current core providers include Stripe (https://stripe.com), Supabase (https://supabase.com), Resend (https://resend.com), and Vercel (https://vercel.com).
XenoStep may update providers as needed for security, performance, compliance, or operational reasons.
4. International Transfers
Data may be processed in the United States. Where required, transfers will rely on standard contractual clauses, adequacy decisions, or another lawful transfer mechanism.
The Supplier must not transfer shared customer data to another country unless it has a lawful basis and appropriate safeguards.
5. Security
Each party must apply reasonable administrative, technical, and organizational safeguards. At minimum, shared data must be protected through encryption in transit and at rest, access controls, least-privilege permissions, account security controls, and procedures for reviewing access.
6. Breach Notification
A party that discovers a security incident affecting shared customer data must notify the other party without undue delay and no later than seventy-two (72) hours after confirming the incident. The notice should describe the affected data, likely impact, containment steps, and contact person for follow-up.
7. Data Subject Rights
The parties will cooperate in good faith on access, deletion, correction, portability, objection, restriction, and similar requests from data subjects. Each party remains responsible for requests it receives directly, but must provide reasonable assistance when the request concerns shared data.
8. Retention
Upon termination of the Supplier relationship, the Supplier must delete shared customer data within thirty (30) days unless retention is required by law, dispute handling, accounting, tax, security, or legitimate compliance obligations. Any retained data must remain protected and must not be used for new marketing or unrelated purposes.
9. Controlling Language
This Addendum is prepared in English. A Korean translation may be provided for reference convenience only. If there is any conflict or inconsistency between the English version and any translation, the English version controls in all respects.