Data Processing Addendum

Last Updated: May 26, 2026

This Data Processing Addendum (the “Processing Addendum”) applies to the processing of Personal Information by SuperNeatFunSoft Inc. (the “Provider”). This Processing Addendum is to be read with and is incorporated into the Provider’s Terms and Conditions and Privacy Policy (the “Agreement”) entered into by you (the “Customer”) for the use of the Provider’s services. In the event of a conflict between the Processing Addendum and any other terms in the Agreement, the terms of this Processing Addendum will govern.

The Provider may modify this Processing Addendum from time to time in order to comply with applicable law. The Provider will provide notice to the Customer by posting the revised Processing Addendum on the Provider’s website and revising the date on the top of this Processing Addendum.

1. Definitions and Interpretation

1.1

The following definitions and rules of interpretation apply in this Processing Addendum.

“Business Purpose” means the services described in the Terms and Conditions and the Privacy Policy or any other purpose specifically identified in Appendix A.

“Data Subject” means an individual or an organization who is the subject of Personal Information.

“Personal Information” means any information the Provider collects, uses, processes or maintains for the Customer that:

  1. relates to an identifiable individual and identifies or can be used to identify that individual, directly or indirectly, either alone or in combination with other personal or identifying information that is or can be associated with that specific individual, including but not limited to: (a) first and last name; (b) email address or other online information, such as a user name and profile picture; and (c) the content of messages; or
  2. the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.

“Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Provider” means SuperNeatFunSoft Inc.

“Privacy and Data Protection Requirements” means all applicable federal, provincial, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the British Columbia Personal Information Protection Act ("PIPA") and/or the federal Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA").

“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

“Service” means the SuperNeatFunSoft.com website, the 3minuteanimal.com website, and the related 3 Minute Animal mobile application each operated by the Provider.

1.2

The Provider reserves the right to modify this Processing Addendum in order to comply with applicable Privacy and Data Protection Requirements. To the extent that the Provider modifies this Processing Addendum in order to ensure compliance, the Provider will provide notice to the Customer of the modifications, and the Customer’s continued use of the Service will constitute the Customer’s agreement to those modifications. The Provider may provide that notice in a variety of ways, including, among other things, posting a notice on the Service itself and revising the date at the top of this Processing Addendum.

1.3

This Processing Addendum is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms in the Agreement apply to the interpretation of this Processing Addendum.

1.4

The Appendices form part of this Processing Addendum and will have effect as if set out in full in the body of this Processing Addendum. Any reference to this Processing Addendum includes the Appendices.

1.5

A reference to writing or written includes faxes and email.

1.6

In the case of conflict or ambiguity between:

  • (a) any provision contained in the body of this Processing Addendum and any provision contained in the Appendices, the provision in the body of this Processing Addendum will prevail;
  • (b) the terms of any accompanying invoice or other documents annexed to this Processing Addendum or any provision contained in the Appendices, the provision contained in the Appendices will prevail;
  • (c) any of the provisions of this Processing Addendum and the provisions of the Agreement, the provisions of this Processing Addendum will prevail; and
  • (d) any of the provisions of this Processing Addendum and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2. Personal Information Types and Processing Purposes

2.1

The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.2

Appendix A describes the general Personal Information categories and Data Subject types that the Provider may process to fulfill the Business Purposes of the Agreement. The Customer discloses Personal Information to the Provider only for the limited and specified Business Purposes.

3. Provider’s Obligations

3.1

The Provider will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes. The Provider will not process the Personal Information for any other purpose or in a way that does not comply with this Processing Addendum or the Privacy and Data Protection Requirements. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instructions will not comply with the Privacy and Data Protection Requirements.

3.2

The Provider must promptly comply with any Customer request requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate or remedy any unauthorized processing.

3.3

The Provider will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer or this Processing Addendum specifically authorizes the disclosure in compliance with Privacy and Data Protection Requirements, or as otherwise required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4

The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Privacy and Data Protection Requirements, considering the nature of the Provider’s processing and the information available to the Provider.

3.5

The Provider must promptly notify the Customer of any changes to Privacy and Data Protection Requirements that may adversely affect the Provider’s performance of the Agreement.

3.6

The Customer acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions from the Personal Information other than as required under the Privacy and Data Protection Requirements.

3.7

The Provider will only collect Personal Information for the Customer using a notice or method that the Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Customer’s identity and its appointed data protection representative, the purpose or purposes for which their Personal Information will be processed and any other information that is required by applicable Privacy and Data Protection Requirements. The Provider will not modify or alter the notice in any way without the Customer’s prior written consent.

3.8

The Provider is responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements.

4. Provider’s Employees

4.1

The Provider will limit Personal Information access to:

  • (a) those employees who require Personal Information access to meet the Provider’s obligations under this Processing Addendum and the Agreement; and
  • (b) the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

4.2

The Provider will ensure that all employees:

  • (a) are informed of the Personal Information’s confidential nature and use restrictions;
  • (b) have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and
  • (c) are aware both of the Provider’s duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this Processing Addendum.

4.3

The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Information.

5. Security

5.1

The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction or damage including, but not limited to, the security measures set out in Appendix B. The Provider must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.

5.2

The Provider may store Personal Information in off-site servers and will take reasonable security measures as set out in Appendix B in storing Personal Information.

5.3

The Provider will immediately notify the Customer if it becomes aware of any advance in technology and methods of working, which indicate that the Parties should adjust their security measures.

5.4

The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures in compliance with Privacy and Data Protection Requirements or other applicable laws.

6. Security Breaches and Personal Information Loss

6.1

The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable.

6.2

The Provider will as soon as feasible notify the other Party if it becomes aware of:

  • (a) any unauthorized or unlawful processing of the Personal Information; or
  • (b) any Security Breach.

6.3

Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the Parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer’s handling of the matter, including:

  • (a) assisting with any investigation;
  • (b) providing the Customer with physical access to any facilities and operations affected;
  • (c) facilitating interviews with the Provider’s employees, former employees, and others involved in the matter; and
  • (d) making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Customer.

6.4

The Provider will not inform any third party of any Security Breach without first obtaining the Customer’s prior written consent, except when Privacy and Data Protection Requirements, or other laws or regulations, require it.

6.5

The Provider agrees that the Customer has the sole right to determine:

  • (a) whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies or others, as required by Privacy and Data Protection Requirements or other laws or regulations, or at the Customer’s discretion, including the contents and delivery method of the notice; and
  • (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6

The Provider will cover all reasonable expenses associated with the performance of the obligations under Section 6.2 and Section 6.3, unless the matter arose from the Customer’s specific instructions, negligence, willful default or breach of this Processing Addendum, in which case the Customer will cover all reasonable expenses.

6.7

The Provider will also reimburse the Customer for actual reasonable expenses the Customer incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in Section 6.5.

6.8

The Provider will maintain records of any Security Breach in accordance with Privacy and Data Protection Requirements.

7. Cross-Border Personal Information Transfers

7.1

Appendix A lists all of the countries where the Provider may receive, access, transfer, or store Personal Information. The Provider must not receive, access, transfer or store Personal Information outside the countries listed on Appendix A without the Customer’s prior written consent.

8. Complaints, Data-Subject Requests and Third-Party Rights

8.1

The Provider must notify the Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either Party’s compliance with the Privacy and Data Protection Requirements.

8.2

The Provider must notify the Customer within fifteen (15) working days if it receives a request from a Data Subject for access to their Personal Information or a request to correct, delete, or withdraw its consent from any use by Customer or Provider of same.

8.3

The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.

8.4

The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer’s request or instruction, permitted by this Processing Addendum, or is otherwise required by law.

9. Term and Termination

9.1

This Processing Addendum will remain in full force and effect until the later of the following:

  • (a) the Agreement remains in effect; or
  • (b) the Provider retains any Personal Information related to the Agreement in its possession or control, (the “Term”).

9.2

Any provision of this Processing Addendum that expressly or by implication should come into or continue in force on or after termination of the Agreement to protect Personal Information will remain in full force and effect.

9.3

The Provider’s failure to comply with the terms of this Processing Addendum is a material breach of the Agreement. In such event, the Customer may terminate the Agreement/any part of the Agreement authorizing the processing of Personal Information effective immediately upon written notice to the Provider without further liability or obligation.

9.4

If a change in any Privacy and Data Protection Requirement prevents either Party from fulfilling all or part of its Agreement obligations, the Parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the Parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within sixty (60) days, they may terminate the Agreement upon written notice to the other Party.

10. Data Return and Destruction

10.1

At the Customer’s request, the Provider will give the Customer a copy of or access to all or part of the Customer’s Personal Information in its possession or control in the format reasonably specified by the Customer.

10.2

On termination of the Agreement for any reason or expiration of the Term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this Processing Addendum in its possession or control, except for one copy that it may retain and use for six (6) years for audit purposes only.

10.3

If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.

11. Records

11.1

The Provider will keep detailed, accurate, and up-to-date records regarding any Personal Information processing it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).

11.2

The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Processing Addendum.

11.3

The Customer and the Provider must review the information listed in the Appendices to this Processing Addendum once a year to confirm its current accuracy and update it when required to reflect current practices.

12. Audit

12.1

At least once per year, the Provider will conduct site audits of its Personal Information processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Processing Addendum, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.

12.2

Upon the Customer’s written request, the Provider will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as the Provider’s confidential information under this Processing Addendum.

12.3

The Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management and as approved by Customer.

13. Representations and Warranties

13.1

The Provider represents and warrants that:

  • (a) it and its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements;
  • (b) it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this Processing Addendum and all applicable Privacy and Data Protection Requirements and any other applicable laws, enactments, regulations, codes, orders, standards, and other similar instruments;
  • (c) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Agreement’s contracted services or the services hereunder; and
  • (d) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:
    • (i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage;
    • (ii) the nature of the Personal Information protected; and
    • (iii) comply with all applicable Privacy and Data Protection Requirements and its information and security policies, including the security measures required in Section 5.1.

13.2

The Customer represents and warrants that the Provider’s expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer under this Processing Addendum will comply with all Privacy and Data Protection Requirements.

14. Indemnification

14.1

The Provider agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages, or expenses incurred by the Customer or for which the Customer may become liable due to:

  • (a) any failure by the Provider or its employees, subcontractors, or agents to comply with any of its obligations under this Processing Addendum or applicable Privacy and Data Protection Requirements and any other applicable laws, enactments, regulations, codes, orders, standards, and other similar instruments; and
  • (b) any breach of its representations, warranties, covenants, and other obligations under this Processing Addendum.

14.2

Any limitation of liability set forth in the Agreement will not apply to this Processing Addendum’s indemnity or reimbursement obligations.

APPENDIX A

Personal Information Processing Purposes and Details

Business Purposes: The Provider processes Personal Information solely for the provision of the Services to the Customer.

Personal Information Categories:

  • Name
  • Surname
  • Email address
  • Profile information on the Slack platform, including profile picture
  • Content of messages

Data Subject Types:

  • Individuals
  • Organizations

Countries where the Provider may receive, access, transfer or store Personal Information:

  • Canada
  • The United States of America

APPENDIX B

Security Measures

All processing of Personal Information pursuant to this Processing Addendum will be conducted in accordance with the technical and organizational security measures set out in this Appendix B:

1. Physical Access Control – the prevention of unauthorized persons from gaining access to systems and data

  • The Provider delegates responsibility for the implementation and maintenance of physical security control to Amazon Web Services ("AWS") which hosts the Provider’s infrastructure.
  • AWS employs a number of protection features, which include the following:
    • Physical access is restricted to individuals who need to be at a location for a justified business reason. AWS employees who routinely need to access a data center are given permission to visit relevant areas of the facility based on job function. Access is regularly scrutinized;
    • AWS controls, staffs, and monitors data center entry points to detect and prevent unauthorized access; and
    • AWS Security Operations Centers provide continuous global monitoring of physical security events.
  • More information on the physical access control measures that AWS employs can be found at the following weblink: https://aws.amazon.com/trust-center/data-center/

2. System Access Controls – the prevention of systems being used without authorization

  • All 3-Minute Animal systems are inaccessible externally, subject to the following exceptions:
    • Administrative access is enabled through the AWS Management Console which is protected by SAML 2.0 Identity Federation (Security Assertion Markup Language) whereby Google Workspace is the Identity Provider, and AWS is the Service Provider. This process authenticates only members of the Provider to access the AWS console. Authorization is then achieved using role-based permissions provided by the AWS Identity Center, so that the minimum necessary set of employees are granted access to production infrastructure resources; and
    • Public access is available to allow delivery of the service. Public access is limited to the following cases:
      • Slack servers access 3-Minute Animal API (Application Programming Interface) endpoints where Slack’s identity is proven by cryptographic signing of the transmitted content where a secret signature is held privately by both parties;
      • Stripe servers access 3-Minute Animal API endpoints in the same manner as above; and
      • End users access 3-Minute Animal API endpoints from their browser where authentication is provided by Slack OAuth 2.0, through which users explicitly agree to granting the minimum required set of data access and action permissions upon every sign-in.

3. Data Access Controls – safeguards on who can access the Personal Information

  • Any personal information that is stored in the 3-Minute Animal database (the “Database”) is protected with username and password.
  • The 3-Minute Animal backend application is given the username and password by which it can access and change personal information records.
  • The Provider’s employees may access personal information records if necessary to serve a particular job function and with justified reason for the task at hand, if in accordance with the Provider’s policy.

4. Transmission Controls – safeguards to ensure that Personal Information data cannot be read, copied, or deleted during electronic transmission, transport or storage

  • All external communications between 3-Minute Animal systems and third-party systems are transmitted via HTTPS (Hypertext Transfer Protocol Secure) with a minimum protocol of TLS 1.2 to ensure that data remains private and protected from interception.
  • All data is encrypted at rest with AES-256 (Advanced Encryption Standard).
  • Internally to 3-Minute Animal systems, the source and destination of data transmissions are limited by AWS Security Groups.

5. Input Controls, Data Back-Up and Data Segregation – safeguards to control the input of Personal Information data, the back-up of Personal Information data and the segregation of Personal Information data

  • Personal information is delivered directly from Slack for the appropriate contextual user and Customer. No personal information is collected directly from the user and Customer. As such, 3-Minute Animal effectively leverages input safeguards that Slack employs.
  • The Database undergoes regular automated backups.
  • Personal information is logically partitioned within a single shared database. Backend application logic ensures that such information is only exposed within the scope of the effective Slack workspace. This practice is consistent with the scope within which Slack makes users’ personal information available within workspaces.