Data Processing Addendum
1. Definitions
"Personal Data", "Processing", "Controller", and "Processor" have the meanings given to them under the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). "Customer Personal Data" means any Personal Data processed by Capme on behalf of the Customer in the course of providing the Services.
2. Scope and Role of the Parties
Roles: The parties acknowledge and agree that with respect to Customer Personal Data, the Customer acts as the Data Controller and Capme acts as the Data Processor.
Architectural Exclusion of Video Data: The Customer explicitly acknowledges and agrees that Capme's architecture is local-first. Video files, screen recordings, audio data, and webcam footage are written directly to the user's local browser storage (Origin Private File System) and are never uploaded to, stored by, or processed via Capme's infrastructure. Consequently, video content is completely excluded from the scope of Customer Personal Data, and Capme bears zero liability or processing obligations regarding the Customer's video files.
Agreement Hierarchy: In the event of a conflict between this DPA and the Terms of Service or Privacy Notice regarding the processing of Personal Data, this DPA takes precedence.
3. Obligations of the Processor
Capme agrees to:
- Instructions: Process Customer Personal Data only on behalf of and in accordance with the documented instructions of the Customer. The Agreement and this DPA constitute the Customer's complete instructions.
- Confidentiality: Ensure that administrative access to production infrastructure is strictly limited and logged.
- Security Measures: Implement and maintain appropriate technical and organizational measures to secure its server infrastructure, as detailed in Appendix C of this DPA.
- Data Subject Rights: Taking into account the nature of the processing, assist the Customer by appropriate technical measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests from data subjects.
- Sub-Processor Accountability: Capme remains fully liable to the Customer for the acts and omissions of its sub-processors to the same extent as Capme's own acts and omissions under this DPA.
- Personal Data Breaches: Notify the Customer without undue delay, and no later than 72 hours, after becoming aware of a verified personal data breach affecting Capme's server infrastructure. Notifications will include, to the extent known: the nature of the breach; the categories and approximate number of Data Subjects affected; the categories and approximate number of Personal Data records affected; the likely consequences; and the measures taken or proposed to address the breach.
- Deletion: Delete Customer Personal Data within a reasonable timeframe following the termination of the service or upon the Customer's written request, unless applicable European or German law requires continued storage.
- DPIA Assistance: Upon the Customer's reasonable written request, and taking into account the nature of the processing and information available to Capme, provide reasonable assistance to the Customer in carrying out data protection impact assessments (DPIAs) required under GDPR Art. 35 and, where required, in prior consultations with supervisory authorities under GDPR Art. 36.
4. Sub-Processors
General Authorization: By accepting this Agreement, the Customer grants Capme general authorization under GDPR Article 28(2) to engage sub-processors to perform operational infrastructure and software delivery services.
Sub-Processor Changes: The current list of authorized sub-processors is maintained in Appendix B of this DPA. Capme will notify the Customer of material changes to the sub-processor list by email to the registered account address or via in-app notification, and by updating this DPA. Customers may object to a new sub-processor within 14 days of notification on reasonable data protection grounds. If Capme cannot accommodate the objection, the Customer may terminate this Agreement with immediate effect and will receive a pro-rata refund of any prepaid fees covering the unused portion of the current subscription period.
5. Limitation of Liability & Beta Disclaimer
Liability Cap: To the maximum extent permitted by applicable German and EU law, the total aggregate liability of Steffen Rosenögger (Capme) for any and all claims, damages, or losses arising out of or in connection with this DPA shall be limited to the fees paid by the Customer in the 12 months preceding the claim.
No Consequential Damages: Under no circumstances shall Capme be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, goodwill, or business interruption, even if advised of the possibility of such damages.
Beta Status: The Customer acknowledges that the Service is currently a public beta, provided on an "AS IS" and "AS AVAILABLE" basis, without warranties of any kind. Notwithstanding the foregoing, Capme's obligations under this DPA with respect to the protection, return, and deletion of Customer Personal Data remain in full force regardless of the Service's beta status.
Customer Responsibilities: As Data Controller, the Customer is responsible for: (a) ensuring a lawful basis for processing under GDPR; (b) obtaining necessary consents from Data Subjects before provisioning them access to Capme; (c) providing privacy notices to workspace users per GDPR Articles 13/14; (d) verifying Data Subject identity before fulfilling rights requests; (e) notifying supervisory authorities and Data Subjects of breaches where required by GDPR Articles 33–34.
GDPR Article 82: Under GDPR Article 82(3), liability for damages is allocated between Controller and Processor based on fault. Each party is liable only for damage caused by its own GDPR violation.
6. International Data Transfers
To the extent that the processing of Customer Personal Data involves a transfer outside the European Economic Area (EEA) to a third country without an adequacy decision, such transfers are governed by appropriate safeguards, including Standard Contractual Clauses (SCCs) executed downstream with the respective sub-processors, or the EU–US Data Privacy Framework.
CCPA Service Provider Designation: To the extent Capme processes the personal information of California residents on behalf of the Customer, Capme acts as a "Service Provider" as defined under the California Consumer Privacy Act (CCPA) and its implementing regulations. Capme: (a) processes such personal information only for the business purposes specified in this DPA and the Customer's documented instructions; (b) does not sell or share (as those terms are defined under CCPA) the Customer's personal information; (c) does not retain, use, or disclose such personal information for any commercial purpose other than providing the services specified in the Agreement; and (d) does not combine such personal information with personal information received from or collected on behalf of other businesses, except as permitted under the CCPA.
7. Audit Rights
Customer may verify Capme's compliance with this DPA subject to the following conditions:
- Requests must be submitted in writing to security@capme.app with at least 60 days' notice.
- Audits are limited to once per calendar year unless required by a supervisory authority.
- Audits must be conducted by an independent third party bound by confidentiality obligations.
- The Customer bears all costs of the audit.
- Audit scope is limited to GDPR compliance under this DPA.
In lieu of a full audit, Capme will make available upon reasonable request documentation demonstrating compliance with this DPA, including this publicly available DPA, the Privacy Notice, and the authorized sub-processor list in Appendix B of this DPA.
8. Governing Law
This DPA is governed by the laws of the Federal Republic of Germany, consistent with the governing law clause in the Terms of Service. The place of jurisdiction for disputes arising from or in connection with this DPA is Düsseldorf, Germany. Mandatory provisions of the GDPR and applicable EU data protection law take precedence over any conflicting provision of national law.
9. Indemnification
Processor Indemnification: Capme shall indemnify and hold the Customer harmless against GDPR administrative fines, regulatory penalties, and reasonable legal costs incurred by the Customer to the extent directly and solely caused by Capme's material breach of its obligations as Processor under this DPA or applicable data protection law.
Controller Indemnification: The Customer shall indemnify and hold Capme harmless against GDPR administrative fines, regulatory penalties, and reasonable legal costs to the extent directly and solely caused by the Customer's breach of its obligations as Controller under this DPA, the GDPR, or other applicable data protection law — including the Customer's failure to establish a lawful basis for processing, failure to provide adequate privacy notices to Data Subjects, or failure to fulfil other Controller obligations under GDPR Arts. 24–26.
GDPR Article 82: Liability for damages under GDPR Art. 82 is allocated between Controller and Processor based on fault. Each party is liable only for damage caused by processing that violates the GDPR and is attributable to that party's own breach.
Liability Cap: Each party's indemnification obligations under this Section 9 are subject to the aggregate liability cap set out in Section 5 of this DPA.
Appendix A: Details of the Processing
A.1 Categories of Data Subjects
- Authorized users of the Customer's Capme workspace (employees, contractors).
- External guest viewers accessing Customer-branded workspace landing pages.
A.2 Categories of Personal Data
- Account Identification: User corporate email addresses.
- Session Management: Authentication tokens (HttpOnly cookies).
- Workspace Configurations: Workspace names, custom branding assets, admin lists, and domain whitelisting settings.
- Operational Metadata: Anonymized recording telemetry (timestamps, durations, resolution metrics, and feature flags).
A.3 Nature and Purpose of Processing
The processing of configuration data and metadata is performed solely to provide, secure, and maintain the Capme screen-recording studio and workspace administrative dashboards as contracted under the Agreement.
A.4 Duration of Processing
Customer Personal Data will be processed for the duration of the active account subscription and purged or anonymized within a reasonable timeframe following service termination.
Appendix B: Authorized Sub-Processors
The following sub-processors are authorized to process Customer Personal Data as of the date of this DPA:
| Sub-Processor | Service | Location | Transfer Basis |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting | Germany (EU) | EEA — no transfer |
| Supabase Inc. | Authentication & database | AWS eu-west-1 (Ireland) | EEA — no transfer |
| OpenPanel | Product analytics | EU (on-premise) | EEA — no transfer |
| Better Stack | Error tracking & uptime monitoring | EU-hosted | EEA — no transfer |
| Plunk (useplunk.com) | Transactional email delivery | EU primary; AWS SES (US) transit | SCCs |
| Loops.so | Marketing & newsletter email | US | SCCs + EU-US DPF |
| Gcore | CDN & DDoS protection | Global (transit only) | SCCs |
Capme will notify the Customer by email at least 14 days before adding or replacing a sub-processor.
Appendix C: Technical and Organizational Security Measures
This appendix constitutes the full Technical and Organizational Measures (TOM) document for Capme.
Last reviewed: May 2026. Status: Active — Public Beta.
C.1 Local-First Architecture
Capme's primary security measure is architectural: video content never passes through Capme infrastructure.
- The browser's MediaRecorder Web API captures screen and webcam input.
- Data is written in real-time to OPFS (Origin Private File System) — a sandboxed browser storage area isolated from other origins, accessible only by the browser and the user's operating system.
- From OPFS, the user's OS can sync files to their own storage (OneDrive, SharePoint, Google Drive, S3, local folder). Capme has no involvement in and no visibility into this sync.
- A compromise of Capme infrastructure would expose only workspace configuration, recording metadata, and auth tokens (auto-rotated). Video content is completely unaffected.
C.2 Encryption in Transit
All communication between user browsers and Capme services uses TLS 1.2 minimum; TLS 1.3 preferred. This covers authentication, workspace configuration, analytics, error reporting, and transactional email delivery. Video content is never uploaded to Capme — there is no video data in transit to or from Capme servers.
C.3 Encryption at Rest
Video files are encrypted at rest by the user's own storage provider. OneDrive, SharePoint, Google Drive, and Amazon S3 use AES-256 by default; device-level encryption (BitLocker on Windows, FileVault on macOS) provides an additional layer. Capme holds no encryption keys for video content and cannot decrypt files. Workspace configuration and metadata are stored in an encrypted EU-hosted database. Encryption key management is handled by the database provider (Supabase; see Appendix B).
C.4 Authentication
- Email-based one-time passwords (OTP) — no stored passwords, nothing to phish or reuse.
- OTPs are generated by Supabase Auth and delivered via the transactional email provider (Plunk; see Appendix B).
- Rate limiting: 5 OTP requests per 15 minutes per email address, 20 per 15 minutes per IP.
- Session tokens (sb-*) are HttpOnly cookies, cleared on sign-out, and rotated automatically.
C.5 Workspace Access Control
Two provisioning methods are supported:
| Method | How it works | Security note |
|---|---|---|
| Domain whitelisting (recommended) | Users with a matching company email domain are automatically admitted to the workspace | Prevents personal email addresses from joining |
| Access links | Admin-generated link; anyone with the link can sign in | Convenient for contractors; disabling the link immediately revokes access for all users who joined via it |
Admin roles can manage branding, settings, domain whitelisting, access links, other admins, analytics, and billing. Video content is never accessible to admins via Capme.
C.6 Internal Access Control
- MFA required for all administrative access to production systems.
- Row-Level Security (RLS) enforces tenant isolation at the database layer: users can only access data belonging to their own workspace.
- Capme is operated by Steffen Rosenögger as a private individual.
- All administrative actions on production infrastructure are logged.
C.7 Cookie Security
| Cookie | Purpose | Attributes |
|---|---|---|
| sb-* | Authentication session | HttpOnly, cleared on sign-out |
| capme_guest_token | Guest viewer branding | SameSite=Lax, max-age 1 year, set server-side |
| NEXT_LOCALE | Language preference | SameSite=Lax, expires 1 year |
No marketing or tracking cookies are set. OpenPanel (analytics) and Better Stack (error tracking) set no cookies.
C.8 CDN and DDoS Protection
All traffic to capme.app passes through Gcore (CDN, DDoS protection, caching; see Appendix B). Gcore does not set cookies for standard CDN traffic and acts as a data processor under Art. 28 GDPR.
C.9 Analytics
OpenPanel runs on Capme's own on-premise server in Germany (EU). Data never leaves EU infrastructure and is never shared with third parties.
For all visitors: no cookies; IP addresses are processed transiently for geographic location (country/region) and are not stored in the analytics database. A daily-rotating cryptographic hash estimates unique visitors within a 24-hour window; no persistent identifier is stored on device. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
For logged-in users: events include a plan attribute ('business' or 'public') to distinguish session types. No user ID, email, name, or organisation identifier is sent to OpenPanel. Admin dashboard usage statistics are sourced from recording metadata stored separately in Supabase (see below), not from OpenPanel. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Anonymized recording metadata (duration, resolution, mode, branding usage) is stored in an EU-hosted database and automatically purged after 24 months.
C.10 Error Tracking
Technical errors (browser version, error stack traces) are logged by Better Stack (EU-hosted; see Appendix B) to support bug resolution. No user tracking, no cookies.
C.11 Offline Capability
Limited offline recording functionality may be available via the Capme Progressive Web App (PWA). This is an experimental feature; offline capability is not guaranteed, depends on browser and device configuration, and may be modified or removed at any time. Sessions remain valid for up to 7 days after last online authentication. Capme makes no warranty as to offline availability or reliability, and this feature does not constitute a commitment for use in air-gapped or network-restricted environments.
C.12 Security Program
Certifications: Capme holds no independent security certifications (SOC 2 Type II, ISO 27001) as of this document's date. EU-hosted sub-processors maintain their own certifications; see Appendix B.
Physical security: Capme operates no owned data centers. Physical security is governed by each sub-processor's own controls (see Appendix B).
Vulnerability management: Dependencies are monitored via automated tooling (Dependabot). Critical security patches applied within 7 days of public disclosure. The local-first architecture substantially limits the exploitable server-side attack surface.
Security review: An internal security review was conducted in May 2026 covering authentication, API, and data handling layers. All critical findings were remediated before deployment. An independent third-party penetration test is not yet scheduled.
Backup and recovery: Supabase maintains automated backups of workspace configuration and metadata on its standard schedule. Video data is not backed up by Capme — it resides on the user's own device and storage environment.
Secure development: Code changes are reviewed before deployment. The application is built on maintained open-source frameworks. No third-party code has access to user video data.
Personnel: Capme is operated by Steffen Rosenögger as a private individual.
Incident history: No security incidents or personal data breaches have occurred to date.
C.13 Data Minimization
Only an email address is required for registration — no name, phone number, or additional personal data. Analytics metadata is anonymized; no video content, audio, or screen data is collected server-side. No persistent identifiers are stored for unauthenticated visitors.
C.14 Purpose Limitation
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email / auth tokens | Authentication and service delivery | Art. 6(1)(b) — contract performance |
| Workspace configuration | Delivering the contracted service | Art. 6(1)(b) — contract performance |
| Recording metadata (paid plans) | Admin dashboards, service improvement | Art. 6(1)(f) — legitimate interest |
| Anonymous usage events | Service improvement | Art. 6(1)(f) — legitimate interest |
| Error data | Bug resolution | Art. 6(1)(f) — legitimate interest |
| Contact form data | Responding to inquiries | Art. 6(1)(f) — legitimate interest |
| Newsletter subscriptions | Marketing communications | Art. 6(1)(a) — consent |
C.15 Data Retention
| Data | Retention period |
|---|---|
| Recording metadata | 24 months, then automatically purged |
| Auth tokens | Duration of session, cleared on sign-out |
| OPFS video data | User-controlled; cleared by browser site data deletion |
| Contact form data | Processed transiently for delivery; not retained by Capme |
| Newsletter subscriptions | Until unsubscribe |
| Account and workspace data | Deleted on account deletion; may remain in encrypted backups up to 30 days |
| Billing records | Up to 10 years per German commercial law |
C.16 Breach Response
In the event of a security incident:
1. Contact security@capme.app.
2. Due to the local-first architecture, any breach of Capme infrastructure is limited to workspace configuration, recording metadata, and auth tokens (auto-rotated). Video content cannot be exposed in a Capme breach as it is never stored on Capme infrastructure.
3. Affected customers and relevant supervisory authorities will be notified per GDPR Art. 33–34 (72-hour notification window).
During the beta period, Capme may communicate changes to these measures via in-app notification rather than email. After general availability, material changes will be communicated by email or in-app notification and reflected in an updated DPA.
Status: Beta. Operated by a private individual in Germany.