Cosgn

Data Processing Addendum

Effective Date: December 11, 2025

Version: 1.0

Part of: Cosgn Terms of Service

Applies To: All Cosgn brands, including Launch In Ten, Lvabl, Cosgn Pay, Cosgn Cloud, Cosgn Hi, Cosgn Credit, RECOSGN, Clloser, and all future Cosgn brands covered under section 0 (Unified Entity) of the Master Terms.

This Data Processing Addendum (“DPA”) forms part of the Cosgn Terms of Service (the “Master Terms”) and governs Cosgn’s processing of personal data on behalf of Members where Cosgn acts as a Data Processor or Service Provider under applicable privacy laws. This DPA does not apply where Cosgn acts as a Data Controller (see the Privacy Policy and section 0 of the Master Terms).

Capitalized terms used but not defined in this DPA have the meaning given to them in the Master Terms.

Nothing in this DPA creates duties, warranties, or liabilities beyond those permitted in the Master Terms, nor does it override section 10 (Warranties; Disclaimers), section 12 (Limitation of Liability), section 21 (Survival), or any Unified Entity protections in section 0.

1. Definitions and Roles

1.1 Member as Controller

The Member is the Data Controller, “Business,” or equivalent under applicable laws, including GDPR, UK GDPR, Law 25, CPRA and similar US state laws, and PIPEDA.

1.2 Cosgn as Processor

Cosgn acts as a Data Processor, “Service Provider,” or “Processor” solely for the limited purposes of providing the Services defined in the Master Terms and any applicable Statement of Work.

1.3 Member Data

For purposes of this DPA, “Member Data” means personal information that the Member or its users upload to, store in, or process through the Services where Cosgn acts as a Processor or Service Provider on the Member’s documented instructions.

Account-level information that Cosgn processes for its own purposes (for example, fraud prevention, billing, security monitoring, analytics, and regulatory compliance) is handled by Cosgn as an independent Controller, as described in the Privacy Policy.

1.4 Unified Entity Application

Consistent with section 0 of the Master Terms, all Cosgn brands, divisions, trade names, and future entities operate as a unified legal framework. This DPA extends to all Cosgn Services and all current and future Cosgn brands automatically. No Cosgn brand operates as a separate data controller or separate legal entity.

1.5 No Assumption of Controller Duties

Cosgn does not act as a Controller or joint Controller for Member Data unless explicitly stated in the Privacy Policy or an executed addendum. All remaining processing of Member Data is strictly on behalf of the Member as Controller or Business.

2. Purpose and Scope of Processing

Cosgn processes Member Data solely to deliver, maintain, secure, and support the Services, including:

• hosting, storage, and deployment services (including Cosgn Cloud)

• website and app development workflows and related configurations

• analytics required for infrastructure performance, security, and capacity planning

• customer support and operational communication

• Cosgn Credit administration and membership account management

• fraud detection, abuse prevention, and compliance checks

• backup, redundancy, and service continuity operations

• billing, verification, and payment-related activities

• compliance with legal, regulatory, and audit obligations

The duration of Cosgn’s processing of Member Data is the duration of the Services under the Master Terms and any applicable Statement of Work, plus any additional retention period permitted or required under section 7 of this DPA and the Cosgn Data Retention Schedule.

Cosgn does not:

• sell personal data

• share personal data for advertising or cross-context behavioral advertising

• use Member Data for Cosgn’s own independent commercial purposes

• train AI models on Member Data except where such data is anonymized, aggregated, or otherwise de-identified in a way that no longer identifies the Member or its end users

All processing is strictly limited to what is necessary to provide the Services, enforce the Master Terms, and comply with legal obligations.

For clarity, the Member’s documented instructions to Cosgn consist of:

• the Master Terms, this DPA, and any applicable Statement of Work,

• configuration, settings, and options selected by the Member inside the Services, and

• any additional written instructions that the Member submits to Cosgn and that Cosgn expressly accepts.

Cosgn may rely on any such instructions as being duly authorized by the Member.

For clarity, to the extent Cosgn converts Member Data into de-identified or aggregated information that cannot reasonably be linked to an identified or identifiable individual or Member, Cosgn may use such de-identified or aggregated information for lawful business purposes, including analytics, capacity planning, service improvement, and security research. Such de-identified or aggregated information is not treated as Member Data under this DPA.

2.1 Lawful Instructions

The Member represents and warrants that its documented instructions to Cosgn, including any configurations, settings, or workflows it enables within the Services, will not cause Cosgn to violate applicable law. If Cosgn reasonably believes that an instruction from the Member violates applicable law or materially increases security or regulatory risk, Cosgn may suspend the relevant processing until the instruction is clarified, modified, or withdrawn. Cosgn will notify the Member of any such suspension where legally permitted.

3. Sub-processors

3.1 Authorization

The Member provides a general written authorization for Cosgn to engage sub-processors necessary to provide the Services.

Sub-processors may include:

• cloud infrastructure and hosting providers

• data storage and backup vendors

• authentication and identity providers

• ticketing, CRM, and support platforms

• fraud detection, risk, and security vendors

• monitoring, logging, and analytics vendors

• email, SMS, and push notification providers

3.2 Sub-processor Obligations

All sub-processors engaged by Cosgn:

• are contractually bound by confidentiality and data protection obligations that are no less protective than those imposed on Cosgn under this DPA

• act only under Cosgn’s documented instructions

• must implement appropriate technical and organizational security measures

• are prohibited from using Member Data for their own independent purposes

3.3 Transparency and Changes

Cosgn maintains a current list of material sub-processors available upon request at [email protected]. Cosgn may notify Members, via the Help Centre, email, or other reasonable means, before materially adding or replacing sub-processors, unless earlier deployment is required for security, continuity, or incident response.

Where applicable law grants a right to object to a new sub-processor, the Member’s sole remedy is to discontinue the affected Service after reasonable efforts to resolve the objection in good faith.

4. International Transfers

Consistent with the Privacy Policy and sections 5, 15, and 25 of the Master Terms, Cosgn may transfer and process personal data internationally, including in:

• Canada

• the United States

• the European Union

• the United Kingdom

• other permitted jurisdictions

Transfers rely on one or more of the following legal mechanisms, as applicable:

• EU Standard Contractual Clauses (SCCs)

• the UK Addendum or UK International Data Transfer Agreement

• Québec Law 25 transfer impact assessments

• PIPEDA-compliant contractual protections

• adequacy decisions, where applicable

• encryption, access controls, and other technical safeguards to reduce cross-border risk

Cosgn will not knowingly transfer Member Data to sanctioned jurisdictions or prohibited parties in violation of section 15.2 (Sanctions and High-Risk Markets) of the Master Terms.

5. Security Measures

Cosgn implements administrative, technical, and physical safeguards that are proportionate to the nature of the data and risks, which may include:

• encryption in transit and at rest where appropriate

• access controls and role-based permissions

• multi-factor authentication for sensitive internal systems

• network-level protections, firewalls, segmentation, and rate limiting

• data minimization and environment isolation

• audit logging and monitoring of key systems

• incident detection, triage, and response procedures

• vulnerability management and regular patching

• sub-processor oversight and contractual controls

Cosgn does not guarantee perfect security, uninterrupted access, or immunity from incidents. All disclaimers, limitations of liability, and no-duty clauses in sections 10 and 12 of the Master Terms continue to apply in full.

6. Security Incident Notification

Cosgn will notify the Member without undue delay after confirming a personal data breach affecting Member Data processed by Cosgn as Processor or Service Provider.

Such notification will include, to the extent reasonably available at the time:

• the nature of the incident

• the types of Member Data that may be affected

• general steps taken or planned to contain and remediate the incident

• guidance for the Member, where appropriate

Cosgn is not required to provide full forensic reports, internal logs, system diagrams, or other proprietary information, and nothing in this DPA requires Cosgn to admit fault or liability.

The Member is responsible for determining whether to notify regulators, affected individuals, or other parties and for the content of any such notices, except where Cosgn is acting as an independent Controller under the Privacy Policy.

7. Deletion and Return of Data

Upon termination or expiration of the Services, and subject to section 5.5 (Data Retention and Exit Procedures), section 21 (Survival), and any applicable legal or regulatory retention requirements:

• Cosgn will delete or anonymize Member Data in accordance with the Cosgn Data Retention Schedule.

• The Member may request a data export within the applicable retention window described in the Retention Schedule and the Master Terms.

• Data required for legal, tax, audit, fraud, or regulatory obligations may be retained as long as necessary for those purposes.

• If the account is in default or unresolved under section 3.4 (Default; Remedies; Administrative Control; 12-Month Rule), Member Data may be retained and handled in accordance with that section.

Cosgn has no obligation to retain Member Data beyond defined retention periods or beyond what is required by law, nor to reconstruct data that the Member has failed to back up independently.

7.1 Member Confidential Information Carve-Out

Nothing in this DPA requires Cosgn to store, retain, or preserve Member Confidential Information beyond the retention timelines, destruction requirements, or exit procedures described in the Master Terms and the Cosgn Data Retention Schedule. Cosgn may delete or anonymize such Member Confidential Information in accordance with those policies, and the Member is solely responsible for maintaining independent backups or archival copies of any data it wishes to retain.

8. Member Obligations

These obligations apply regardless of any settings, workflows, features, or tools made available within the Services, and cannot be delegated, shifted, or transferred to Cosgn.

The Member bears sole and exclusive responsibility for all processing activities relating to Member Data and for all configurations, workflows, and integrations the Member enables within the Services. The Member’s obligations include, without limitation:

8.1 Lawfulness, Notices, and Consents

The Member is solely responsible for:

• determining the lawful basis for collecting, using, storing, and transferring personal data

• providing all required privacy notices to end users, customers, employees, and any other data subjects

• obtaining, managing, and documenting all required consents and authorizations

• ensuring Member Data is accurate, lawful, and collected in compliance with applicable privacy, marketing, and consumer protection laws

8.2 Data Restrictions

The Member must not upload, store, or process through the Services:

• unlawful personal data

• personal data that the Member does not have the legal right to process

• highly sensitive categories of data (including health information, financial account numbers, government-issued identifiers, or biometric identifiers) unless a lawful basis exists and Cosgn has provided explicit prior written approval

8.3 Configuration and Use of the Services

The Member is solely responsible for:

• configuring its websites, applications, forms, consent flows, cookies, APIs, and integrations in a manner compliant with all applicable laws

• determining whether the Services are suitable for the Member’s intended purpose

• implementing any required privacy, security, or compliance controls within its own systems

• ensuring that Member-selected settings, workflows, and customizations do not violate law or create risk

Cosgn has no obligation to validate, review, or supervise the Member’s configuration or use of the Services.

8.4 Member Systems and Integrations

The Member is solely responsible for any transfer, export, synchronization, or duplication of personal data into:

• the Member’s own systems

• third-party platforms, tools, or integrations selected or configured by the Member

Cosgn has no obligation to:

• track or delete external copies of data

• audit or assess third-party environments

• ensure the security or compliance of tools the Member chooses to use

8.5 No Representations of Compliance

Cosgn does not warrant or represent that the Member’s use of the Services will satisfy, meet, or demonstrate compliance with any law, regulation, industry standard, or contractual obligation applicable to the Member.

The Member remains solely responsible for evaluating and ensuring its own compliance framework, including privacy, security, accessibility, e-commerce, financial, advertising, and marketing requirements.

8.6 No Duty to Monitor or Validate Member Data

Cosgn has no obligation to:

• monitor Member Data or end-user content

• verify the accuracy, completeness, or legality of Member Data

• review Member Data for compliance

• detect misuse, misconfiguration, or violations of law

• screen Member Data for sensitive or prohibited categories

Any processing performed by Cosgn is reactive and based solely on the Member’s documented instructions.

8.7 No Legal, Regulatory, or Compliance Advice

Cosgn does not:

• provide legal, compliance, regulatory, tax, accounting, or governance advice

• interpret laws or determine Member obligations

• advise the Member on whether its practices are lawful

Any documentation, guidance, or support from Cosgn is informational only and does not constitute legal advice. The Member must obtain its own professional, legal, or regulatory counsel.

8.8 End-User and Consumer Rights Requests

The Member is solely responsible for responding to privacy, consumer, or data subject requests directed to the Member or to Member-controlled systems. The Member must implement processes to verify the identity of requesters and provide required responses.

8.9 Member Accountability

The Member is fully liable for:

• its own compliance with applicable laws

• actions or omissions of its personnel, agents, or subcontractors

• the accuracy, legality, and content of all Member Data

• the consequences of data entered, uploaded, or transmitted by the Member

• misuse of the Services arising from the Member’s configuration, settings, or integrations

The Member is responsible for ensuring that its end users, customers, contractors, and any parties acting under its direction do not misuse the Services or violate applicable laws.

Nothing in this DPA transfers Controller obligations, risks, or liabilities to Cosgn.

9. Data Subject and Consumer Requests

When Cosgn receives a data subject or consumer request (for example, access, deletion, correction, or opt-out) that:

• relates to Member Data, and

• identifies the Member as the Controller or Business,

Cosgn will, where legally permitted:

• either direct the requester to contact the Member, or

• notify the Member so that the Member can respond.

Cosgn will not respond directly to such requests on the Member’s behalf unless:

• required by applicable law, or

• expressly agreed in a separate written agreement.

For personal information that Cosgn processes as an independent Controller (such as account-level, billing, security, or fraud-prevention data), Cosgn will handle requests in accordance with its Privacy Policy.

10. Audits and Demonstrations of Compliance

To the extent required by applicable law and subject to confidentiality, security, and the Unified Entity framework:

• Cosgn will make available information or documentation reasonably necessary to demonstrate compliance with this DPA, which may include independent audit reports or certifications from Cosgn’s sub-processors.

• Any audit or inspection requested by the Member must be reasonable in scope and frequency, limited to Cosgn’s processing of Member Data, and must not compromise the security or confidentiality of Cosgn’s systems, other Members’ data, or proprietary information.

• Remote or document-based audits are preferred. Onsite audits, where permitted, may require a separate written audit agreement and may be refused if they create security, privacy, or operational risk.

The Member bears all costs associated with any audits it initiates.

Nothing in this section requires Cosgn to disclose detailed security architecture, proprietary tooling, source code, internal vulnerability data, or configurations that could weaken the security of the Services.

11. Priority and Conflict

If any provision of this DPA conflicts with the Master Terms:

• the Master Terms control, except

• where a specific obligation in this DPA is required by applicable privacy law and cannot be contracted out, in which case the legally required portion controls for that limited topic only.

Nothing in this DPA:

• expands Cosgn’s liability beyond the limitations and exclusions in section 12 of the Master Terms

• creates new warranties beyond those disclaimed in section 10 of the Master Terms

• modifies the Unified Entity protections or survival provisions in sections 0 and 21 of the Master Terms

12. Survival

All provisions of this DPA that by their nature should survive termination, including those relating to confidentiality, security, international transfers, deletion, legal retention, and audit records, survive in accordance with section 21 (Survival) of the Master Terms and apply across all current and future Cosgn brands.

13. No Third-Party Beneficiaries

This DPA creates rights and obligations only between Cosgn and the Member. No other person or entity has any rights under this DPA, and no third party is intended to be a beneficiary of it.

Cosgn Data Processing Addendum (Summary)

Effective Date: December 7, 2025

This summary is for convenience only and does not replace the legally binding DPA, which forms part of the Cosgn Master Terms.

Your Role and Our Role

• You (the Member) are the Data Controller or Business.

• Cosgn is the Data Processor or Service Provider, meaning we process data only to provide the Services, except where the Privacy Policy describes Cosgn as an independent Controller for account-level activities.

What We Use Data For

We process personal information to:

• host and operate websites and applications

• support Members

• operate Cosgn Credit and memberships

• maintain platform security and stability

• comply with legal, tax, and regulatory obligations

Sub-processors

Cosgn uses trusted vendors (for example, hosting, analytics, support systems). All sub-processors:

• act only under Cosgn’s instructions

• must protect data with appropriate safeguards

• cannot use Member Data for their own independent purposes

International Transfers

Data may be stored or processed in Canada, the United States, or other approved regions. Cosgn uses safeguards such as SCCs, the UK Addendum, and Law 25 transfer assessments, in line with the Privacy Policy.

Security

Cosgn maintains industry-standard safeguards, including:

• encryption

• access controls

• monitoring and logging

• incident response procedures

Your Responsibilities

You must:

• tell your end users how you use their data

• collect consent where required

• upload only lawful data

• comply with the laws in your jurisdiction

• configure your sites and apps responsibly

Deletion

When your membership ends:

• you may request a data export within the applicable retention window

• after this window, data is deleted or anonymized per the Retention Schedule and legal requirements

Controller–Processor Agreement (CPA) – Enterprise Amendment

For enterprise clients who require an explicit Controller–Processor Agreement in addition to the DPA.

Controller–Processor Agreement (CPA)

Effective Date: December 7, 2025

Part of: Enterprise Statement of Work (SOW) + Master Terms + DPA

1. Purpose

This Agreement governs the processing of personal data where the Member is the Controller and Cosgn is the Processor in the context of an Enterprise SOW.

2. Processing Instructions

Cosgn will process personal data only:

• under the Member’s documented instructions

• for the purposes contained in the SOW, Master Terms, Privacy Policy, and DPA

• for security, fraud prevention, billing, and compliance

If Cosgn reasonably believes an instruction violates applicable law, Cosgn may suspend the relevant processing until the instruction is clarified, modified, or withdrawn.

3. Member Responsibilities

The Member must:

• ensure personal data is collected and used lawfully

• provide appropriate privacy notices and obtain required consents

• maintain accuracy and legitimacy of data

• configure systems and use the Services in compliance with applicable law

Cosgn does not assume Controller duties for Member Data.

4. Security Measures

Cosgn will maintain the safeguards described in the DPA and Privacy Policy and may update them from time to time to maintain a reasonable level of protection.

5. Audit Rights (Enterprise Only)

Upon written request and subject to the conditions in section 10 of this DPA:

• Cosgn will provide documentation reasonably sufficient to demonstrate compliance

• audits must be limited, non-invasive, and protect Cosgn’s IP and other Members’ data

• onsite audits, if allowed, require a signed Audit Agreement and may be refused where they pose risk

6. Sub-processors

The Member authorizes Cosgn to use sub-processors as described in section 3 of this DPA. Changes may be communicated through the Help Centre, email, or other reasonable channels.

7. International Transfers

International transfers of personal data are handled in accordance with section 4 of this DPA, the Privacy Policy, and applicable law, including SCCs, the UK Addendum, and Law 25 methodology.

8. Term and Termination

This CPA terminates automatically when:

• the applicable Enterprise SOW ends, or

• the Master Terms terminate,

whichever occurs first. Surviving obligations remain per section 21 of the Master Terms and section 12 of this DPA.

US State Privacy Addendum (CPRA, Colorado, Virginia, Connecticut, Utah)

US State Privacy Addendum

Effective Date: December 7, 2025

Applies To: California, Colorado, Virginia, Connecticut, Utah, and similar US state privacy regimes where the Member is subject to such laws.

1. Roles

Cosgn acts as a “Service Provider” or “Processor” under applicable US state privacy laws.

The Member acts as the “Business” or “Controller.”

2. Prohibited Uses

For personal information subject to these laws, Cosgn will not:

• sell or share personal information as those terms are defined in applicable law

• use personal information for cross-context behavioral advertising or targeted advertising

• retain, use, or disclose personal information outside the scope of the business relationship, except as permitted by law

• combine personal information across Members except for security, fraud prevention, debugging, or service improvement permitted by law

3. Consumer Requests

Where required by law, Cosgn will provide reasonable assistance to enable the Member to respond to verified consumer requests relating to Member Data, including:

• access, correction, or deletion

• opt-out preferences where applicable

4. Monitoring and Documentation

Upon reasonable request, Cosgn will make available:

• documentation describing its service provider or processor status

• relevant third-party certifications or reports, where available

5. Sensitive Data

The Member must not upload or direct Cosgn to process sensitive personal information (such as precise geolocation, financial account numbers, or health information) unless:

• such processing is permitted by applicable law, and

• Cosgn has explicitly agreed in writing to support that processing.

6. Certification

Cosgn certifies that it understands and will comply with the restrictions applicable to Service Providers and Processors under relevant US state privacy laws when handling Member Data, and will notify the Member without undue delay if Cosgn determines that it can no longer meet these obligations.

UK GDPR Addendum

Effective Date: December 7, 2025

1. International Transfers

For transfers of personal data subject to UK GDPR from the United Kingdom to countries without adequacy, Cosgn relies on:

• the UK International Data Transfer Addendum or UK IDTA, and

• any future equivalent mechanism approved by UK authorities.

2. UK Representation

Where Cosgn is required by UK law to appoint a representative, details will be provided in the Privacy Policy and on cosgn.com/legal. The Member is responsible for its own compliance with UK GDPR as Controller.

EU GDPR Addendum

Effective Date: December 7, 2025

1. Lawful Basis

The Member, as Controller, is solely responsible for determining and documenting the lawful basis for processing personal data under EU GDPR.

2. Data Subject Rights

Cosgn will provide reasonable assistance, as described in sections 8 and 9 of this DPA, to enable the Member to respond to data subject requests relating to Member Data.

3. Data Protection Impact Assessments

Upon request, Cosgn will provide available technical and organizational information reasonably necessary for the Member to perform a Data Protection Impact Assessment (DPIA). Cosgn does not conduct DPIAs on behalf of the Member and does not provide legal advice.

Québec Law 25 Appendix

Law 25 Appendix

Effective Date: December 7, 2025

Applies To: Members and end users subject to Québec privacy law.

1. Transfer Impact Assessments

Before communicating personal information outside Québec, Cosgn conducts a transfer impact assessment that considers:

• the sensitivity of the information

• the purposes of processing

• the safeguards applied by service providers

• the legal regime of the destination country and residual risks

2. Breach Notifications

Where required by Law 25, Cosgn will notify:

• the Member

• the Commission d’accès à l’information (CAI), and

• affected individuals when a confidentiality incident presents a risk of serious injury,

in accordance with the Privacy Policy and this DPA.

3. Governance

Cosgn maintains:

• a record of confidentiality incidents

• internal access and activity logs, where appropriate

• transparency regarding material sub-processors

• technical and organizational safeguards (including encryption and access controls) appropriate to the risks

Vendor and Sub-processor DPA (Cosgn to Vendors)

Cosgn Vendor Data Processing Addendum

Effective Date: December 7, 2025

This section describes the minimum data protection obligations Cosgn imposes on vendors and sub-processors that process personal data on Cosgn’s behalf. It does not create third-party beneficiary rights for Members or any other party.

1. Purpose

Vendor processes personal data only to provide contracted services to Cosgn, in accordance with Cosgn’s documented instructions.

2. Restrictions

Vendor must not:

• sell personal data

• use personal data for advertising, analytics, or other purposes outside the scope of services for Cosgn

• combine Cosgn data with other client data except as necessary for security, fraud prevention, or service improvement consistent with Cosgn’s instructions

• subcontract processing to another party without Cosgn’s prior written approval, and any approved sub-processor must be bound by written obligations no less protective than those in this Vendor DPA

• process personal data outside agreed territories without authorization from Cosgn

3. Security

Vendor must maintain appropriate technical and organizational security measures, including:

• encryption where appropriate

• access controls and role-based permissions

• documented incident response procedures

• vulnerability management and patching practices

• logical separation of customer environments and data

4. Assistance and Cooperation

Vendor will provide reasonable assistance to Cosgn, at Cosgn’s request and subject to applicable law, in connection with:

• responding to data subject or consumer requests that involve personal data processed by Vendor for Cosgn, and

• regulatory inquiries, investigations, or audits relating to such processing.

Any such assistance must not require Vendor to disclose proprietary information unrelated to the services provided to Cosgn.

5. Incident Notification

Vendor must notify Cosgn promptly and, in any event, no later than 48 hours after becoming aware of a personal data breach that affects Cosgn data, providing available details and cooperating with Cosgn’s response.

6. Confidentiality

Vendor must ensure that its personnel are bound by confidentiality obligations that are consistent with this Vendor DPA and the Master Terms.

7. Return and Deletion

Upon termination or expiration of the vendor relationship, Vendor must delete or return personal data processed on behalf of Cosgn, unless retention is required by law. Vendor must certify deletion upon request where feasible.

8. No Third-Party Beneficiaries

This Vendor DPA is between Cosgn and the Vendor. Members and other third parties have no rights to enforce this Vendor DPA and are not third-party beneficiaries of it.