Data Processing Addendum

Assembly Labs Inc. · Version 1.2 · Last updated July 14, 2026

This Data Processing Addendum ("DPA") forms part of and is incorporated into the agreement between the customer identified in that agreement ("Customer") and Assembly Labs Inc., a Delaware corporation that provides the Ordinal service ("Ordinal"), for Customer's use of the Ordinal services—being Ordinal's Terms of Serviceor a separately executed agreement between the parties (in either case, the "Agreement," and the services provided under it, the "Services"). This DPA applies where and to the extent Ordinal Processes Personal Data on behalf of Customer in providing the Services. In the event of a conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA controls.

1. Definitions

Capitalized terms used but not defined in this DPA have the meaning given in the Agreement. In this DPA:

"Data Protection Laws"means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the EU General Data Protection Regulation 2016/679 ("EU GDPR"); the UK GDPR and the Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("FADP"); and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA").

"Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Personal Data Breach," and "Supervisory Authority" have the meanings given in the GDPR. Where the CCPA applies, "Business," "Service Provider," "Consumer," "Sell," "Share," and "Personal Information" have the meanings given in the CCPA.

"Customer Personal Data" means the Personal Data that Ordinal Processes on behalf of Customer under the Agreement, as described in Annex I.

"Sub-processor" means any third party engaged by Ordinal to Process Customer Personal Data.

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914.

"UK Addendum" means the International Data Transfer Addendum to the EU SCCs, template B.1.0 issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, as revised under its mandatory clauses.

"Technical and Organizational Measures" or "TOMs" means the security measures set out in Annex II.

2. Roles and Scope

(a) For Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) and Ordinal is the Processor (or Sub-processor). Where the CCPA applies, Customer is the Business and Ordinal is the Service Provider.

(b) Annex I sets out the subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects.

(c) This DPA applies only to Ordinal's Processing of Customer Personal Data as a Processor. It does not apply to data for which Assembly Labs Inc. is an independent Controller, including account administration, billing, security, and its own product analytics, which is Processed in accordance with the Privacy Policy.

3. Processing Instructions and Customer Responsibilities

(a) Ordinal shall Process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement and this DPA and as necessary to provide the Services, unless required to do otherwise by applicable law. Where legally permitted, Ordinal shall inform Customer of that legal requirement before Processing.

(b) The Agreement, together with Customer's configuration and use of the Services, constitutes Customer's complete and documented instructions.

(c) Ordinal shall inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

(d) Customer is responsible for the accuracy, quality, and legality of Customer Personal Data; the means by which Customer acquired it; and the instructions Customer provides to Ordinal.

(e) Customer represents and warrants that it has all lawful bases, rights, consents, authorizations, and notices necessary for Ordinal to Process, disclose, and transfer Customer Personal Data as contemplated by the Agreement and this DPA, and that Customer's instructions will not cause Ordinal to violate Data Protection Laws.

(f) The Services are not intended for the Processing of special-category or similarly sensitive Personal Data. Customer shall not intentionally submit such data unless the parties first agree in writing to appropriate additional safeguards. Customer remains responsible for any such data it submits contrary to this restriction.

(g) Ordinal may generate and use aggregated or de-identified information derived from the Services for analytics, security, and improvement of the Services, provided it does not identify Customer or any Data Subject and cannot reasonably be re-identified. Such information is not Customer Personal Data.

4. Confidentiality

(a) Ordinal shall ensure that persons authorized to Process Customer Personal Data are bound by an appropriate contractual or statutory duty of confidentiality.

(b) Ordinal limits access to Customer Personal Data to personnel who require access to provide the Services, on a least-privilege, need-to-know basis.

5. Security

(a) Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects, Ordinal shall implement and maintain commercially reasonable TOMs designed to provide a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

(b) Ordinal may update its TOMs from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.

6. Sub-processors

(a) Customer provides Ordinal with general authorization to engage Sub-processors to Process Customer Personal Data. Ordinal's current Sub-processors are listed in Annex III and maintained on the Subprocessors page.

(b) Ordinal shall enter into a written agreement with each Sub-processor imposing data protection obligations that are materially no less protective than those applicable to Ordinal under this DPA.

(c) Ordinal shall provide at least fifteen (15) days' prior notice of an intended addition or replacement by updating the Subprocessors page and emailing Customers who have requested notifications at hi@tryordinal.com. Customer may object within that period on reasonable, documented grounds relating to data protection. If the parties cannot resolve the objection, Customer may, as its sole and exclusive remedy, terminate only the affected portion of the Services. Customer remains responsible for fees incurred before termination. If an urgent replacement is reasonably necessary for security or continuity, Ordinal may engage the replacement before notice and shall notify Customer as soon as reasonably practicable.

(d) Ordinal remains liable to Customer for each Sub-processor's performance of its data protection obligations to the extent Ordinal would be liable if it performed the relevant Processing itself, subject to Section 14.

7. Data Subject Rights

(a) Customer is responsible for receiving and responding to requests from Data Subjects concerning Customer Personal Data. Taking into account the nature of the Processing, Ordinal shall provide appropriate technical and organizational measures and reasonable assistance, insofar as reasonably possible, to help Customer fulfill its obligations.

(b) If Ordinal receives a request from a Data Subject relating to Customer Personal Data, Ordinal shall, unless legally prohibited, promptly forward it to Customer and shall not respond directly except to confirm receipt, direct the Data Subject to Customer, follow Customer's documented instructions, or comply with applicable law.

8. Personal Data Breach

(a) Ordinal shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

(b) To the extent known and reasonably available, the notification shall describe the nature of the Personal Data Breach; the categories and approximate numbers of affected Data Subjects and records; its likely consequences; a contact point; and the measures taken or proposed to address it. Information may be provided in phases as it becomes available.

(c) Ordinal shall take reasonable steps to mitigate and remediate the Personal Data Breach and provide reasonable assistance with Customer's notification obligations. Notice or response shall not be construed as an admission of fault or liability by Ordinal.

9. Compliance Assistance

(a) Taking into account the nature of the Processing and the information available to Ordinal, Ordinal shall provide reasonable assistance with Customer's obligations under Articles 32 through 36 of the GDPR, including data protection impact assessments and prior consultations with Supervisory Authorities, in each case only as they relate to Ordinal's Processing of Customer Personal Data.

(b) To the extent permitted by Data Protection Laws, Customer shall reimburse Ordinal's reasonable costs for materially burdensome assistance beyond standard Service functionality, except to the extent the assistance is required because of Ordinal's material breach of this DPA.

10. International Transfers

(a) Ordinal shall not make a restricted transfer of Customer Personal Data originating from the EEA, United Kingdom, or Switzerland without an appropriate transfer mechanism under Data Protection Laws.

(b) For a restricted transfer subject to the EU GDPR, the EU SCCs are incorporated by reference and deemed executed. Module Two applies where Customer is a Controller and Module Three where Customer is a Processor. Clause 7 does not apply; Clause 9 uses Option 2 with the notice period in Section 6; the optional language in Clause 11 does not apply; Clause 17 is governed by Irish law; and Clause 18(b) designates the courts of Ireland. Annexes I, II, and III of this DPA populate the corresponding EU SCC annexes.

(c) For a restricted transfer subject to the UK GDPR, the EU SCCs as completed in Section 10(b) apply together with the UK Addendum completed in Annex IV.

(d) For a transfer subject to the FADP, the EU SCCs apply with references to the GDPR interpreted as references to the FADP; the Swiss Federal Data Protection and Information Commissioner is the competent authority; and the term "Member State" shall not prevent a Data Subject in Switzerland from bringing proceedings in Switzerland. Where a transfer is exclusively subject to the FADP, Clauses 17 and 18 shall refer to Swiss law and Swiss courts.

(e) The parties shall cooperate in documenting any transfer assessment required by Data Protection Laws. If a transfer mechanism ceases to be valid, Ordinal may implement an alternative lawful mechanism. In a conflict involving a restricted transfer, the EU SCCs or UK Addendum, as applicable, prevail.

11. California Consumer Privacy Act

(a) To the extent Ordinal Processes Personal Information subject to the CCPA on behalf of Customer, Ordinal acts as a Service Provider and shall not: (i) Sell or Share it; (ii) retain, use, or disclose it for a purpose other than the business purposes specified in the Agreement and this DPA, or as otherwise permitted by the CCPA; (iii) retain, use, or disclose it outside the direct business relationship between the parties; or (iv) combine it with Personal Information obtained from other sources, except as permitted by the CCPA.

(b) Ordinal shall provide the same level of privacy protection required of Customer by the CCPA, certifies that it understands and will comply with these restrictions, and shall notify Customer if it determines that it can no longer meet them.

(c) Upon reasonable notice of unauthorized Processing, the parties shall work in good faith to stop and remediate it. Customer may take reasonable and appropriate steps to help ensure that Ordinal's Processing is consistent with Customer's CCPA obligations.

12. Return or Deletion

Upon termination or expiry of the Agreement, Ordinal shall, at Customer's choice communicated within thirty (30) days, provide an export of Customer Personal Data in a commonly used, machine-readable format or delete it. Ordinal shall delete remaining Customer Personal Data and existing copies within thirty (30) days after that period or delivery of an export, unless applicable law requires continued storage. Data in routine backups shall be isolated from active Processing, remain protected by this DPA, and be deleted in the ordinary backup cycle and in any event within ninety (90) days. Ordinal shall certify deletion upon written request. Data retained by law shall be Processed only for the legally required purpose.

13. Audit

(a) Ordinal shall make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as required by Article 28(3)(h) of the GDPR.

(b) Ordinal shall first satisfy this obligation through its standard security documentation, a reasonable security questionnaire, a description of its TOMs, and available information concerning relevant Sub-processor attestations. Ordinal does not operate physical data centers or on-premises hosting infrastructure.

(c) An additional audit may be conducted only where the documentation is reasonably demonstrated to be insufficient, a Supervisory Authority requires it, Customer has reasonable documented concerns of material non-compliance, or a Personal Data Breach materially affects Customer Personal Data. Except where a Supervisory Authority requires otherwise, audits are limited to once in any twelve-month period, require at least thirty (30) days' prior notice, occur during business hours, and shall be remote where practicable.

(d) An auditor must be qualified, independent, bound by confidentiality, and not a competitor of Ordinal. An audit may not expose another customer's data, source code, security-sensitive information, or information Ordinal is prohibited from disclosing, and may not unreasonably disrupt operations. Customer bears audit costs unless the audit establishes Ordinal's material non-compliance with this DPA.

14. Liability

To the maximum extent permitted by law, each party's liability arising out of or related to this DPA, including interparty liability relating to the EU SCCs or UK Addendum, is subject to the limitations and exclusions in the Agreement. This DPA does not limit rights of Data Subjects or Supervisory Authorities that cannot lawfully be limited, and does not expand either party's liability beyond what Data Protection Laws require.

15. Term

This DPA takes effect on the effective date of the Agreement and remains in effect until Ordinal has ceased all Processing of Customer Personal Data.

16. General

(a) In a conflict, this DPA prevails over the Agreement regarding the Processing of Customer Personal Data, and the EU SCCs or UK Addendum prevail regarding a restricted transfer.

(b) This DPA is governed by the governing law and jurisdiction specified in the Agreement, except to the extent Data Protection Laws, the EU SCCs, or the UK Addendum require otherwise.

(c) Except for enforceable rights granted to Data Subjects under the EU SCCs or UK Addendum, this DPA creates no third-party beneficiary rights. If any provision is invalid or unenforceable, the remaining provisions continue in effect.

(d) By entering into an Agreement that incorporates this DPA, or by executing this DPA separately, the parties agree to be bound by it and are deemed to have executed the EU SCCs and UK Addendum where applicable.

Annex I — Description of the Processing

A. List of Parties

Data Exporter / CustomerCustomer's legal name, address, relevant contact details, and role are those specified in the Agreement, order form, or Customer account. Customer may act as Controller or Processor. Activities: use of the Services and transfer of Customer Personal Data as described below.
Data Importer / ProcessorAssembly Labs Inc., a Delaware corporation, 2261 Market Street, STE 86563, San Francisco, CA 94114, United States. Contact: hi@tryordinal.com. Role: Processor. Activities: provision of the Services.

B. Description of the Processing

Categories of Data SubjectsCustomer's authorized users, personnel, contractors, clients, and collaborators; and contacts, audience members, social media followers, engagers, and other individuals whose Personal Data is submitted to or appears in content managed through the Services.
Categories of Personal DataNames, email addresses, internal user and workspace identifiers, usernames and social handles, profile information and images; posts, drafts, media, comments, messages, engagement and audience information; IP addresses, device and browser information, activity and diagnostic logs, link analytics; OAuth and integration tokens; and other Personal Data Customer elects to submit through the Services.
Special-category dataNone intended. Customer shall not intentionally submit such data without prior written agreement. If such data is incidentally included in Customer content, it is subject to purpose limitation, confidentiality, least-privilege access, encryption, logging, and the other TOMs in Annex II.
Nature and purposeHosting, organizing, drafting, collaborating on, scheduling, publishing, analyzing, and managing social media content and related communications; generating or reviewing content using AI at Customer's direction; providing link analytics; securing, supporting, and operating the Services; and performing the Agreement.
AI model trainingOrdinal does not use, or permit its AI Sub-processors to use, Customer Personal Data to train or improve general or shared AI models, unless Customer expressly opts in or instructs otherwise in writing.
Duration and frequencyContinuous for the term of the Agreement and until deletion under Section 12.

C. Competent Supervisory Authority

The competent Supervisory Authority is determined under Clause 13 of the EU SCCs: the authority of Customer's EU establishment; the authority where its EU representative is established; or, if no representative is required, an authority where affected Data Subjects are located, as Customer identifies. For UK transfers, the authority is the UK Information Commissioner; for transfers exclusively subject to the FADP, the Swiss Federal Data Protection and Information Commissioner.

Annex II — Technical and Organizational Measures

Ordinal maintains commercially reasonable measures designed to protect Customer Personal Data. The measures may be updated provided the overall level of protection is not materially reduced.

MeasureDescription
Encryption and secretsEncryption is used in transit over public networks and at rest at the managed database and storage layer using industry-standard protocols and configurations. Secrets and integration credentials are stored in access-controlled secrets or credential stores.
Access controlAccess follows least-privilege and need-to-know principles and is limited to authorized personnel. Multi-factor authentication is used for privileged production and administrative access where technically available. Access is reviewed periodically based on risk.
PersonnelPersonnel with access to Customer Personal Data are subject to confidentiality obligations and receive security and privacy awareness appropriate to their roles.
Logging and monitoringRelevant application, authentication, and infrastructure events are logged and monitored. Alerting and investigation processes are used for material service errors and suspected security events.
Secure developmentChanges are version-controlled and subject to testing, review, and controlled deployment. Production and non-production environments are logically separated. Dependencies and material vulnerabilities are addressed on a risk-prioritized basis.
Incident responseDocumented procedures address detection, triage, containment, remediation, notification, and post-incident review of security incidents.
Availability and recoveryManaged infrastructure provides backup and recovery capabilities. Ordinal maintains recovery and continuity procedures appropriate to the nature and risk of the Services.
Physical securityOrdinal does not operate physical data centers. Physical and environmental controls are provided by its hosting and infrastructure Sub-processors.
Sub-processor governanceSub-processors are assessed before engagement and periodically thereafter based on risk, and are subject to written data protection obligations.

Annex III — Sub-processors

The following Sub-processors are authorized to Process Customer Personal Data. The current list is maintained on the Subprocessors page, which also lists providers supporting Assembly Labs Inc.'s controller-side activities; those providers are not Sub-processors under this DPA solely because they appear on that page.

Sub-processorPurposePrimary location
Vercel Inc.Application hosting and content delivery (serverless functions, edge network)United States
Supabase Inc.Managed database and user authenticationUnited States
Inngest Inc.Background job and event processingUnited States
Axiom, Inc.Application loggingUnited States
Functional Software, Inc. (Sentry)Error monitoringUnited States
Knock Labs, Inc.Notification deliveryUnited States
OpenAI, L.L.C.AI content generation and reviewUnited States
Anthropic PBCAI content generation and reviewUnited States
Liveblocks, Inc.Realtime collaboration, content, comments, and presenceUnited States
Dub Technologies, Inc.Link shortening and click analyticsUnited States

Annex IV — UK International Data Transfer Addendum

For restricted transfers subject to the UK GDPR, the EU SCCs completed in Section 10(b) are supplemented by the UK Addendum. The parties incorporate by reference Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with Section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Table 1 — Parties and start dateThe start date is the effective date of the Agreement. Exporter: Customer. Importer: Assembly Labs Inc. Party and key-contact details are in the Agreement and Annex I.
Table 2 — Selected EU SCCsThe EU SCCs incorporated in Section 10(b), including Module Two or Module Three as applicable and the elections stated there.
Table 3 — Appendix informationAnnex I.A and I.B: Annex I of this DPA. Annex II: Annex II of this DPA. Annex III: Annex III of this DPA.
Table 4 — Ending the AddendumThe Importer may end the UK Addendum as permitted by Section 19 of its Mandatory Clauses.