Dope Menus

Data Processing Agreement

Last Updated: January 2025

1. Introduction and Purpose

This Data Processing Agreement ("DPA") is entered into between Dope Menus, LLC ("Company," "Processor," "we," "us," or "our") and you ("Controller," "you," or "your"), the licensed cannabis business using our B2B collaborative platform (the "Platform" or "Services").

This DPA governs our processing of Personal Data (as defined below) on your behalf and supplements our Privacy Policy and Terms of Service. This DPA establishes the parties' respective responsibilities for compliance with applicable data protection laws, including the European Union General Data Protection Regulation ("GDPR"), California Consumer Privacy Act ("CCPA"), and other privacy regulations.

IMPORTANT NOTE: While the Platform is designed for Michigan-licensed cannabis businesses operating in the United States, this DPA provides data protection standards that align with international best practices to protect your business data and ensure regulatory compliance.

2. Definitions

For purposes of this DPA, the following terms have the meanings set forth below:

2.1 Core Data Protection Terms

  • "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to: names, email addresses, phone numbers, employee information, user credentials, and any other data that identifies or can be used to identify an individual.
  • "Processing" means any operation or set of operations performed on Personal Data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Data Controller" means you, the licensed cannabis business, who determines the purposes and means of the Processing of Personal Data. You are the Controller of Personal Data submitted to or collected through the Platform.
  • "Data Processor" means Dope Menus, LLC, who Processes Personal Data on behalf of and according to the instructions of the Controller. We are the Processor for Personal Data you submit to the Platform.
  • "Sub-processor" means any third-party service provider engaged by the Processor to Process Personal Data on behalf of the Controller, including cloud hosting providers, analytics services, POS integrations, and other vendors.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates, such as your employees, authorized users, or other individuals whose data you process through the Platform.
  • "Data Protection Laws" means all applicable laws and regulations relating to privacy, data protection, and data security, including GDPR, CCPA, and other federal, state, and local privacy regulations.

2.2 Additional Regulatory Terms

  • "Supervisory Authority" means any regulatory or governmental authority responsible for enforcing Data Protection Laws, such as state attorneys general or data protection agencies.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
  • "Standard Contractual Clauses" means the model clauses approved by the European Commission for the transfer of Personal Data to countries outside the EEA.

3. Roles and Responsibilities

3.1 Controller Responsibilities (Your Obligations)

As the Data Controller, you are responsible for:

  • Determining the purposes and means of Processing Personal Data through the Platform
  • Ensuring you have a lawful basis for Processing Personal Data under applicable Data Protection Laws
  • Obtaining all necessary consents, authorizations, and permissions from Data Subjects
  • Providing required privacy notices and disclosures to Data Subjects
  • Ensuring the accuracy, completeness, and legality of Personal Data submitted to the Platform
  • Complying with Data Subject rights requests (access, correction, deletion, etc.)
  • Instructing the Processor on how to Process Personal Data in compliance with applicable laws
  • Maintaining records of Processing activities as required by law
  • Ensuring data transfers comply with applicable cross-border transfer requirements

3.2 Processor Responsibilities (Our Obligations)

As the Data Processor, we are responsible for:

  • Processing Personal Data only on your documented instructions and for the purposes specified in this DPA
  • Implementing appropriate technical and organizational security measures (see Section 6)
  • Ensuring that personnel authorized to Process Personal Data are bound by confidentiality obligations
  • Assisting you with Data Subject rights requests to the extent feasible
  • Assisting you in ensuring compliance with data security, breach notification, and impact assessment obligations
  • Deleting or returning Personal Data upon termination of Services, as instructed
  • Making available to you information necessary to demonstrate compliance with this DPA
  • Engaging Sub-processors only with your authorization and under binding written agreements
  • Notifying you of Personal Data Breaches without undue delay

3.3 Limitation of Processor Liability for Controller Obligations

WE ARE NOT RESPONSIBLE FOR YOUR COMPLIANCE WITH DATA PROTECTION LAWS IN YOUR CAPACITY AS DATA CONTROLLER. You are solely responsible for: (a) determining whether your use of the Platform complies with applicable laws; (b) ensuring you have lawful bases for Processing; (c) obtaining required consents; and (d) providing required notices to Data Subjects. WE DO NOT PROVIDE LEGAL ADVICE regarding your compliance obligations.

4. Scope of Data Processing

4.1 Nature and Purpose of Processing

We Process Personal Data for the sole purpose of providing the Platform and Services to you in accordance with our Terms of Service, including:

  • User authentication, account management, and access control
  • Platform functionality including inventory management, order coordination, and analytics
  • Real-time collaboration and communication features
  • Integration with third-party services (POS systems, Metrc, etc.)
  • Customer support, technical assistance, and service improvements
  • Security monitoring, fraud detection, and incident response
  • Compliance with legal obligations, regulatory requirements, and law enforcement requests

4.2 Categories of Personal Data Processed

We Process the following categories of Personal Data on your behalf:

  • Account and User Data: Names, email addresses, phone numbers, usernames, job titles, and roles
  • Authentication Data: Encrypted passwords, multi-factor authentication tokens, session identifiers
  • Business Information: Business names, addresses, license numbers, EINs (for verification purposes only)
  • Transaction Data: Order details, purchase information, vendor/retailer relationships
  • Technical Data: IP addresses, device identifiers, browser information, log files, usage data
  • Communications Data: Messages, support inquiries, feedback, and in-platform communications
  • Integration Data: Data synchronized from POS systems, Metrc, and other third-party services

4.3 Categories of Data Subjects

Data Subjects whose Personal Data we Process include:

  • Your employees, contractors, and agents authorized to use the Platform
  • Your customers or business partners (to the extent their data is shared through the Platform)
  • Account administrators, managers, and end users
  • Support contact persons and authorized representatives

4.4 Duration of Processing

We Process Personal Data for the duration of your subscription to the Platform, plus any applicable retention period required by law or as necessary to resolve disputes, enforce agreements, or comply with audit requirements. Upon termination, we will delete or return Personal Data as described in Section 11.

5. Processing Instructions and Compliance

5.1 Instructions for Processing

We will Process Personal Data only in accordance with your documented instructions, unless required to do otherwise by applicable law. Your instructions are initially set forth in this DPA and our Terms of Service. You may issue additional written instructions that are consistent with this DPA by contacting us at privacy@dopemenus.com.

5.2 Compliance with Data Protection Laws

We will Process Personal Data in compliance with applicable Data Protection Laws. If we determine that we cannot comply with any instruction you provide, we will promptly inform you and may suspend Processing until the matter is resolved.

5.3 Unlawful Instructions

If we reasonably believe that any instruction you provide would violate applicable Data Protection Laws, we will inform you without undue delay and may refuse to comply with such instruction until you modify it to ensure compliance.

5.4 Confidentiality of Personal Data

We ensure that all personnel authorized to Process Personal Data are subject to binding confidentiality obligations, whether by contract, professional obligation, or statutory duty. Personnel are trained on data protection requirements and security best practices.

6. Security Measures

6.1 Technical and Organizational Measures

We implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of Processing, including protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. These measures include:

  • Encryption: Data in transit (TLS 1.2 or higher) and data at rest (AES-256 or equivalent)
  • Access Controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication
  • Authentication: Strong password requirements, session management, credential rotation
  • Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
  • Application Security: Secure coding practices, code reviews, vulnerability scanning, penetration testing
  • Data Backup: Regular encrypted backups with geographically distributed redundancy
  • Logging and Monitoring: Comprehensive audit logs, real-time security monitoring, anomaly detection
  • Physical Security: Secure data center facilities with restricted access (for cloud providers)
  • Incident Response: Documented incident response plan and security team
  • Employee Training: Regular security awareness training for all personnel

6.2 Security Standards and Certifications

We strive to maintain industry-standard security certifications and compliance frameworks, which may include: SOC 2 Type II, ISO 27001, or equivalent standards. Our cloud infrastructure providers (AWS, Google Cloud) maintain their own security certifications and compliance attestations.

6.3 Regular Security Assessments

We conduct regular security assessments, including:

  • Annual or semi-annual penetration testing by qualified third parties
  • Continuous vulnerability scanning and patch management
  • Regular security audits and risk assessments
  • Code security reviews and static/dynamic application security testing

6.4 Security Limitations

WHILE WE IMPLEMENT ROBUST SECURITY MEASURES, NO SYSTEM IS COMPLETELY SECURE. We cannot guarantee absolute security or prevent all unauthorized access, data breaches, or security incidents. You acknowledge the inherent risks of electronic data transmission and storage.

7. Sub-processors

7.1 Authorization to Use Sub-processors

You authorize us to engage Sub-processors to Process Personal Data on your behalf, provided that: (a) we impose data protection obligations on Sub-processors that are no less protective than those in this DPA; (b) we remain liable for the acts and omissions of Sub-processors; and (c) we provide you notice of new Sub-processors as described below.

7.2 Current Sub-processors

We currently use the following categories of Sub-processors:

  • Cloud Infrastructure Providers: Amazon Web Services (AWS), Google Cloud Platform, Vercel (hosting, storage, and computing resources)
  • Database Services: Supabase, PostgreSQL hosting providers (data storage and management)
  • Analytics Providers: Google Analytics, Mixpanel, Amplitude (usage analytics and performance monitoring)
  • Communication Services: Resend, SendGrid, Twilio (email delivery, SMS, video conferencing)
  • Security Services: Cloudflare (CDN, DDoS protection, security monitoring)
  • Payment Processors: Stripe or similar (payment processing for Platform fees, NOT cannabis transactions)
  • Customer Support Tools: Help desk and support ticketing systems
  • POS System Providers: Flowhub, Treez, BioTrack, LeafLogix (data integration and synchronization)
  • Compliance Systems: Metrc (Michigan seed-to-sale tracking integration)

A complete, up-to-date list of Sub-processors is available upon request by contacting privacy@dopemenus.com.

7.3 Notice of New Sub-processors

We will provide you with notice of any new Sub-processors before authorizing them to Process Personal Data. Notice will be provided via email to your account administrator or through Platform notification at least 30 days before the new Sub-processor begins Processing.

7.4 Objection to New Sub-processors

You may object to our use of a new Sub-processor on reasonable grounds relating to data protection by notifying us in writing within 30 days of receiving notice. If you object and we cannot accommodate your objection, either party may terminate the affected Services upon written notice.

7.5 Sub-processor Agreements

We ensure that all Sub-processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA, including obligations regarding security, confidentiality, data retention, and Sub-processor liability.

8. Data Subject Rights and Assistance

8.1 Data Subject Rights Under GDPR and CCPA

Data Subjects have certain rights under applicable Data Protection Laws, including:

  • Right of Access: Request access to their Personal Data
  • Right to Rectification: Correct inaccurate or incomplete Personal Data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of Personal Data
  • Right to Restriction: Request limitation of Processing activities
  • Right to Data Portability: Receive Personal Data in a structured, machine-readable format
  • Right to Object: Object to certain types of Processing (e.g., marketing)
  • Right to Withdraw Consent: Withdraw previously given consent
  • Right to Non-Discrimination (CCPA): Not be discriminated against for exercising privacy rights

8.2 Controller's Primary Responsibility

As the Data Controller, YOU ARE PRIMARILY RESPONSIBLE FOR RESPONDING TO DATA SUBJECT RIGHTS REQUESTS. Data Subjects should submit requests directly to you. We will provide reasonable assistance to help you fulfill these requests.

8.3 Processor Assistance

If we receive a Data Subject rights request directly, we will promptly forward it to you. Upon your reasonable request, we will assist you in responding to Data Subject rights requests by:

  • Providing access to Personal Data within our control
  • Correcting or updating Personal Data as instructed
  • Deleting or anonymizing Personal Data as instructed
  • Exporting Personal Data in a portable format where technically feasible
  • Restricting Processing as instructed

Such assistance will be provided to the extent technically and commercially feasible. We may charge reasonable fees for assistance that requires significant effort or resources beyond ordinary Platform functionality.

8.4 Response Timelines

We will use commercially reasonable efforts to respond to your requests for assistance within a reasonable timeframe, taking into account the nature and complexity of the request. You remain responsible for meeting legal deadlines for responding to Data Subjects (typically 30-45 days under GDPR/CCPA).

9. Personal Data Breach Notification

9.1 Breach Notification Obligation

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on your behalf. This notification timeline is intended to allow you to meet your own notification obligations to Supervisory Authorities and Data Subjects under applicable Data Protection Laws.

9.2 Breach Notification Contents

To the extent known at the time of notification, we will provide you with:

  • Description of the nature of the Personal Data Breach, including categories and approximate number of affected Data Subjects and Personal Data records
  • Name and contact information of our data protection officer or other point of contact for more information
  • Description of the likely consequences of the Personal Data Breach
  • Description of measures taken or proposed to address the breach and mitigate its adverse effects
  • Timeline of events and discovery of the breach
  • Any other information reasonably requested by you

9.3 Cooperation in Breach Response

We will cooperate with you and provide reasonable assistance in investigating the breach, mitigating harm, and complying with your notification obligations to authorities and Data Subjects. This includes providing additional information as it becomes available and responding to reasonable inquiries.

9.4 Controller Notification Responsibility

YOU REMAIN RESPONSIBLE FOR DETERMINING WHETHER A PERSONAL DATA BREACH REQUIRES NOTIFICATION TO SUPERVISORY AUTHORITIES OR DATA SUBJECTS UNDER APPLICABLE LAWS. We do not assume responsibility for assessing legal notification requirements or making notifications on your behalf, except as expressly agreed in writing.

10. Data Protection Impact Assessments and Prior Consultation

10.1 DPIA Assistance

If you are required to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35 or similar assessments under other Data Protection Laws, we will provide reasonable assistance by:

  • Providing information about our Processing activities and security measures
  • Describing the technical and organizational measures we have implemented
  • Answering reasonable questions about our data protection practices
  • Reviewing portions of your DPIA that relate to our Processing activities

10.2 Prior Consultation

If you are required to consult with a Supervisory Authority regarding high-risk Processing, we will provide reasonable assistance and information to support your consultation. You are responsible for conducting the consultation and meeting legal requirements.

11. Data Retention and Deletion

11.1 Retention During Services

During the term of your subscription, we will retain Personal Data as necessary to provide the Services and as required by applicable law, regulation, or legal obligations (e.g., Michigan cannabis record retention requirements, tax compliance).

11.2 Deletion Upon Termination

Upon termination or expiration of your subscription, we will, at your election, either:

  • Delete: Securely delete all Personal Data Processed on your behalf within a reasonable timeframe (typically 90 days after termination), except as required to be retained by law; or
  • Return: Return Personal Data to you in a commonly used, machine-readable format upon written request made within 30 days of termination

11.3 Exceptions to Deletion

We may retain Personal Data to the extent required by applicable law, regulation, legal process, or to comply with legitimate business interests such as:

  • Compliance with Michigan cannabis regulatory record retention requirements (typically 7 years)
  • Resolution of disputes, enforcement of agreements, or litigation holds
  • Audit trails required for financial, tax, or regulatory compliance
  • Backup systems (deleted during normal backup rotation cycles)

11.4 Certification of Deletion

Upon your written request, we will provide written certification that Personal Data has been deleted or returned as instructed, subject to the exceptions described in Section 11.3.

12. International Data Transfers

12.1 Data Storage and Processing Location

Personal Data is primarily stored and Processed in the United States using cloud infrastructure providers with data centers located in the U.S. Some Sub-processors may Process Personal Data in other countries as part of their service delivery.

12.2 Transfers Outside the EEA (if applicable)

To the extent that we Process Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland, we will ensure appropriate safeguards are in place for such transfers, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules or other approved transfer mechanisms
  • Supplementary measures to ensure adequate data protection

12.3 U.S.-Based Platform Notice

IMPORTANT: THE PLATFORM IS DESIGNED FOR MICHIGAN-LICENSED CANNABIS BUSINESSES OPERATING WITHIN THE UNITED STATES. We do not intentionally collect or Process Personal Data from individuals located in the EEA. If you are accessing the Platform from outside the United States, you acknowledge that Personal Data will be transferred to, stored, and Processed in the United States.

13. Audit Rights

13.1 Information and Audit Rights

We will make available to you information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. This may include:

  • Security policies, procedures, and documentation
  • Certifications, audit reports, and compliance attestations (e.g., SOC 2 reports)
  • Sub-processor lists and agreements
  • Responses to reasonable written inquiries about our data protection practices

13.2 On-Site Audits

Upon reasonable written notice (not less than 60 days) and no more than once per year, you or your authorized representative may conduct an audit or inspection of our data protection practices, subject to the following conditions:

  • Audits must be conducted during normal business hours and at mutually agreed times
  • Audits must be limited in scope to matters directly relating to this DPA and our Processing of your Personal Data
  • Auditors must be bound by confidentiality obligations and not competitors of ours
  • You will bear all costs associated with the audit
  • Audits must not disrupt our operations or compromise security
  • You will provide reasonable advance notice of audit scope and objectives

13.3 Alternative Compliance Verification

In lieu of an on-site audit, you may accept third-party audit reports, certifications, or attestations (such as SOC 2 Type II reports) as evidence of our compliance with this DPA, provided such reports are relevant and current (not more than 12 months old).

13.4 Remediation of Findings

If an audit reveals non-compliance with this DPA, we will work with you to develop and implement a reasonable remediation plan within an agreed timeframe. We will provide regular updates on remediation progress.

14. Liability and Indemnification

14.1 Allocation of Liability

Each party shall be liable for damages caused by its failure to comply with this DPA or applicable Data Protection Laws, subject to the limitations of liability set forth in our Terms of Service. In the event of joint liability under Data Protection Laws, the parties shall bear liability in proportion to their respective degrees of responsibility for the damage.

14.2 Processor Liability for Sub-processors

We shall be liable for the acts and omissions of our Sub-processors to the same extent we would be liable if performing the services of each Sub-processor directly under this DPA. We will enter into written agreements with Sub-processors imposing obligations no less protective than those in this DPA.

14.3 Controller Indemnification

You agree to indemnify, defend, and hold us harmless from and against any claims, damages, losses, liabilities, and expenses (including reasonable attorneys' fees) arising from or related to:

  • Your breach of this DPA or violation of Data Protection Laws in your capacity as Controller
  • Your failure to obtain required consents, authorizations, or provide required notices to Data Subjects
  • Your Processing instructions that violate applicable laws
  • Your failure to respond to Data Subject rights requests or Supervisory Authority inquiries
  • Any inaccurate, incomplete, or unlawful Personal Data you provide to us

14.4 Limitations of Liability

EXCEPT FOR LIABILITIES THAT CANNOT BE LIMITED UNDER APPLICABLE LAW, THE TOTAL LIABILITY OF EITHER PARTY ARISING OUT OF OR RELATED TO THIS DPA SHALL BE SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN OUR TERMS OF SERVICE. Nothing in this DPA excludes or limits either party's liability for fraud, gross negligence, or willful misconduct.

15. Term, Termination, and Survival

15.1 Term

This DPA shall remain in effect for as long as we Process Personal Data on your behalf in connection with the Services, and shall automatically renew for successive terms coextensive with the Terms of Service.

15.2 Termination

This DPA shall terminate automatically upon termination or expiration of the Terms of Service. Either party may terminate this DPA upon written notice if the other party materially breaches this DPA and fails to cure such breach within 30 days of receiving written notice.

15.3 Effect of Termination

Upon termination, we will cease all Processing of Personal Data and comply with the data deletion or return provisions set forth in Section 11. Termination does not relieve either party of obligations that accrued prior to termination.

15.4 Survival

The following provisions shall survive termination: Sections 6 (Security Measures, to the extent data is retained), 11 (Data Retention and Deletion), 14 (Liability and Indemnification), and this Section 15.

16. General Provisions

16.1 Amendments

We may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or our data processing practices. Material changes will be communicated via email or Platform notification at least 30 days before taking effect.

16.2 Relationship to Terms of Service

This DPA supplements and forms part of our Terms of Service. In the event of any conflict between this DPA and the Terms of Service specifically regarding data processing and protection, the provisions of this DPA shall prevail.

16.3 Governing Law

This DPA shall be governed by the laws of the State of Michigan and applicable federal laws of the United States, without regard to conflict of law principles. However, the interpretation and application of Data Protection Laws (such as GDPR) shall be governed by the laws of the relevant jurisdiction.

16.4 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

17. Contact Information

For questions, concerns, or requests regarding this Data Processing Agreement, please contact:

Dope Menus, LLC
Data Protection Officer / Privacy Department
Email: privacy@dopemenus.com or dpo@dopemenus.com
B2B Collaborative Platform for Michigan's Cannabis Industry

We will respond to DPA inquiries within 30 days of receipt. For urgent data protection matters, please mark your communication as "URGENT" in the subject line.

This Data Processing Agreement is effective as of January 2025. By using the Platform, you acknowledge that you have read, understood, and agree to the data processing terms set forth in this DPA.