Become a Shareholder Today Ahead of Our Planned Nasdaq Listing under Ticker 'GOTV'
Invest Now
Invest Now
FullPAC Data Processing Agreement
Last Modified: June [2], 2026
This Data Processing Agreement (this “DPA”) is incorporated by reference into the Onboarding Services Agreement, Terms of Service, or other written agreement between FullPAC, Inc., a Nevada corporation (together with its subsidiaries and affiliates, “FullPAC”), and the client identified in such agreement (“Client”) under which FullPAC provides services (the “Services” and the “Underlying Agreement”). This DPA governs FullPAC’s processing of Personal Data (as defined below) in its capacity as a service provider, processor, or equivalent role on Client’s behalf in connection with the Services. Capitalized terms used but not defined in this DPA have the meanings given in the Underlying Agreement.
By entering into the Underlying Agreement, Client acknowledges and agrees to the terms of this DPA.
1.1 “Affiliate” means an entity that controls, is controlled by, or is under common control with a party.
1.2 “Applicable Privacy Law” means United States federal and state privacy and data protection laws applicable to the Processing of Personal Data under the Underlying Agreement, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other comprehensive state privacy laws applicable to the Processing.
1.3 “Controller” means the entity that determines the purposes and means of Processing Personal Data, including a "business" under the CCPA and any equivalent role under other Applicable Privacy Law.
1.4 “FullPAC Privacy Policy” means the privacy policy posted on the FullPAC Sites, as it may be updated from time to time.
1.5 “FullPAC Sites” has the meaning given in the FullPAC Privacy Policy.
1.6 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, that (a) Client provides to FullPAC, or (b) FullPAC Processes on Client’s behalf in connection with the Services. Personal Data does not include:
(i) information that FullPAC collects, uses, or discloses in its capacity as a Controller, including information collected through the FullPAC Sites in connection with Client’s or its representatives’ use of the Services, which is governed by the FullPAC Privacy Policy; or
(ii) data that FullPAC makes available to Client as a separate product, license, or transaction, including voter file records, contributor records, and similar data products, which are governed by the applicable license, product, or other terms.
1.7 “Process” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
1.8 “Processor” means the entity that Processes Personal Data on behalf of a Controller, including a “service provider” or “contractor” under the CCPA and any equivalent role under other Applicable Privacy Law.
1.9 “Security Incident” means a confirmed breach of FullPAC's security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data Processed under this DPA. Security Incident does not include unsuccessful access attempts or similar events that do not result in unauthorized access to Personal Data.
1.10 “Sub-processor” means a third party engaged by FullPAC to Process Personal Data on Client’s behalf.
2.1 Roles. With respect to the Processing of Personal Data under this DPA, Client is the Controller and FullPAC is the Processor.
2.2 Scope. This DPA applies only to Personal Data as defined in Section 1.6. Personal information that FullPAC collects, uses, or discloses in its capacity as a Controller is governed by the FullPAC Privacy Policy and not by this DPA. Data that FullPAC sells, licenses, or otherwise transfers to Client as a product is governed by the applicable license, product, or other terms and is outside the scope of this DPA.
2.3 Additional regulatory frameworks. The parties acknowledge that certain categories of data Processed under this DPA may be subject to regulatory frameworks in addition to Applicable Privacy Law, including state and federal election law, the Telephone Consumer Protection Act and related rules, the CAN-SPAM Act, and laws governing the use of voter registration data and contributor information. Each party is responsible for compliance with all regulatory frameworks applicable to data within its control.
3.1 Representations and warranties. Client represents and warrants that:
(a) it is the Controller of all Personal Data it provides to FullPAC or directs FullPAC to Process;
(b) it has provided all notices and obtained all consents, authorizations, and other legal bases required under Applicable Privacy Law for the Processing of Personal Data by FullPAC in connection with the Services, including any heightened consents required for sensitive personal information and any consents required for communications with data subjects;
(c) its instructions to FullPAC, and the Processing it directs FullPAC to perform, comply with Applicable Privacy Law and any other regulatory frameworks applicable to the Personal Data, including state and federal election law, the Telephone Consumer Protection Act and related rules, the CAN-SPAM Act, applicable state laws governing the use of voter registration data and contributor information, and federal and state laws and rules governing the disclosure of artificial-intelligence-generated content in political and other communications; and
(d) it will not transfer to FullPAC, or direct FullPAC to Process, Personal Data of data subjects located in the European Economic Area, the United Kingdom, or Switzerland.
3.2 Accuracy and legality. Client is solely responsible for the accuracy, quality, and legality of Personal Data it provides to FullPAC.
4.1 Documented instructions. FullPAC will Process Personal Data only (a) in accordance with Client's documented instructions, including as set forth in the Underlying Agreement, this DPA, and Client's use of the Services, (b) as necessary to provide the Services, or (c) as required by applicable law, in which case FullPAC will, where legally permitted, notify Client of the legal requirement before Processing.
4.2 Confidentiality. FullPAC will ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and have received appropriate training regarding the requirements of this DPA.
4.3 Service provider restrictions under CCPA. With respect to Personal Data subject to the CCPA, FullPAC will not:
(a) Sell or Share (each as defined in the CCPA) Personal Data;
(b) retain, use, or disclose Personal Data for any purpose other than the specific business purpose of performing the Services, or as otherwise permitted by the CCPA;
(c) retain, use, or disclose Personal Data outside the direct business relationship between FullPAC and Client;
(d) combine Personal Data received from Client with personal information FullPAC receives from any other source, except as permitted by the CCPA and its implementing regulations for the purpose of performing the Services; or
(e) Process Personal Data for cross-context behavioral advertising on Client’s behalf.
FullPAC certifies its understanding of the restrictions in this Section 4.3 and its agreement to comply with them. FullPAC will notify Client promptly if it determines that it can no longer meet its obligations under the CCPA, and Client may take reasonable and appropriate steps to stop and remediate any unauthorized Processing.
4.4 Equivalent obligations under other Applicable Privacy Law. With respect to Personal Data subject to other Applicable Privacy Law, FullPAC will comply with the obligations of a processor or equivalent role under such law, including limitations on use and disclosure, cooperation with Controller obligations, and engagement of Sub-processors.
5.1 Safeguards. FullPAC will implement and maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Data against Security Incidents. These safeguards will be informed by the nature of the Personal Data Processed and the risks presented by the Processing, and will include, at a minimum, the categories of measures described in Annex 1 (Technical and Organizational Measures).
5.2 Information about safeguards. FullPAC will make available to Client, upon reasonable request, a description of the technical and organizational measures then in place to protect Personal Data.
6.1 Notice. FullPAC will notify Client of a Security Incident without undue delay and in any event within seventy-two (72) hours after FullPAC becomes aware of the Security Incident.
6.2 Content of notice. FullPAC's notification will include, to the extent then known to FullPAC and as additional information becomes available:
(a) a description of the nature of the Security Incident;
(b) the categories and approximate volume of Personal Data affected;
(c) the likely consequences of the Security Incident;
(d) the measures taken or proposed to address the Security Incident and mitigate its effects; and
(e) the contact point for further information.
6.3 Cooperation. FullPAC will provide reasonable cooperation and assistance to Client in connection with Client's obligations under Applicable Privacy Law to investigate, remediate, and provide notice to regulators or affected data subjects with respect to the Security Incident.
6.4 No admission. FullPAC’s notification of, or response to, a Security Incident is not an acknowledgment by FullPAC of any fault or liability with respect to the Security Incident.
7.1 General authorization. Client provides FullPAC with general authorization to engage Sub-processors to Process Personal Data, subject to this Section 7.
7.2 Current Sub-processors. A current list of Sub-processors engaged by FullPAC is maintained at [URL TO BE PROVIDED] (the “Sub-processor List”). The Sub-processor List identifies each Sub-processor and the Processing activities it performs.
7.3 New Sub-processors. FullPAC will provide Client with notice of any addition to or replacement of Sub-processors by updating the Sub-processor List, and where reasonably practicable, by separate notice through the Services or by email to Client’s designated contact, at least thirty (30) days before the new Sub-processor begins Processing Personal Data. During the notice period, Client may object to the engagement of the new Sub-processor on reasonable grounds related to data protection. If Client and FullPAC cannot resolve the objection through good-faith discussion, Client may, as its exclusive remedy, terminate the affected portion of the Services upon notice to FullPAC, without further liability beyond fees accrued through the date of termination.
7.4 Sub-processor obligations. FullPAC will enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective of Personal Data than those imposed on FullPAC under this DPA.
7.5 Liability. FullPAC remains liable to Client for the acts and omissions of its Sub-processors with respect to Personal Data as if they were FullPAC’s own.
8.1 Cooperation. Taking into account the nature of the Processing, FullPAC will assist Client by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling Client's obligations to respond to requests from data subjects exercising rights under Applicable Privacy Law (each, a “Data Subject Request”).
8.2 Requests received by FullPAC. Where FullPAC receives a Data Subject Request directly from a data subject regarding Personal Data Processed on Client’s behalf, FullPAC will:
(a) take any action that is within FullPAC’s independent authority or responsibility, including, where applicable, adding the relevant identifier to a FullPAC-maintained suppression or do-not-contact list;
(b) where the Client is identifiable, promptly notify the Client of the request; and
(c) where appropriate, direct the data subject to the Client for substantive resolution.
This Section 8.2 reflects the practice described in the FullPAC Privacy Policy.
8.3 Suppression list carve-out. The parties acknowledge that FullPAC maintains suppression and do-not-contact lists in connection with its compliance obligations under the Telephone Consumer Protection Act and related rules, the CAN-SPAM Act, and other applicable laws. Identifiers added to such lists, and the fact of suppression, are FullPAC’s own records maintained in its capacity as a Controller and are not subject to the deletion, return, or other Processor obligations of this DPA. FullPAC may retain and use such records indefinitely to honor opt-out requests, and may apply such suppression on a cross-client basis as appropriate to satisfy its compliance obligations.
9.1 Information on request. FullPAC will make available to Client, on reasonable request, information necessary to demonstrate compliance with this DPA, which may include written responses to reasonable information requests, copies of relevant audit reports or certifications, or other documentation.
9.2 Further audit activity. Where Client reasonably requires audit activity beyond the information described in Section 9.1 to demonstrate compliance with Applicable Privacy Law, the parties will discuss in good faith the scope, timing, and cost of such activity. Audits requested by Client beyond the information described in Section 9.1 will be conducted no more than once per twelve-month period (except in the case of a Security Incident or as required by a regulator), with reasonable advance notice, during regular business hours, and at Client’s expense.
9.3 Limits. Audits will not unreasonably interfere with FullPAC’s business operations and will be subject to FullPAC’s reasonable confidentiality and security requirements.
FullPAC Processes Personal Data within the United States. FullPAC does not direct, target, or solicit business from data subjects in the European Economic Area, the United Kingdom, or Switzerland. As described in Section 3.1(d), Client represents and warrants that it will not transfer to FullPAC, or direct FullPAC to Process, Personal Data of data subjects located in those jurisdictions.
11.1 Term. This DPA takes effect on the effective date of the Underlying Agreement and continues for the duration of the Underlying Agreement.
11.2 Return or deletion. Upon termination of the Underlying Agreement, FullPAC will, at Client’s election and within a reasonable period, return to Client or delete Personal Data Processed on Client’s behalf, except as set forth in Section 11.3.
11.3 Exceptions. Notwithstanding Section 11.2, FullPAC may retain Personal Data:
(a) to the extent retention is required by applicable law, regulation, or legal process;
(b) for the establishment, exercise, or defense of legal claims;
(c) in the form of suppression and do-not-contact list records, as described in Section 8.3;
(d) in the form of aggregated or de-identified information from which Personal Data has been irreversibly removed, provided that FullPAC will not attempt to re-identify such information; and
(e) in routine backup media, until such media is overwritten or destroyed in the ordinary course of FullPAC's business, during which period the retained Personal Data will not be Processed for any purpose other than backup, restoration, or as required by law.
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Underlying Agreement.
In the event of a conflict between this DPA and the Underlying Agreement with respect to the Processing of Personal Data, this DPA controls. In all other respects, the Underlying Agreement controls.
FullPAC may modify this DPA from time to time as necessary to reflect changes in Applicable Privacy Law, FullPAC's business or business practices, or for other reasonable business purposes, in accordance with the modification provisions of the Underlying Agreement. Notice of changes will be provided as set forth in the Underlying Agreement, and the modified DPA will be posted on the FullPAC Sites. The version of this DPA posted on the FullPAC Sites controls over any other copy, including any printed or PDF version.
Notices to FullPAC under this DPA will be sent to:
FullPAC, Inc. Attn: Privacy
1206 Laskin Road, Suite 201-o
Virginia Beach, Virginia 23451
Email: privacy@fullpac.com
Notices to Client will be sent to the contact information designated in the Underlying Agreement.
FullPAC implements and maintains the following categories of technical and organizational measures designed to protect Personal Data:
A more detailed description of the technical and organizational measures then in place is available to Client upon reasonable request.
The Processing activities carried out by FullPAC under this DPA may be described as follows:
