
Romulus, Inc. — Data Processing Addendum

Effective Date: March 27, 2026
Last Updated: March 27, 2026

This Data Processing Addendum ("DPA") supplements and forms part of the SaaS Services Agreement or other written agreement (the "Agreement") between Romulus, Inc., a Delaware corporation ("Company," "Processor," "we," or "us"), and the entity identified as Customer in the Agreement ("Customer," "Controller," or "you") under which Company provides the Sevrel platform and related services (the "Services"). Capitalized terms not defined herein have the meanings given in the Agreement.

This DPA applies to the extent that Company processes Personal Data on behalf of Customer in connection with the Services. By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its authorized users.


1. Definitions

"Data Protection Laws" means all applicable laws, regulations, and binding guidance relating to the processing of Personal Data, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.) ("CCPA/CPRA"), and any other applicable US state privacy laws, in each case as amended, superseded, or replaced from time to time.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Company on behalf of Customer in connection with the Services.

"Processing" (and its derivatives) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, combination, restriction, erasure, or destruction.

"Security Breach" means any confirmed unauthorized access to, or acquisition of, Personal Data that compromises the security, confidentiality, or integrity of such Personal Data.

"Sub-processor" means any third party engaged by Company to process Personal Data on behalf of Customer.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021.


2. Scope and Roles

2.1 With respect to Personal Data uploaded to or processed through the Services by Customer, Customer is the Controller and Company is the Processor. Company processes Personal Data solely on behalf of and in accordance with Customer's documented instructions as set forth in this DPA and the Agreement.

2.2 With respect to account registration data, billing information, and Company's own website analytics, Company is an independent Controller. The processing of such data is governed by Company's Privacy Policy at sevrel.com/privacy.

2.3 The subject matter, duration, nature, and purpose of processing, the types of Personal Data processed, and the categories of data subjects are described in Annex I to this DPA.


3. Customer Instructions

3.1 Company shall process Personal Data only in accordance with Customer's documented instructions, unless required to do so by applicable law, in which case Company shall inform Customer of such legal requirement before processing (unless prohibited by law from doing so).

3.2 Customer's instructions for processing Personal Data are set forth in the Agreement and this DPA. Customer may issue additional written instructions consistent with the terms of the Agreement. Any additional instructions that fall outside the scope of the Agreement shall require a separate written agreement and may be subject to additional fees.

3.3 Company shall promptly inform Customer if, in Company's opinion, an instruction from Customer infringes Data Protection Laws.


4. Confidentiality

4.1 Company shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory).

4.2 Company shall not disclose Personal Data to any third party except as authorized by this DPA, the Agreement, or Customer's written instructions.


5. Security Measures

5.1 Company shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including at minimum:

  1. Encryption of Personal Data at rest using AES-256 or equivalent and in transit using TLS 1.2 or higher.
  2. Role-based access controls limiting access to Personal Data to authorized personnel with a demonstrated business need.
  3. Multi-factor authentication for administrative access to production systems.
  4. Annual penetration testing conducted by a qualified independent third party, with material findings remediated promptly.
  5. Security event monitoring and logging with a minimum 90-day retention period for security logs.
  6. Background checks for personnel with access to Personal Data in production environments.
  7. Logical separation of Customer data from other customers' data within the Services.

5.2 Company shall regularly test, assess, and evaluate the effectiveness of these measures and shall update them as reasonably necessary to maintain appropriate security levels.


6. Sub-processors

6.1 Customer hereby provides general written authorization for Company to engage Sub-processors to process Personal Data. A current list of Sub-processors is maintained at sevrel.com/subprocessors.

6.2 Company shall notify Customer by email of any intended changes to Sub-processors (additions or replacements) at least thirty (30) days before authorizing such Sub-processor to process Personal Data. Customer may object to a new Sub-processor on reasonable grounds by notifying Company in writing within fifteen (15) business days of receipt of Company's notice. If Customer objects and the parties cannot resolve the objection within thirty (30) days, either party may terminate the affected Services upon written notice.

6.3 Company shall impose on each Sub-processor, by written contract, data protection obligations no less protective than those set forth in this DPA. Company remains fully liable for the acts and omissions of its Sub-processors to the same extent as if Company were performing the processing directly.


7. Data Subject Rights

7.1 Company shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws ("Data Subject Requests").

7.2 If Company receives a Data Subject Request directly, Company shall promptly redirect the data subject to Customer and notify Customer of such request, unless prohibited by law.

7.3 Company shall not independently respond to a Data Subject Request except upon Customer's documented instructions or as required by applicable law.


8. Security Breach Notification

8.1 Company shall notify Customer of any Security Breach without undue delay and in any event within seventy-two (72) hours of substantiation. Such notification shall include, to the extent reasonably available: (a) the nature of the breach, including categories and approximate number of data subjects and Personal Data records affected; (b) the name and contact details of Company's designated privacy contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate potential adverse effects.

8.2 Company shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each Security Breach. Company shall preserve all records and evidence relating to a Security Breach for a minimum of thirty-six (36) months following the breach.

8.3 Notification of a Security Breach pursuant to this Section is not and shall not be construed as an acknowledgement of fault or liability.


9. Data Protection Impact Assessments

Company shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer is required to conduct under Data Protection Laws, to the extent such assessments relate to Company's processing of Personal Data.


10. Audit Rights

10.1 Company shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Company's compliance may be verified through the following tiered approach:

  1. Tier 1 (Primary): Upon written request (no more than once annually), Company shall provide Customer with a copy of its most recent SOC 2 Type II report and/or ISO 27001 certification (or equivalent third-party audit report), under a separate confidentiality agreement or under the confidentiality provisions of the Agreement.
  2. Tier 2 (Supplementary): Upon written request (no more than once annually), Company shall respond to a reasonable written security questionnaire from Customer, limited to matters related to Company's processing of Personal Data and compliance with this DPA.
  3. Tier 3 (For Cause): If Customer has reasonable grounds to believe that Company is not in compliance with this DPA, or following a Security Breach, Customer or its qualified independent auditor may conduct an on-site inspection of Company's facilities and systems relevant to the processing, subject to: thirty (30) days' advance written notice, during business hours, at Customer's expense, under appropriate confidentiality obligations, and limited in scope to DPA compliance. Company may object to an auditor if the auditor is a direct competitor of Company, in which case Customer shall appoint an alternative auditor.

11. International Data Transfers

11.1 To the extent that Company processes Personal Data originating from the European Economic Area ("EEA"), United Kingdom, or Switzerland in a country not subject to an adequacy decision, Company shall ensure an appropriate transfer mechanism is in place. Company relies on the following mechanisms:

  1. EU-U.S. Data Privacy Framework: Company has self-certified (or will self-certify prior to processing EEA Personal Data) under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.
  2. Standard Contractual Clauses: As a supplementary measure, the parties agree that the SCCs (Module 2: Controller-to-Processor) are hereby incorporated by reference into this DPA. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum shall apply. Customer is the "data exporter" and Company is the "data importer."

11.2 Company shall promptly inform Customer if it becomes aware of any change in law or circumstance that may materially affect its ability to comply with the transfer mechanisms in this Section.


12. Data Retention and Deletion

12.1 Upon termination or expiration of the Agreement, Company shall make Customer's Personal Data available for electronic export in a commonly used format for a period of thirty (30) days. After such period, Company shall delete all copies of Personal Data in its possession or control within ninety (90) days, except to the extent that retention is required by applicable law or for the establishment, exercise, or defense of legal claims.

12.2 Upon Customer's written request, Company shall provide written certification of deletion.

12.3 The foregoing does not apply to Aggregated Data (as defined in the Agreement) or data that has been fully de-identified such that it no longer constitutes Personal Data under applicable law.


13. CCPA/CPRA Provisions

13.1 To the extent Company processes Personal Data subject to the CCPA/CPRA on behalf of Customer, Company is a "Service Provider" as defined in Cal. Civ. Code § 1798.140(ag).

13.2 Company shall not sell or share (as those terms are defined under the CCPA/CPRA) Personal Data received from Customer. Company shall not retain, use, or disclose Personal Data for any purpose other than performing the Services specified in the Agreement, or as otherwise permitted by the CCPA/CPRA for Service Providers.

13.3 Company shall not combine Personal Data received from Customer with Personal Data received from or on behalf of another person or entity, or collected from Company's own interactions with consumers, except as permitted by the CCPA/CPRA.

13.4 Company shall assist Customer in responding to verifiable consumer requests under the CCPA/CPRA and shall provide Customer with information in Company's possession reasonably necessary to enable Customer to respond to such requests.

13.5 Company grants Customer the right to take reasonable and appropriate steps to help ensure that Company uses Personal Data in a manner consistent with Customer's obligations under the CCPA/CPRA. If Company determines that it can no longer meet its obligations under the CCPA/CPRA, Company shall promptly notify Customer.


14. Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement, except that the liability carve-outs for data security breaches, confidentiality obligations, gross negligence, and willful misconduct specified in the Agreement shall apply to this DPA.


15. General

15.1 This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, unless otherwise required by Data Protection Laws.

15.2 In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail.

15.3 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

15.4 This DPA shall automatically terminate upon termination or expiration of the Agreement, subject to the survival of Sections 8 (Security Breach Notification), 10 (Audit Rights), 12 (Data Retention and Deletion), and 14 (Liability).


Annex I — Details of Processing

Subject Matter: Processing of Personal Data in connection with Company's provision of the Sevrel AI-powered document retrieval and analysis platform for commercial real estate workflows.
Duration: For the term of the Agreement, plus any post-termination retention period specified herein.
Nature & Purpose: Storage, retrieval, analysis, and AI-powered processing of commercial real estate documents; user authentication and access management; email and calendar integration; analytics and product improvement; support and issue resolution.
Types of Personal Data: Names, email addresses, phone numbers, job titles, company affiliations, IP addresses, device identifiers, authentication credentials, user activity logs, documents and files uploaded by Customer (which may contain personal data of Customer's tenants, employees, or business contacts), email content processed through integrations, calendar event data, and session telemetry.
Data Subjects: Customer's employees and authorized users; individuals whose personal data is contained within documents uploaded to the Services (which may include tenants, property owners, vendors, brokers, investors, and other commercial real estate industry participants).

Annex II — Technical and Organizational Measures

Company maintains the following measures, as further described in Section 5:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Role-based access controls with principle of least privilege
  • Multi-factor authentication for production and administrative access
  • Annual third-party penetration testing
  • Continuous security event monitoring and alerting
  • 90-day minimum security log retention
  • Employee background checks and confidentiality agreements
  • Logical tenant data separation
  • Regular vulnerability scanning and patch management
  • Incident response plan with documented procedures
  • Business continuity and disaster recovery capabilities
  • Secure software development lifecycle practices

Annex III — Sub-processors

A current list of Sub-processors is maintained at sevrel.com/subprocessors and is incorporated herein by reference.


Romulus, Inc.

14101 NW 4th St, Sunrise, Florida 33325

privacy@sevrel.com

To execute this DPA, Customer may countersign the Agreement (which incorporates this DPA by reference) or send a signed copy of this DPA to legal@sevrel.com.

© 2026 Romulus, Inc. All rights reserved.