How RAD CRM processes personal data on behalf of its customers under the Agreement.
This Data Processing Addendum (this "DPA") forms part of and supplements the Rad CRM Terms of Service Agreement (the "Agreement"), the Website Terms of Use (the "Website Terms"), and the Rad CRM Privacy Policy (the "Privacy Policy"), each between Rad CRM, LLC ("Processor") and Customer ("Controller"), and applies to the extent Processor processes Personal Data on behalf of Controller in connection with the Service. Processor and Controller are each individually a "Party" and collectively the "Parties." Unless otherwise defined in this DPA, all capitalized terms have the meanings ascribed to them in the Agreement or, if not defined therein, the Website Terms or Privacy Policy.
WHEREAS, Processor and Controller have entered into and agreed to be bound by the terms of the Agreement; WHEREAS, Controller has read, understands, and agrees to the Processor's Website Terms and Privacy Policy; and WHEREAS, the Parties wish to set forth the terms under which Controller gives Processor permission to Process certain data that the Controller submits to and through the Service. NOW THEREFORE, in consideration of the mutual promises, covenants, terms, and conditions set forth herein, the Parties agree as follows.
Customer is either a Controller of Customer Personal Data, or a Processor of Customer Personal Data acting on another Controller's behalf (e.g., Customer's Affiliate) while passing down relevant processing instructions to Processor. Processor processes Customer Personal Data solely on behalf of Controller and in accordance with Controller's Documented Instructions, including as set forth in the Website Terms and the Privacy Policy.
The term of this DPA coincides with the Term of the Agreement and terminates upon expiration or termination of the Agreement (or, if later, the date on which Processor ceases all Processing of Customer Personal Data).
3.1. This DPA, the Agreement, and Customer's use of the Service (including relevant configurations and settings) and any related Support Services constitute Customer's documented instructions regarding Processor's processing of Customer Personal Data (the "Documented Instructions").
3.2. Processor will process Personal Data only: to provide and support the Services and any Support Services requested by Controller; as instructed by Controller; and/or in any manner required by applicable law, regulation, or in cooperation with a legal court or law enforcement order.
3.3. Processor will not sell Customer Personal Data or use it for its own independent commercial purposes.
3.4. Controller authorizes Processor to engage Sub-processors to support the Services. Company will impose data protection obligations on Sub-processors that are no less protective than those set forth in this DPA and remains responsible for their performance.
3.5. Controller represents, warrants, and acknowledges that: all Documented Instructions comply with all Applicable Data Protection Laws; it is responsible for determining whether the Service is appropriate for the Processing of Customer Data; it has all necessary rights, consents, and legal bases to provide Personal Data to Processor; it has provided all required notices to relevant Data Subjects; it will comply with all applicable laws and regulations; and it is solely responsible for the content and legality of all Customer Personal Data.
Processor will use commercially reasonable efforts to ensure that all personnel and Subcontractors authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and the reasonable administrative, technical, and organizational safeguards described in Section 5.1 below.
Processor has implemented and will maintain appropriate, commercially reasonable technical and organizational safeguard measures designed to protect the security, confidentiality, integrity, and availability of Customer Personal Data and protect against Security Incidents. Controller is responsible for configuring the Service and using available features to maintain appropriate security. The Company's current measures are described in Schedule 1. Processor may update or modify the Security Measures from time to time, provided such updates do not materially decrease the overall security of the Service during a Subscription Term. No security measures are 100% secure, although Processor will make best commercially reasonable efforts to keep Customer Personal Data secure.
Processor will notify Controller without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a confirmed Security Incident that leads to a breach of Customer Personal Data. Processor must make reasonable efforts to identify the cause, mitigate the effects, and remediate the cause to the extent within its reasonable control, and will assist Controller in meeting its notification obligations. Any notification is not an acknowledgment of fault or liability.
Processor will provide reasonable assistance to Controller in responding to Data Subject requests. If Processor receives a request directly, it will notify Controller and not respond except as required by law.
Processor may process Personal Data in the United States and other jurisdictions where it or its Sub-processors operate. Where required by applicable law, Processor will implement appropriate safeguards for cross-border data transfers.
Upon termination, Processor will delete or return Personal Data at Controller's direction, unless retention is required by law.
Processor acts solely as a processor or service provider and does not determine the purposes or means of processing Personal Data.
This DPA is subject to the limitations of liability set forth in the Terms of the Service Agreement. To the fullest extent permitted by law, Processor shall not be liable for: Controller's compliance or non-compliance with applicable laws and regulations; the legality, completeness, or accuracy of Personal Data; and Controller's Documented Instructions and/or use of the Service.
All indemnification obligations of Customer/Controller under the Terms of the Agreement apply fully to this DPA and shall not be limited by any cap on damages to the extent permitted by law.
Processor maintains reasonable administrative, technical, and organizational safeguards appropriate to the nature of the Personal Data collected, including:
Processor may update these measures from time to time, provided such updates do not materially reduce the overall level of protection.
For a countersigned DPA or any data-processing questions, get in touch.