DATA PROCESSING AGREEMENT

Effective Date: May 19, 2026

This Data Processing Agreement ("DPA") is entered into between the entity identified as the "Controller" or "Business" ("Customer") and Boostr, Inc. ("Service Provider" or "Processor"), and forms part of the Terms and Conditions, Order Forms, or other applicable agreement between the parties (the "Agreement").

This DPA reflects the parties' agreement with respect to the Processing of Personal Data in connection with the Service Provider's provision of software-as-a-service products and related services. In the event of any conflict between this DPA and the Agreement with respect to data protection and privacy matters, this DPA shall control. For all other matters, the Agreement shall control.

1. DEFINITIONS

The following terms have the meanings ascribed to them in this Section. Capitalized terms not defined herein have the meanings set forth in the Agreement or applicable Data Protection Laws.

"Applicable Data Protection Laws" means, as applicable to the Processing of Personal Data under this DPA: (i) the EU General Data Protection Regulation (EU) 2016/679 ("GDPR"); (ii) the UK GDPR and UK Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection ("FADP"); (iv) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); (v) the Virginia Consumer Data Protection Act ("VCDPA"); (vi) the Colorado Privacy Act ("CPA"); (vii) the Connecticut Data Privacy Act ("CTDPA"); (viii) the Texas Data Privacy and Security Act ("TDPSA"); (ix) the Utah Consumer Privacy Act ("UCPA"); and (x) any other applicable national, federal, state, or local privacy and data protection statutes or regulations in effect or as enacted, each as amended or superseded from time to time.

"Controller" or "Business" means the Customer in its capacity as the entity that determines the purposes and means of Processing Personal Data.

"Data Subject" or "Consumer" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data" or "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Processor" or "Service Provider" means Service Provider in its capacity as the entity that Processes Personal Data on behalf of the Controller in accordance with this DPA.

"Restricted Transfer" means a transfer of Personal Data to a country or territory not recognized as providing an adequate level of protection for Personal Data under Applicable Data Protection Laws.

"Security Incident" or "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.

"Services" means the software-as-a-service platform and related services provided by Service Provider to Customer under the Agreement.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to processors established in third countries, as adopted by the European Commission and the UK Information Commissioner's Office, as applicable.

"Sub-processor" means any third-party engaged by Service Provider to Process Personal Data on behalf of Customer.

"Sensitive Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, and in the US context, Social Security numbers, driver's license numbers, state identification card numbers, passport numbers, financial account data with required security or access codes, and precise geolocation data. Sensitive Personal Data does not include information that Customer has made publicly available or information that has been de-identified or aggregated such that it cannot reasonably be linked to an individual.

2. SCOPE AND RELATIONSHIP OF THE PARTIES

2.1 Roles of the Parties. The parties acknowledge that: (a) Customer is the Controller or Business with respect to Personal Data Processed under this DPA; (b) Service Provider is the Processor or Service Provider with respect to such Personal Data; and (c) Service Provider shall Process Personal Data only on behalf of and in accordance with the documented instructions of Customer. Nothing in this DPA shall prevent Service Provider from Processing Personal Data as an independent Controller for its own legitimate business purposes, including: (i) providing, maintaining, and improving the Services; (ii) ensuring security and preventing fraud; (iii) complying with legal obligations; (iv) creating de-identified or aggregated data that cannot reasonably identify individuals; and (v) other purposes disclosed in Service Provider's privacy notice, in each case where Service Provider has a separate legal basis to do so under Applicable Data Protection Laws.

2.2 Customer Instructions. Customer instructs Service Provider to Process Personal Data as necessary to: (a) provide the Services in accordance with the Agreement and this DPA; (b) comply with Customer's other documented written instructions that are consistent with the terms of the Agreement and this DPA; and (c) comply with Applicable Data Protection Laws. Any additional instructions beyond those set forth in (a) must be agreed to by Service Provider in writing and may be subject to additional fees. If Service Provider reasonably believes that an instruction infringes Applicable Data Protection Laws or is technically impossible to implement, Service Provider shall promptly inform Customer and shall not be required to follow such instruction. Service Provider shall not be liable for any delays or failures in performance resulting from Customer's unlawful or technically infeasible instructions.

2.3 Details of Processing. The subject matter, nature, purpose, duration, types of Personal Data Processed, and categories of Data Subjects are set out in Annex I to this DPA.

3. SERVICE PROVIDER OBLIGATIONS

3.1 General Obligations. Service Provider shall: (a) process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data, unless required to do so by Applicable Data Protection Laws; in such a case, Service Provider shall inform Customer of that legal requirement before Processing, unless such law prohibits this; (b) ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Section 5 and Annex II; (d) respect the conditions for engaging Sub-processors as set out in Section 4; (e) taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible and subject to reimbursement of Service Provider's reasonable costs for assistance beyond the standard functionality of the Services, for the fulfillment of Customer's obligation to respond to requests for exercising Data Subject rights; (f) provide reasonable assistance to Customer in ensuring compliance with its obligations under Applicable Data Protection Laws, including security of Processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities, provided that such assistance shall be limited to matters within Service Provider's control and subject to reimbursement of Service Provider's reasonable costs for assistance beyond the standard functionality of the Services; (g) at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services relating to Processing, and delete existing copies unless Applicable Data Protection Laws require storage; (h) make available to Customer all information reasonably necessary to demonstrate compliance with obligations under this DPA, subject to the audit rights and limitations set forth in Section 9; and (i) immediately inform Customer if, in Service Provider's opinion, an instruction infringes Applicable Data Protection Laws.

3.2 CCPA/CPRA Specific Obligations. To the extent Service Provider Processes Personal Information subject to the CCPA/CPRA as a Service Provider, Service Provider certifies that it understands and will comply with the restrictions applicable to Service Providers under the CCPA/CPRA, including: (a) Service Provider shall not Sell or Share Personal Information received from Customer; (b) Service Provider shall not retain, use, or disclose Personal Information for any purpose other than the Business Purpose specified in this DPA or as otherwise permitted by the CCPA/CPRA; (c) Service Provider shall not retain, use, or disclose Personal Information outside of the direct business relationship between Customer and Service Provider; (d) Service Provider shall not combine Personal Information received from Customer with Personal Information received from or collected pursuant to other sources, except as permitted under the CCPA/CPRA; (e) Service Provider shall assist Customer in facilitating Consumer rights requests, including the right to know, right to delete, right to correct, and right to opt out of Sensitive Personal Information use; and (f) Service Provider shall notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.

4. SUB-PROCESSORS

4.1 General Authorization. Customer provides general authorization for Service Provider to engage Sub-processors, subject to the conditions in this Section 4. Service Provider shall maintain and make available to Customer a current list of Sub-processors at www.boostr.com/data-protection.

4.2 Changes to Sub-processors. Service Provider shall provide prior written notice to Customer of any intended changes to the list of Sub-processors, including additions or replacements, giving Customer sufficient time to object to such changes before the new Sub-processor Processes Personal Data. If Customer has legitimate grounds to object, Customer shall notify Service Provider in writing within fourteen (14) calendar days of Service Provider's notice. In the event of an objection that the parties cannot resolve, Customer may terminate the relevant Services without penalty upon thirty (30) days' written notice.

4.3 Sub-processor Obligations. Service Provider shall impose obligations on each Sub-processor that are at least equivalent to those imposed on Service Provider under this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. Service Provider shall remain liable to Customer for the acts and omissions of its Sub-processors to the same extent Service Provider would be liable if performing the services of each Sub-processor directly.

5. SECURITY

5.1 Technical and Organizational Measures. Service Provider shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access ("TOMs"), as described in Annex II. Such measures shall take into account: (a) the state of the art; (b) the costs of implementation; (c) the nature, scope, context, and purposes of Processing; and (d) the risk of varying likelihood and severity for the rights and freedoms of natural persons.

5.2 Security Incident / Personal Data Breach Notification. In the event of a Security Incident, Service Provider shall: (i) notify Customer without undue delay and, where feasible, no later than forty-eight (48) hours after becoming aware of the Security Incident (or within such shorter period as required under Applicable Data Protection Laws); (ii) provide Customer with sufficient information to allow Customer to meet any obligations to report the Security Incident to supervisory authorities or Data Subjects, including: (a) a description of the nature of the Security Incident; (b) the categories and approximate numbers of Data Subjects and Personal Data records concerned; (c) the name and contact details of the data protection officer or other point of contact; (d) a description of the likely consequences; and (e) a description of measures taken or proposed to address the Security Incident; (iii) cooperate with Customer and take necessary steps to mitigate and remediate the effects of the Security Incident; and (iv) maintain records of all Security Incidents, including those not meeting the notification threshold. Service Provider's notification of or response to a Security Incident shall not be construed as an acknowledgment of fault or liability by Service Provider.

6. DATA SUBJECT RIGHTS

6.1 Assistance with Requests. Service Provider shall, to the extent legally permitted, promptly notify Customer if Service Provider receives a request from a Data Subject exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, objection, and opt-out. Service Provider shall not respond to such requests except on documented instructions of Customer or as required by Applicable Data Protection Laws. Service Provider shall provide Customer with reasonable cooperation and assistance in fulfilling Customer's obligation to respond to such requests within the legally required timeframe.

6.2 Sensitive Personal Data. To the extent Service Provider processes Sensitive Personal Data on behalf of Customer, Service Provider shall implement additional safeguards as mutually agreed in writing or as specified in Annex II.

7. INTERNATIONAL DATA TRANSFERS

7.1 Transfer Mechanisms. Service Provider shall not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection without first ensuring that the transfer is made pursuant to an appropriate transfer mechanism as required under Applicable Data Protection Laws, including: (a) EU Standard Contractual Clauses (Commission Decision 2021/914) where applicable; (b) UK International Data Transfer Addendum (ICO) where applicable; (c) Swiss SCCs or other mechanisms approved by the Swiss Federal Data Protection and Information Commissioner; (d) Adequacy Decisions issued by the European Commission or UK Secretary of State; (e) the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. DPF, or Swiss-U.S. DPF, as applicable, where Service Provider is a certified participant; or other derogations or mechanisms permitted under Article 49 GDPR or equivalent national law.

7.2 SCCs Incorporation. To the extent Service Provider transfers Personal Data from the EEA, UK, or Switzerland to countries not recognized as providing adequate data protection, the applicable SCCs are incorporated by reference into this DPA and shall apply. In the event of conflict between the SCCs and this DPA, the SCCs shall prevail to the extent of the conflict.

8. DATA PROTECTION IMPACT ASSESSMENTS

Service Provider shall provide reasonable cooperation and assistance to Customer in connection with any data protection impact assessment ("DPIA") required by Applicable Data Protection Laws, and in connection with any prior consultation with a competent supervisory authority, to the extent such DPIA or consultation relates to Processing carried out by Service Provider under this DPA.

9. AUDITS AND INSPECTIONS

9.1 Audit Rights.

9.1.1 Service Provider shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or a mandated third-party auditor, subject to the following conditions: (a) Customer provides reasonable prior written notice of at least thirty (30) calendar days; (b) audits are conducted during normal business hours with minimal disruption to Service Provider's operations; (c) audits occur no more than once per calendar year unless a Security Incident has occurred; and (d) the auditor executes a confidentiality agreement acceptable to Service Provider.

9.1.2 If a third party is to conduct the audit, Service Provider may object to the auditor if the auditor is, in Service Provider’s reasonable opinion, not independent, a competitor of Service Provider, or otherwise manifestly unsuitable. Such objection by Service Provider will require Customer to appoint another auditor or conduct the audit itself.

9.1.3 To request an audit, Customer must submit a detailed proposed audit plan to Service Provider at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Service Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Service Provider’s security, privacy, employment, or other relevant policies). Service Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 9 shall require Service Provider to breach any duties of confidentiality.

9.1.4 Customer will promptly notify Service Provider of any non-compliance discovered during the course of an audit and provide Service Provider any audit reports generated in connection with any audit under this Section 9, unless prohibited by Applicable Data Protection Law or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum.

9.1.5 Any audits are at Customer’s expense. Customer shall reimburse Service Provider for any time expended by Service Provider or its Third Party Subprocessors in connection with any audits or inspections under this Section 9 at Service Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Service Provider to furnish more information about its Third Party Subprocessors in connection with such audits than such Third Party Subprocessors make generally available to their customers.

9.2 Audit Reports. Service Provider may satisfy Customer's audit rights by providing Customer with current third-party audit reports (e.g., SOC 2 Type II, ISO 27001 certification, or equivalent), provided such reports cover the scope of Service Provider's obligations under this DPA. If Customer reasonably determines that the reports are insufficient to demonstrate compliance, Customer may exercise its on-site audit rights under Section 9.1.

10. CONFIDENTIALITY OF PERSONAL DATA

Service Provider shall treat all Personal Data as confidential. Service Provider shall ensure that access to Personal Data is limited to those employees, contractors, and authorized Sub-processors who have a need to access the Personal Data for the purpose of providing the Services, and that all such persons are bound by appropriate confidentiality obligations.

11. DATA RETENTION AND DELETION

11.1 Retention During Services. Service Provider shall retain Personal Data only for as long as necessary to provide the Services or as otherwise agreed in writing between the parties.

11.2 Post-Termination. Upon expiration or termination of the Agreement, or upon Customer's written request, Service Provider shall, at Customer's election: (a) return all Personal Data to Customer in a machine-readable format within sixty (60) calendar days; or (b) securely delete or destroy all Personal Data within sixty (60) calendar days, and certify such deletion in writing to Customer. Service Provider may retain Personal Data as required by Applicable Data Protection Laws, provided such data is retained only to the extent and for such period as required by such laws, and Service Provider shall protect the Personal Data in accordance with this DPA and ensure it is not Processed for any other purpose.

12. REPRESENTATIONS AND WARRANTIES

Each party represents and warrants that: (a) it has the authority to enter into this DPA; (b) its execution and performance of this DPA does not violate any applicable law or agreement; and (c) it shall comply with its respective obligations under Applicable Data Protection Laws. Service Provider represents and warrants that: (a) it has implemented and maintains appropriate technical and organizational measures as set out in Annex II; (b) it will promptly notify Customer of any changes that may affect its ability to fulfill its obligations under this DPA; and (c) it does not currently have actual knowledge that Applicable Data Protection Laws prevent it from fulfilling its obligations under this DPA.

13. LIABILITY AND INDEMNIFICATION

Each party's liability under this DPA is subject to and shall not exceed the limitations set out in the Agreement, except to the extent prohibited by Applicable Data Protection Laws. Notwithstanding any limitation of liability in the Agreement, each party shall be liable for and indemnify, defend, and hold harmless the other party from and against any fines, penalties, and regulatory sanctions imposed by a competent supervisory authority arising from that party's breach of its obligations under Applicable Data Protection Laws.

14. DATA PROTECTION OFFICER / PRIVACY CONTACT

Service Provider's data protection officer or privacy contact can be reached at: privacy@boostr.com or Boostr, Inc., c/o CTO, 228 Park Ave S, PMB 73310, New York, NY 10003.

ANNEX I – DETAILS OF PROCESSING

This Annex I forms part of the Data Processing Agreement and describes the subject matter, nature, purpose, and details of the Processing activities performed by Service Provider on behalf of Customer.

Field | Details
Controller / Business | Customer Name as referenced on the Agreement
Processor / Service Provider | Boostr, Inc, 228 Park Ave S, PMB 73310, New York, NY 10003
Subject Matter | Provision of SaaS services as described in the Agreement
Nature of Processing | Collection, storage, retrieval, use, disclosure to authorized Sub-processors, deletion/return upon termination
Purpose of Processing | To provide the Services to Customer, including account management, authentication, analytics, customer support, billing, and service improvement
Duration of Processing | For the term of the Agreement and for such period thereafter as required for deletion/return obligations
Types of Personal Data | Name, email address, IP address, usage data, device identifiers, account credentials (hashed), phone number, physical address. Sensitive Personal Data: [None]
Categories of Data Subjects | Customer's employees, contractors, end users, customers, and other individuals whose Personal Data is uploaded to or generated through the Services
Legal Basis (GDPR) | Performance of a contract (Art. 6(1)(b)); Compliance with legal obligations (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)); Consent where applicable
Business Purpose (CCPA) | Providing, managing, and improving the Services; auditing; detecting security incidents; debugging; performing services on behalf of Customer

ANNEX II - TECHNICAL AND ORGANIZATIONAL MEASURES

Service Provider has implemented and maintains the following technical and organizational measures to ensure the security of Personal Data:

A. Access Controls

Role-based access control (RBAC) limiting access to Personal Data on a need-to-know basis
Multi-factor authentication (MFA) required for all administrative access to production systems
Regular access reviews and prompt revocation upon personnel changes
Privileged access management (PAM) controls for elevated access

B. Encryption

Encryption of Personal Data at rest using AES-256 or equivalent
Encryption of Personal Data in transit using TLS 1.2 or higher
Encryption key management procedures including key rotation

C. Physical Security

Personal Data hosted in SOC 2 Type II or ISO 27001 certified data centers
Physical access controls including badge access, CCTV, and visitor logs
Environmental controls including fire suppression and climate control

D. Network Security

Firewall and intrusion detection/prevention systems (IDS/IPS)
Regular vulnerability scanning and penetration testing
Web application firewall (WAF) for public-facing applications
Network segmentation to isolate production environments

E. Operational Security

Formal information security policy, reviewed and updated at least annually
Security awareness training for all personnel handling Personal Data
Background checks for personnel with access to Personal Data (where permitted by law)
Incident response plan tested at least annually

F. Backup and Recovery

Regular automated backups with encryption
Documented disaster recovery and business continuity plans that address data protection in accordance with industry standards, with high-level summaries available to Customer upon reasonable request and subject to confidentiality obligations
Recovery testing conducted at least annually, with summary results available to Customer upon reasonable request subject to confidentiality protections and Boostr's security policies

G. Vendor/Sub-processor Management

Security assessments of Sub-processors prior to engagement in accordance with industry standards
Contractual security requirements substantially similar to those in this DPA imposed on all Sub-processors
Ongoing monitoring of Sub-processor compliance using commercially reasonable efforts, with notification to Customer within thirty (30) days of material non-compliance issues that come to Boostr's actual attention

H. Privacy by Design

Data minimization principles applied to all Services in accordance with industry standards and Service Provider's reasonable determination of operational requirements necessary to provide the Services
Pseudonymization applied where technically feasible and ap

ANNEX III – SUB-PROCESSOR LIST

The following Sub-processors are authorized to process personal data in connection with the provision of the services. Service Provider shall update this list and provide notice to Customer as specified in Section 4.2 of the DPA.

Sub-processor | Purpose | Location | Transfer Mechanism
Google Cloud Platform | Infrastructure hosting | US | SCCs / Adequacy Decision
Sendgrid | Transactional email | US | SCCs
Google Cloud Platform doing business as Looker Data Sciences | Service analytics | US | SCCs / DPF
Tray.io | Integration services | US | SCCs / DPF

ANNEX IV - STANDARD CONTRACTUAL CLAUSES

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to countries not recognized as providing adequate protection for personal data, the applicable Standard Contractual Clauses shall be deemed incorporated into and form part of this DPA as follows:

EU SCCs (Controller-to-Processor): European Commission Implementing Decision 2021/914, Module 2 (Controller to Processor), Clause 17 Option 1 (governing law: Ireland), Clause 18 (forum: Courts of Ireland).

UK Addendum: International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0), issued by the UK Information Commissioner's Office.

Swiss Addendum: The Swiss Federal Data Protection and Information Commissioner's addendum to the EU Standard Contractual Clauses, as amended or replaced from time to time and automatically incorporated by reference.

The parties agree that the SCCs are supplemented by this DPA to the extent permitted by the SCCs, and that this DPA shall be interpreted consistently with the SCCs. In the event of any conflict or inconsistency between the SCCs and this DPA, the SCCs shall take precedence to the extent required by applicable law.