DATA PROCESSING ADDENDUM


This Data Processing Addendum (this “DPA”) supplements and is incorporated into the OneClick Terms of Service (the “Agreement”) between OneClickApp, LLC, a Utah limited liability company (“OneClick”), and the customer identified in the applicable Order Form or online subscription (“Customer”). This DPA applies to OneClick’s Processing of Personal Information on behalf of Customer in connection with the Services. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

This DPA automatically forms part of the Agreement with respect to Personal Information subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Act Respecting the Protection of Personal Information in the Private Sector (Quebec), as amended by Law 25, and analogous U.S. state and Canadian federal or provincial privacy laws (together, “Applicable Privacy Laws”). Customer may also elect to execute this DPA by countersigning the signature block at the end of this document, in which case it applies to all Personal Information Processed by OneClick on Customer’s behalf.

1. Definitions

In this DPA, the following capitalized terms have the meanings below. Other capitalized terms are defined in the Agreement or in the body of this DPA.

“Business” has the meaning given under CCPA/CPRA.

“Business Purpose” means the provision of the Services to Customer, the performance of OneClick’s obligations under the Agreement and this DPA, and the other purposes set forth in Section 3 of this DPA.

“Controller” has the meaning given under the applicable Applicable Privacy Law, and has the same meaning as “Business” under CCPA/CPRA.

“Data Subject” means an identified or identifiable natural person to whom Personal Information relates.

“Data Subject Request” means a request from a Data Subject to exercise rights under Applicable Privacy Laws, including rights to access, correct, delete, or obtain a copy of Personal Information, or to opt out of the sale or sharing of Personal Information or its use for targeted advertising.

“Personal Information” means any information within Customer Data that (a) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device, and (b) is subject to an Applicable Privacy Law. “Personal Information” includes “personal data” as defined under non-California Applicable Privacy Laws.

“Processor” has the meaning given under the applicable Applicable Privacy Law, and has the same meaning as “Service Provider” under CCPA/CPRA.

“Security Incident” means a confirmed unauthorized access to, acquisition of, or disclosure of Personal Information Processed by OneClick on behalf of Customer.

“Sell,” “Sale,” “Share,” and “Sharing” have the meanings given under CCPA/CPRA.

“Sensitive Personal Information” has the meaning given under the applicable Applicable Privacy Law, and includes “sensitive data” under non-California Applicable Privacy Laws.

“Service Provider” has the meaning given under CCPA/CPRA.

“Subprocessor” means a third party engaged by OneClick to Process Personal Information on Customer’s behalf in connection with the Services.

“Process” and “Processing” mean any operation or set of operations performed on Personal Information, including collection, recording, organization, storage, retrieval, consultation, use, disclosure, transmission, alignment, combination, restriction, erasure, or destruction.

2. Scope and Roles of the Parties

2.1 Scope. This DPA applies to OneClick’s Processing of Personal Information contained in Customer Data in connection with the Services.

2.2 Roles. With respect to Personal Information Processed under this DPA, Customer is the Business (under CCPA/CPRA) or Controller (under other Applicable Privacy Laws), and OneClick is the Service Provider (under CCPA/CPRA) or Processor (under other Applicable Privacy Laws).

2.3 Order of Precedence. In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Information, this DPA controls. In all other respects, the Agreement controls.

2.4 Compliance. Each Party will comply with its obligations under Applicable Privacy Laws in connection with its Processing of Personal Information under the Agreement and this DPA. Customer is solely responsible for determining whether Personal Information it submits to the Services is subject to Applicable Privacy Laws and for complying with its obligations as the Business or Controller, including providing required notices to Data Subjects and obtaining any required consents.

3. Processing of Personal Information

3.1 Instructions. OneClick will Process Personal Information only on Customer’s documented instructions, except where required by law. Customer instructs OneClick to Process Personal Information as follows: (a) as described in the Agreement, this DPA, and the Documentation; (b) as initiated by Authorized Users through their use of the Services; (c) to respond to Customer’s reasonable written requests consistent with the Agreement; and (d) to comply with applicable law. Customer represents that these instructions comply with Applicable Privacy Laws.

3.2 Details of Processing. The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Information Processed under this DPA are described in Annex 1.

3.3 Permitted Uses. OneClick will Process Personal Information only for the Business Purpose, including to (a) provide, maintain, secure, and improve the Services; (b) perform OneClick’s obligations under the Agreement; (c) detect and prevent fraud, abuse, and security threats; (d) generate Usage Data, De-Identified Data, and Aggregated Data as permitted by the Agreement; and (e) comply with law.

3.4 Restrictions. OneClick will not: (a) Sell or Share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the Business Purpose, including for any commercial purpose other than the Business Purpose; (c) retain, use, or disclose Personal Information outside the direct business relationship between OneClick and Customer; or (d) combine Personal Information with personal information received from or on behalf of another person, or collected from OneClick’s own interactions with a consumer, except as permitted under CCPA/CPRA and other Applicable Privacy Laws for a Service Provider or Processor.

3.5 De-Identified and Aggregated Data. Notwithstanding Section 3.4, OneClick may create and use De-Identified Data and Aggregated Data derived from Personal Information in accordance with the Agreement and Applicable Privacy Laws. OneClick will not attempt to re-identify De-Identified Data and will maintain reasonable technical and contractual safeguards against re-identification.

3.6 Notice of Noncompliance. OneClick will notify Customer if it determines that it can no longer meet its obligations under Applicable Privacy Laws with respect to Personal Information Processed under this DPA. Upon such notice, Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.

4. Confidentiality of Personnel

OneClick will ensure that personnel authorized to Process Personal Information are (a) informed of the confidential nature of the Personal Information, (b) bound by written confidentiality obligations or appropriate statutory obligations of confidentiality, and (c) granted access to Personal Information on a need-to-know basis.

5. Subprocessors

5.1 General Authorization. Customer grants OneClick general authorization to engage Subprocessors to Process Personal Information in connection with the Services. OneClick maintains a list of current Subprocessors, available upon written request to privacy@oneclickapp.com.

5.2 Subprocessor Obligations. Before engaging a Subprocessor, OneClick will enter into a written agreement with the Subprocessor that imposes data-protection obligations no less protective than those in this DPA with respect to the Processing of Personal Information, including the restrictions in Section 3.4.

5.3 Notice of New Subprocessors. OneClick will provide Customer with notice of the engagement of any new Subprocessor that will Process Personal Information, either by email to the contact on file for the Customer account or through a designated portal, at least thirty (30) days before the new Subprocessor begins Processing Personal Information.

5.4 Right to Object. If Customer has a reasonable, good-faith objection to a new Subprocessor on data-protection grounds, Customer will notify OneClick in writing within fifteen (15) days of receiving OneClick’s notice. The Parties will work together in good faith to resolve the objection. If the Parties cannot resolve the objection within a reasonable period, Customer may terminate the portion of the Services that cannot be provided without the objectionable Subprocessor, on written notice, and will receive a pro rata refund of pre-paid Fees for the unused portion of the Subscription Term allocable to the terminated portion of the Services.

5.5 Liability for Subprocessors. OneClick is liable for the acts and omissions of its Subprocessors to the same extent as if OneClick performed the relevant acts or omissions itself, subject to the limitations of liability in the Agreement.

6. Security

6.1 Technical and Organizational Measures. OneClick will implement and maintain the technical and organizational security measures described in Annex 2, which are designed to protect Personal Information against unauthorized access, use, disclosure, alteration, and destruction, consistent with generally accepted industry practices for SaaS providers of similar size and scale. OneClick may update its technical and organizational measures from time to time, provided that such updates do not materially diminish the overall level of security afforded to Personal Information.

6.2 Personnel Security. OneClick will conduct background checks on personnel with access to Personal Information to the extent permitted by law and will provide periodic security and privacy training to such personnel.

7. Security Incidents

7.1 Notification. OneClick will notify Customer of a Security Incident without undue delay, and in any event no later than seventy-two (72) hours after OneClick’s confirmation of the Security Incident.

7.2 Contents. OneClick’s notification will include, to the extent then known and as the investigation progresses: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects and records affected; (c) the likely consequences of the Security Incident; (d) the measures taken or proposed to address the Security Incident and mitigate its adverse effects; and (e) contact information for OneClick’s response personnel.

7.3 Cooperation. OneClick will reasonably cooperate with Customer in investigating and remediating the Security Incident and will provide information reasonably necessary to enable Customer to meet its own notification obligations under applicable law.

7.4 No Acknowledgment of Fault. OneClick’s notification of a Security Incident is not an acknowledgment of fault or liability.

8. Data Subject Rights

8.1 Customer Responsibility. As between the Parties, Customer is responsible for responding to Data Subject Requests relating to Personal Information Processed on its behalf.

8.2 OneClick Cooperation. Taking into account the nature of the Processing, OneClick will provide reasonable assistance, through appropriate technical and organizational measures and insofar as possible, to enable Customer to fulfill its obligation to respond to Data Subject Requests. OneClick may charge a reasonable fee for assistance that is disproportionate or that falls outside the features made available in the Services.

8.3 Direct Requests. If OneClick receives a Data Subject Request directly from a Data Subject regarding Personal Information Processed on Customer’s behalf, OneClick will, without substantive response, refer the Data Subject to Customer or forward the request to Customer for response, except where OneClick is required by law to respond directly.

9. Audits and Inspections

9.1 Documentation. OneClick will make available to Customer, on reasonable written request, information reasonably necessary to demonstrate OneClick’s compliance with this DPA, including OneClick’s then-current independent third-party audit reports (such as SOC 2 Type II) or summaries thereof, subject to confidentiality obligations.

9.2 Audits. To the extent the information described in Section 9.1 is insufficient to demonstrate compliance and Customer has a reasonable, good-faith basis to request an audit, Customer may audit OneClick’s compliance with this DPA once per twelve (12) month period, subject to the following: (a) Customer will provide at least thirty (30) days’ prior written notice; (b) the audit will be conducted during normal business hours, in a manner that does not unreasonably interfere with OneClick’s operations, and subject to OneClick’s reasonable safety, security, and confidentiality requirements; (c) the audit will be performed by Customer or by an independent auditor that is not a competitor of OneClick, bound by confidentiality obligations; (d) Customer will bear its own costs and the reasonable costs incurred by OneClick in connection with the audit, except where the audit reveals a material breach by OneClick; and (e) Customer will provide OneClick with a copy of the audit report, which will be treated as OneClick’s Confidential Information.

9.3 Regulatory Audits. OneClick will cooperate with audits or inspections conducted by a supervisory authority with jurisdiction over Customer’s Processing of Personal Information.

10. Data Protection Impact Assessments and Risk Assessments

OneClick will provide Customer, upon reasonable written request, with information reasonably necessary to enable Customer to conduct data protection impact assessments or risk assessments required under Applicable Privacy Laws, taking into account the nature of the Processing and the information available to OneClick.

11. Deletion and Return of Personal Information

11.1 On Termination. Upon termination or expiration of the Agreement, OneClick will return or delete Personal Information in accordance with Section 8.6 of the Agreement, including the ninety (90) day post-termination export window.

11.2 Exceptions. OneClick may retain Personal Information to the extent (a) required by law; (b) contained in routine backup or archival systems not readily accessible and subject to retention schedules, until deleted in the ordinary course; or (c) retained as De-Identified Data or Aggregated Data in accordance with the Agreement. OneClick will continue to protect Personal Information retained under this Section 11.2 in accordance with this DPA.

12. California Consumer Privacy Rights (CCPA/CPRA)

12.1 Service Provider Certification. OneClick certifies that it understands and will comply with the restrictions set forth in Sections 3.3 and 3.4 of this DPA and its obligations as a Service Provider under CCPA/CPRA.

12.2 Permitted Business Purposes. The Business Purposes for which Customer discloses Personal Information to OneClick are described in Section 3.3 of this DPA, the Agreement, and the Documentation. OneClick will Process Personal Information only for those Business Purposes.

12.3 Prohibitions. Without limiting Section 3.4, OneClick will not: (a) Sell or Share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship between the Parties; (c) retain, use, or disclose Personal Information for any purpose other than the Business Purposes specified in the Agreement and this DPA, including for any commercial purpose other than the Business Purposes; or (d) combine Personal Information with personal information from other sources, except as permitted for a Service Provider under CCPA/CPRA.

12.4 Sensitive Personal Information. OneClick will Process Sensitive Personal Information only for the purposes permitted under CCPA/CPRA for Service Providers and only as necessary to perform the Services.

12.5 Customer Remediation Rights. Customer has the right, upon written notice, to take reasonable and appropriate steps to (a) ensure that OneClick uses Personal Information in a manner consistent with Customer’s obligations under CCPA/CPRA and (b) stop and remediate unauthorized use of Personal Information.

12.6 Notice of Inability to Comply. OneClick will notify Customer if OneClick determines that it can no longer meet its obligations under CCPA/CPRA.

12.7 Subcontracting. OneClick will engage Subprocessors that Process Personal Information only pursuant to a written contract that requires the Subprocessor to observe the restrictions in Sections 3.3 and 3.4 and to comply with the applicable obligations of a Service Provider or contractor under CCPA/CPRA.

13. Other State Privacy Laws

For Personal Information subject to Applicable Privacy Laws other than CCPA/CPRA, OneClick acts as a Processor and will Process Personal Information in accordance with this DPA. The terms of this DPA are intended to satisfy the processor-contract requirements of such Applicable Privacy Laws, including by:

• Processing Personal Information only on Customer’s documented instructions (Section 3.1);

• Ensuring the confidentiality of authorized personnel (Section 4);

• Engaging Subprocessors only under written contracts imposing equivalent obligations (Section 5);

• Implementing appropriate security measures (Section 6 and Annex 2);

• Notifying Customer of Security Incidents (Section 7);

• Assisting Customer with Data Subject Requests (Section 8);

• Making available information necessary to demonstrate compliance and allowing audits (Section 9);

• Assisting Customer with data protection impact assessments (Section 10); and

• Returning or deleting Personal Information at the end of the engagement, subject to permitted exceptions (Section 11).

14. Canadian Privacy Laws

14.1 Scope. This Section 14 applies to Personal Information subject to PIPEDA or a Canadian provincial privacy law (together, “Canadian Privacy Laws”). With respect to such Personal Information, OneClick acts as a service provider to Customer and Processes Personal Information on Customer’s behalf and under its accountability.

14.2 Cross-Border Transfers. Customer acknowledges and instructs OneClick that Personal Information may be transferred to, stored in, and Processed in the United States. OneClick will maintain comparable levels of protection for Personal Information Processed in the United States through the contractual, technical, and organizational measures set forth in this DPA. Customer is responsible for providing any notices to, and obtaining any consents from, Data Subjects as required under Canadian Privacy Laws in connection with such cross-border transfers.

14.3 Accountability. OneClick will Process Personal Information subject to Canadian Privacy Laws in a manner consistent with Customer’s accountability obligations under those laws, including by complying with the confidentiality, security, Subprocessor, Security Incident, Data Subject Request assistance, and deletion provisions of this DPA.

14.4 Breach Notification. Where required, OneClick will provide Customer with information reasonably necessary to enable Customer to meet its breach-reporting obligations under Canadian Privacy Laws, including reporting to the Office of the Privacy Commissioner of Canada or applicable provincial commissioner and notification to affected Data Subjects, consistent with Section 7 of this DPA.

14.5 Quebec Law 25. For Personal Information of residents of Quebec, Customer acknowledges that the Act Respecting the Protection of Personal Information in the Private Sector, as amended by Law 25, imposes additional obligations on Customer, including privacy impact assessment requirements for transfers of Personal Information outside Quebec. OneClick will provide Customer, upon reasonable written request, with information reasonably necessary to enable Customer to conduct such assessments, consistent with Section 10 of this DPA.

15. Liability

15.1 Limitation. The limitations of liability in the Agreement, including the aggregate cap in Section 14.2 of the Agreement, apply to liability arising out of or relating to this DPA, regardless of whether any claim is framed under the Agreement or this DPA. Each Party’s liability under the Agreement and this DPA, in the aggregate, is subject to the Agreement’s limitations.

15.2 No Expansion. Nothing in this DPA expands or increases either Party’s liability beyond what is set forth in the Agreement.

16. General

16.1 Term. This DPA takes effect on the Effective Date of the Agreement (or, if later, the date this DPA is countersigned) and continues for the duration of the Agreement. Sections of this DPA that by their nature should survive termination will survive, including Sections 1, 3.4, 3.5, 5.5, 7, 11, 12, 14, 15, and 16.

16.2 Modifications. OneClick may update this DPA from time to time (a) to reflect changes in Applicable Privacy Laws, (b) to reflect changes in the Services, or (c) as otherwise required or appropriate, consistent with the notice requirements in Section 16 of the Agreement. Modifications will not materially diminish Customer’s rights or OneClick’s obligations under this DPA without Customer’s consent, except as required by law.

16.3 Severability. If any provision of this DPA is held unenforceable, the remaining provisions remain in full force and effect, and the unenforceable provision will be modified to the minimum extent necessary to render it enforceable while preserving its intent.

16.4 Governing Law; Dispute Resolution. This DPA is governed by the laws of the State of Utah, and disputes arising out of or relating to this DPA are subject to the dispute-resolution provisions in Section 15 of the Agreement.

16.5 Notices. Notices under this DPA will be provided in accordance with the Agreement. Privacy-related notices to OneClick may be sent to privacy@oneclickapp.com.

16.6 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement between the Parties with respect to the Processing of Personal Information and supersedes all prior agreements on that subject.


Signatures

This DPA may be executed in counterparts, including by electronic signature, each of which is an original and all of which together constitute one agreement. Customers who wish to countersign this DPA may do so below; countersignature is not required for the DPA to take effect where Applicable Privacy Laws apply.

OneClickApp, LLC

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: _______________________________

Customer

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: _______________________________

Annex 1 — Details of Processing

This Annex 1 describes the Processing of Personal Information by OneClick on behalf of Customer under the Agreement and this DPA.

Subject matter

Provision of the Services to Customer, including workforce management, scheduling, employee management, training, analytics, messaging, and operational execution functionality.

Nature of Processing

Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure, transmission, and deletion of Personal Information as necessary to provide the Services.

Purpose

The Business Purposes set forth in Section 3.3 of this DPA.

Duration

For the duration of the Subscription Term, plus the ninety (90) day post-termination export window, plus any retention periods permitted under Section 11.2 of this DPA.

Frequency of Processing

Continuous.

Categories of Data Subjects

Customer’s personnel, including employees, contractors, managers, and other workers located in the United States, Puerto Rico, or Canada; and other individuals whose Personal Information is included in Customer Data at Customer’s direction.

Categories of Personal Information

Identifiers (name, employee ID, email address, phone number); employment information (role, location, shift and schedule data, hours worked, training and certification status); operational information (task assignments, checklists, notes, messages); and technical information associated with use of the Services (logs, device identifiers). Sensitive Personal Information is not required for provision of the Services and should not be submitted by Customer except as expressly configured by OneClick.

Categories of Recipients

OneClick personnel with a need to know; Subprocessors engaged under Section 5; and recipients designated by Customer.

Retention

As described in Section 11 of this DPA and Section 8.6 of the Agreement.

Annex 2 — Technical and Organizational Security Measures

OneClick maintains a written information-security program that includes administrative, physical, and technical safeguards designed to protect Personal Information against unauthorized access, use, disclosure, alteration, and destruction. The program includes the measures described below, which OneClick may update from time to time consistent with Section 6.1 of this DPA.

Governance

• Documented information-security policies reviewed at least annually and approved by management.

• Designated personnel responsible for the information-security program.

• Periodic risk assessments of systems that Process Personal Information.

Access Controls

• Role-based access controls and the principle of least privilege for personnel access to systems that Process Personal Information.

• Multi-factor authentication for administrative access to production systems.

• Periodic review of user access and timely revocation of access upon role change or termination.

• Unique user identifiers and prohibition on shared credentials for access to production systems.

Encryption

• Encryption of Personal Information in transit over public networks using current industry-standard protocols.

• Encryption of Personal Information at rest in production databases and backups using current industry-standard algorithms.

• Secure key management practices, with cryptographic keys stored separately from encrypted data.

Network and Infrastructure Security

• Network segmentation and firewalls separating production environments from other environments.

• Intrusion-detection or intrusion-prevention capabilities on production networks.

• Logging and monitoring of security-relevant events, with alerting for anomalous activity.

• Vulnerability scanning of production systems and timely remediation of identified vulnerabilities based on risk.

Application Security

• Secure software development practices, including code review and static or dynamic analysis.

• Periodic penetration testing of the Services by qualified personnel or third parties.

• Change management for production releases.

Personnel Security

• Background checks on personnel with access to Personal Information, to the extent permitted by law.

• Written confidentiality obligations for personnel with access to Personal Information.

• Periodic security and privacy training.

Physical Security

• Production systems hosted with reputable cloud-infrastructure providers that maintain physical security controls including access restrictions, surveillance, and environmental controls.

Business Continuity and Incident Response

• Documented incident-response procedures, reviewed and tested at least annually.

• Regular backups of production data, with periodic restoration testing.

• Business-continuity and disaster-recovery planning appropriate to the Services.

Subprocessor Management

• Assessment of Subprocessor security practices before engagement.

• Written contracts with Subprocessors imposing data-protection obligations consistent with this DPA.

• Periodic re-assessment of material Subprocessors.