Geocodio Data Processing Agreement
Geocodio's standard DPA for GDPR (EU) and UK GDPR
Sign a DPA
Data Processing Agreements are available for Flex and Enterprise customers. Log in to your dashboard (Self-Serve or Enterprise) to sign.
Custom DPAs are available for Enterprise Unlimited Geocoding customers only. Business Associate Agreements (BAAs) are available for all Enterprise platform customers.
Please contact us if you have questions about data processing agreements.
This data processing agreement ("DPA" or "Agreement") is made on [date] by and between the party named on the signature page below ("Controller"), and Dotsquare LLC, dba Geocodio, a US company, having its registered office at 440 Monticello Ave, Ste 1802 #43146, Norfolk VA 23510 USA ("Geocodio" or "Processor"), together the "Parties." This DPA is supplemental to any main agreement entered into between the parties which governs the provision of the Services by Processor to Controller. This Agreement governs the processing of Personal Data that the Controller transmits to the Processor through the Processor's Services. The Parties acknowledge that the Controller may, in some cases, itself act as a processor on behalf of its own customers or other third-party controllers. Where this is the case, the protections set out in this Agreement extend to those third-party controllers, and the Controller remains responsible for managing all communications, instructions, and requests from such third parties. The Processor will not be required to communicate directly with the Controller's customers or other downstream parties. This DPA applies to the Services provided to the Controller under the agreements signed for the Controller's account. Where the Controller has signed a separate agreement with the Processor that addresses data processing, audit rights, security review obligations, or related matters, the terms of that signed agreement shall prevail with respect to the matters it addresses, and any conflict between such agreement and this DPA shall be resolved in favor of the signed agreement.
Definitions
In this DPA, the following terms shall have the following meanings:
"Applicable Data Protection Law" means all applicable international, federal, national and state privacy and data protection laws that apply to the processing of Personal Data that is the subject matter of the Agreement (including, where applicable, European Data Protection Law and UK Data Protection Law);
"Controller" means the entity that determines the purposes and means of the processing of Personal Data;
"Processor" means an entity that processes Personal Data on behalf of the Controller;
"European Data Protection Law" means: (i) prior to 25 May 2018, the EU Data Protection Directive 95/46/EC, and any applicable national implementation of it; and (ii) on and after 25 May 2018, the EU General Data Protection Regulation 2016/679 ("EU GDPR") and any applicable national laws made under it;
"UK Data Protection Law" means the UK General Data Protection Regulation ("UK GDPR") as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 ("DPA 2018"), and any other applicable UK data protection laws;
"GDPR" means, collectively, the EU GDPR and the UK GDPR;
"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Subject and duration
(1) The Processor and other data processing entities as listed in Clause 7 of this Agreement perform Cloud IT Services for the Controller. The data processing services are listed in Appendix 1. Cloud IT Services are defined as so-called "distributed data processing services" which are not characterized by a conventional bilateral cooperation between Processor and Controller, but are generated by multiple Processors with alternating processing duties. Notwithstanding, according to the GDPR, one Processor must be appointed as the responsible party for the collective services. This is the Processor as stated above.
(2) As personal data will be processed on behalf of the Controller and according to their instructions for this matter, or access to personal data cannot be excluded when performing these Cloud IT Services, the services are commissioned data processing in accordance with the EU GDPR and the UK GDPR.
(3) The terms "personal data", "processing", "block/blocking", "consent", "cross-border", "collection", "Third party", "Controller" and "Processor" are to be interpreted according to the definitions given in Article 4 of the EU GDPR and Article 4 of the UK GDPR. The terms "written form" or "written" mean that a document must be signed by the issuer with their name in their own hand. The term "text form" means the declaration must be made in a document or in another manner suitable for its permanent reproduction in writing, the person making the declaration must be named and the completion of the declaration must be shown through the reproduction of a signature of the name or otherwise.
(4) This agreement shall – unless otherwise agreed – become effective when signed by both Parties and shall apply as long as the Processor processes personal data on behalf of the Controller. However, it does not end before the obligation to delete and return relevant documents and data has been fulfilled by the Processor.
Extent, type and purpose of the data processing, data types and data subjects
Extent, type and purpose of the data processing, the data types as well as the groups of data subjects are described in Appendix 1.
Technical and organizational measures
(1) The Processor warrants and undertakes to employ reasonable and appropriate technical and organizational security measures for the data processing. A description of these measures is published on the Processor's public website at https://www.geocod.io/security and is summarized in Appendix 2 of this Agreement. The publicly available documentation, together with the Processor's published Privacy Statement and Data Retention Policy, constitutes the Processor's documentation of its technical and organizational measures for the purposes of Article 28(3)(h) of the EU GDPR and the UK GDPR.
(2) The Processor may update its technical and organizational measures from time to time, provided that any such updates do not materially decrease the overall level of protection of Personal Data. The current version of these measures is at all times available on the Processor's public website. The Processor is not required to provide additional or bespoke documentation of these measures to the Controller beyond what is publicly available.
(3) The Processor shall reasonably assist the Controller, taking into account the nature of the processing and the information available to the Processor, in meeting the Controller's obligations under Articles 30 (records of processing), 32 (security), 33 and 34 (breach notification), 35 (data protection impact assessments), and 36 (prior consultation) of the EU GDPR and the corresponding provisions of the UK GDPR. Such assistance shall be provided through the information made available on the Processor's public website and through the Processor's standard support channels.
Correction, erasure and blocking of data
The Processor shall not correct, erase or block personal data provided by the Controller unless the Controller instructs them to do so.
Duties of the Processor
(1) The Processor hereby confirms that they know and are aware of the relevant European and UK data protection regulations. The Processor's internal operating procedures shall comply with the specific requirements of effective data protection management.
(2) The Processor warrants and undertakes that all employees involved in the data processing procedures are familiar with the relevant data protection regulations. The Processor assures that those employees are bound to maintain confidentiality as provided by the EU GDPR and the UK GDPR. The Processor shall monitor its own compliance with the applicable data protection regulations.
(3) The Processor's Data Protection Officer is Mathias Hansen, CTO, [email protected].
(4) Personal data processed for different Controllers are processed separately; measures to ensure separate handling are summarized in Appendix 2.
(5) The Processor's data processing centers are located in:
Self-Serve: Nuremberg, Germany; Falkenstein, Germany; and Fairfax County, VA, USA.
Enterprise: Morrow County, OR, USA and Fairfax County, VA, USA.
(6) The Processor shall at all times have in place an officer who is responsible for assisting the Controller (a) in responding to inquiries concerning the commissioned data processing, received from data subjects and (b) in completing all legal information and disclosure requirements which apply to the Controller and are associated with the commissioned data processing. This officer can be reached at [email protected]. The Processor shall take no steps in response to any inquiry received from data subjects or Third Parties except on written instructions by the Controller. Where a data subject contacts the Processor to assert his or her rights established in the EU GDPR or the UK GDPR, the Processor shall forward this request promptly to the Controller.
Cloud Subcontractors
(1) The following companies provide Cloud IT services for the Processor on a contractual basis and are considered Cloud Subcontractors. The Processor maintains a current list of its Cloud Subcontractors on its public website at https://www.geocod.io/gdpr.
Hosting and infrastructure:
Amazon Web Services (Amazon.com, Inc.) (Seattle, Washington, USA) — Enterprise hosting and account database backups
Hetzner Online GmbH (Gunzenhausen, Germany) — Self-Serve hosting (EU)
Customer support and product operations:
Intercom, Inc. (Dublin, Ireland) — Customer support
Sentry, Inc. (San Francisco, CA, USA) — Error tracking
Laravel Nightwatch — Error tracking and performance monitoring
Billing and accounting:
Stripe, Inc. (San Francisco, CA, USA) — Payment processing
Intuit, Inc. (QuickBooks) (Mountain View, CA, USA) — Invoicing and accounting
Communications:
Bento — Transactional and marketing email
Satismeter — Customer satisfaction surveys
(2) The Processor will reflect any addition or replacement of a Cloud Subcontractor on its public Privacy Statement at https://www.geocod.io/gdpr. The Controller may object to the engagement of a new Cloud Subcontractor on reasonable data protection grounds by providing written notice to [email protected] within thirty (30) days of the change being reflected on the Privacy Statement. The Parties will work in good faith to resolve any such objection. If the Parties cannot resolve the objection, the Controller may exercise its termination for convenience rights as set out in the main agreement governing the Controller's account with the Processor.
(3) The Processor ensures that each Cloud Subcontractor's processing is carried out under a written contract imposing data protection obligations substantially equivalent to those imposed on the Processor under this Agreement.
(4) Access to personal data may only be granted to a Cloud Subcontractor that complies with the obligations of this Agreement.
(5) Ancillary services provided to the Processor by third-party service providers that support the Processor's operations but do not involve the processing of Personal Data — such as telecommunications, cleaning, or facility management services — shall not be regarded as subcontracts for the purposes of this Agreement. The Processor shall, however, enter into legally binding and adequate agreements with such third-party service providers regarding the protection and security of any Controller data accessible by them.
Verification of compliance
(1) The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the EU GDPR and the UK GDPR through the documentation published on the Processor's public website, including:
The Privacy Statement at https://www.geocod.io/gdpr
The Security overview at https://www.geocod.io/security
The Data Retention Policy at https://www.geocod.io/data-retention-policy
This Agreement and its Appendices
The Parties agree that the information made available through the above resources is sufficient to satisfy the Controller's right to receive information necessary to demonstrate the Processor's compliance with Article 28(3)(h) of the EU GDPR and the UK GDPR.
(2) The Processor is not required to provide bespoke security questionnaires, third-party audit reports (such as SOC 2 or ISO 27001), penetration test results, system test results, or other supplementary documentation under this Agreement. Such materials, where they exist, are made available only to customers of the Processor's Enterprise platform, and Controller understands they have elected to use the Self-Serve platform, which does not include the right to any such materials or reviews.
(3) On-site audits, inspections, and security reviews of the Processor's premises or systems are not provided under this Agreement. Where a Controller requires on-site audit rights or additional security review materials, such arrangements may be available under a separate signed agreement with the Processor, at the Controller's expense and subject to mutually agreed scope, timing, and confidentiality terms. Controllers may contact [email protected] to discuss available options.
(4) Nothing in this Clause 8 limits the Processor's obligation under Clause 9 to notify the Controller of personal data breaches or other matters affecting compliance with applicable data protection law.
Obligation to report violations of provisions to protect personal data
The Processor shall promptly notify the Controller of any failures, errors or inaccuracies in the operating procedures which endanger personal data provided by the Controller, as well as of any suspicion of data protection infringements committed by employees, the Cloud Subcontractor or other Third Parties which concern personal data provided by the Controller. In addition, the Processor shall promptly inform the Controller if the Processor discovers that the Processor's technical and organizational measures do not comply with legal requirements.
Instructions of the Controller
(1) The Controller is solely responsible for compliance with the EU GDPR, the UK GDPR, and other data protection provisions. Controller is in particular liable for the admissibility of the data processing and for the protection of the data subjects' rights according to the EU GDPR, the UK GDPR, and other data protection provisions.
(2) The Controller is entitled to give instructions to the Processor on the extent, type and methods of the data processing. Generally, instructions can be given orally. However, instructions must be issued in written form or in text form if the Processor asks the Controller to do so.
(3) The Processor has to process the personal data provided by the Controller exclusively on behalf of the Controller and in accordance with Controller's instructions.
(4) The Processor shall promptly notify the Controller if Processor believes that an instruction of the Controller does not comply with the applicable legal provisions of data protection.
(5) The Controller shall promptly notify the Processor if failures or irregularities are recognized in the course of the examination of the data processing results.
International data transfers
(1) Where the Processor transfers Personal Data of EU data subjects to a country outside the European Economic Area that is not subject to an adequacy decision, such transfers are made pursuant to the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) or another lawful transfer mechanism.
(2) Where the Processor transfers Personal Data of UK data subjects to a country outside the United Kingdom that is not subject to UK adequacy regulations, such transfers are made pursuant to the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism approved under the UK GDPR. Where applicable, the Processor relies on the UK Extension to the EU-US Data Privacy Framework.
Termination of the contract
(1) On termination or expiration of this agreement, the Processor shall return all documents and storage media as well as all results of the data processing which concern the commissioned data processing and contain personal data provided by the Controller. All other personal data concerning the commissioned data processing shall promptly be destroyed or erased. This provision shall not affect potential statutory duties of the Parties to preserve records for retention periods set by law, statute or contract.
(2) The Controller can terminate the contractual relationship without notice if the Processor severely violates this agreement or the regulations of the EU GDPR or the UK GDPR and the Controller can therefore not reasonably be expected to continue the data processing until the expiry of the notice period or the agreed termination of contract.
Governing Law
(1) For Controllers established in the European Economic Area, this Agreement shall be governed by the law of the Member State in which the relevant Controller of the personal data in question is established.
(2) For Controllers established in the United Kingdom, this Agreement shall be governed by the laws of England and Wales.
(3) For Controllers established outside the EEA and the United Kingdom, this Agreement shall be governed by the law applicable to the main agreement between the Parties.
Cooperation with supervisory authorities
(1) The Controller agrees to deposit a copy of this contract with the relevant supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
(2) The Parties acknowledge that the relevant supervisory authority (including the UK Information Commissioner's Office ("ICO") and EU data protection authorities) retains the statutory rights granted to it under applicable data protection law, including any rights of investigation. Nothing in Clause 8 of this Agreement limits the statutory rights of supervisory authorities.
(3) The Processor shall promptly inform the Controller about the existence of any legislation applicable to it or any subprocessor that would prevent the Processor from meeting its obligations under this Agreement.
Final provisions
(1) The Parties shall keep confidential all business secrets and data security measures they gain knowledge of in the context of the contractual relationship.
(2) In case one Party is subject to further obligations of secrecy and has informed the other Party in written form hereof, the other Party is obliged to comply with those obligations as well.
(3) In case any of the Controller's property rights are at risk in the office premises of the Processor due to measures taken by Third Parties (e.g. forfeitures and garnishments), insolvency proceedings or any other events, the Processor shall promptly inform the Controller hereof. A right of retention for the Processor is excluded with regard to storage media and databases of the Controller.
(4) Additional agreements must be agreed upon in written form.
(5) In case individual provisions of this agreement are invalid, this shall not affect the validity of the remainder of the agreement.
Appendix 1
This Appendix forms part of the Agreement and must be completed and signed by the parties.
Data controller: [Controller's description of their services — filled in per agreement]
Data processor: The data processor is a provider of cloud-based location and data matching software services, primarily relating to the conversion of address data to latitude/longitude and latitude/longitude to address data, and the append of general location-based information to that location (including but not limited to political districts), as better described at https://www.geocod.io
Data subjects: [Filled in per agreement]
Categories of data: The personal data transferred concern the following categories of data: location data.
Special categories of data (if appropriate): No special categories of data shall be transferred.
Processing operations: The personal data transferred will be subject to the following basic processing activities: transfer of data and data subject information via API and/or file upload.
DATA CONTROLLER Name: [filled in per agreement] Signature:
DATA PROCESSOR Name: Michele Hansen Signature:
Appendix 2: Summary of technical and organizational measures
This Appendix provides a summary of the technical and organizational measures implemented by the Processor. The complete and current description of these measures is published at https://www.geocod.io/security and is incorporated into this Agreement by reference.
Physical Access Controls: Reasonable measures to prevent physical access by unauthorized persons to facilities housing systems that process personal data.
System Access Controls: Reasonable measures to prevent personal data from being used without authorization, including authentication, documented authorization processes, change management processes, and access logging.
Data Access Controls: Reasonable measures to ensure that personal data is accessible and manageable only by properly authorized staff, with role-based access controls and least-privilege principles.
Transmission Controls: Reasonable measures to ensure personal data cannot be read, copied, modified, or removed without authorization during electronic transmission, including encryption in transit.
Input Controls: Reasonable measures to verify whether and by whom personal data has been entered into, modified in, or removed from data processing systems.
Data Backup: Regular, secured, and encrypted backups to protect against accidental destruction or loss.
Logical Separation: Personal data collected for different purposes is logically segregated to ensure separate processing.
Encryption at Rest: Personal data is encrypted at rest in accordance with industry standards.
The Processor may update these measures from time to time without amendment to this Agreement, provided that any update does not materially decrease the overall level of protection. The current version is at all times available at https://www.geocod.io/security.