Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Master Services Agreement (“MSA”) between EcoVeraZ, Inc. and the customer (“Customer”) and governs the processing of Customer Personal Data by EcoVeraZ in connection with the EcoVeraZ platform.

This DPA is required when Customer processes personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or comparable data-protection laws.

Customer is the data controller of Customer Personal Data. EcoVeraZ is the data processor, acting on Customer's documented instructions.

• Subject matter: provision of the EcoVeraZ platform to Customer per the MSA.
• Duration: the term of the MSA.
• Nature + purpose: hosting, processing, and analyzing Customer data for the purposes of the EcoVeraZ platform.
• Type of data: Customer's business operational data, employee names + email addresses (tenant administrators + assigned users), demo-request leads.
• Categories of data subjects: Customer's employees and authorized agents.

• Process Customer Personal Data only on Customer's documented instructions (including those in the MSA + this DPA).
• Ensure persons authorized to process Customer Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (see Privacy Policy § Security).
• Assist Customer in responding to data-subject requests (access, rectification, erasure, portability).
• Notify Customer without undue delay of any Personal Data Breach affecting Customer's data.
• Make available to Customer the information necessary to demonstrate compliance with this DPA.

Customer authorizes EcoVeraZ to engage subprocessors to process Customer Personal Data, subject to:

• EcoVeraZ publishes a current list of subprocessors.
• EcoVeraZ imposes obligations on subprocessors that are no less protective than this DPA.
• EcoVeraZ provides at least 30 days' advance notice of new subprocessors. Customer may object on reasonable grounds.
• EcoVeraZ remains liable for subprocessor performance.

Where Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country without an adequacy decision, the EU Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor) apply, with this DPA serving as the agreement.

Customer may select a primary processing region (EU, US, or Asia-Pacific) at onboarding. Cross-region transfers within EcoVeraZ's own infrastructure are governed by the SCCs.

EcoVeraZ will notify Customer of any Personal Data Breach affecting Customer Personal Data within 72 hours of becoming aware. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records concerned, likely consequences, and measures taken or proposed to address the breach.

Customer may request, no more than once per calendar year, a copy of EcoVeraZ's most recent third-party audit reports (SOC 2, ISO 27001) under NDA. On-site audits may be conducted at Customer's expense with reasonable advance notice and during normal business hours, not exceeding once per calendar year unless required by Supervisory Authority.

On termination of the MSA, EcoVeraZ will, at Customer's choice, return all Customer Personal Data to Customer or delete it within 90 days, except where retention is required by applicable law.

In the event of conflict between this DPA and the MSA, this DPA prevails with respect to the processing of Customer Personal Data.

For DPA execution, subprocessor change notifications, or to request a copy of the audit reports under NDA, contact legal@ecoveraz.com.