Data Processing Addendum (DPA)

Terms not otherwise defined have the meanings given in applicable data-protection laws, including the California Consumer Privacy Act ("CCPA"), the General Data Protection Regulation 2016/679 ("GDPR"), and the UK Data Protection Act 2018. "Personal Data" means information relating to an identified or identifiable natural person that Customer or its end users provide to REIntel through the Service.

For Personal Data processed in connection with the Service, Customer is the Controller (or Business under CCPA) and REIntel is the Processor (or Service Provider under CCPA). Each party will comply with the obligations applicable to its role under applicable data-protection laws.

• Nature and purpose: provision of the Service as described in the Terms of Service.
• Duration: the term of the underlying agreement, plus a reasonable wind-down period.
• Categories of data subjects: Customer's authorized end users.
• Categories of Personal Data: identifiers (email, hashed IP), account/profile data, usage telemetry, billing metadata (handled by Stripe).

REIntel will:

• Process Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by applicable law.
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures (described in Section 7).
• Assist Customer, taking into account the nature of processing, in fulfilling Customer's obligations to respond to requests from data subjects.
• Make available to Customer all information necessary to demonstrate compliance with this DPA.
• Not sell or share Personal Data, as those terms are defined under CCPA.

Customer authorizes REIntel to engage the subprocessors listed in our Privacy Policy. REIntel will provide Customer with at least thirty (30) days' notice before adding or replacing a subprocessor, during which Customer may object on reasonable data-protection grounds. REIntel will impose data-protection terms on each subprocessor that are no less protective than those in this DPA.

Where Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland to a country not deemed adequate, the parties agree to incorporate the relevant Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) by reference, with REIntel acting as data importer and Customer as data exporter. Each party will sign or otherwise execute the SCCs upon Customer's reasonable request.

REIntel maintains the following technical and organizational measures:

• Encryption of data in transit using TLS 1.2 or later.
• Encryption of data at rest where supported by underlying infrastructure (Supabase, Stripe).
• Least-privilege access controls, with production database access limited to named operators using individual credentials.
• Salted-hash identifiers (e.g., HMAC-SHA256 of IP addresses) for analytics, so raw identifiers are not stored.
• Regular review of subprocessor compliance reports (SOC 2 / ISO 27001 where available).
• Logging and monitoring of administrative access to production data.
• Incident-response procedures for confirmed security events.

REIntel will notify Customer without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data. The notification will include the information required by applicable law, to the extent reasonably available to REIntel.

REIntel will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects exercising rights under applicable data-protection laws.

Customer may, no more than once per twelve (12) months and on at least thirty (30) days' written notice, request reasonable information demonstrating REIntel's compliance with this DPA. REIntel will respond to a reasonable security questionnaire and, where independently audited reports exist (e.g., SOC 2 from underlying subprocessors), provide a copy under reasonable confidentiality restrictions.

Upon termination or expiration of the underlying agreement, REIntel will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf, unless retention is required by applicable law. Customer may export account data through self-service tooling at any time during the term.

Each party's liability arising out of or related to this DPA is subject to the limitation-of-liability provisions of the underlying agreement.

This DPA is governed by the same law that governs the underlying agreement, except that the SCCs (where incorporated) are governed by the law specified in those clauses.