DATA PROCESSING AND SECURITY ADDENDUM

This Data Processing and Security Addendum (the "DPSA") supplements the Master Services Agreement available at www.fixedopsinnovations.com/terms (the "MSA") and applies to FixedOps Innovations' processing of Client Data, Customer Information, and Personal Information in connection with the Services. Capitalized terms not defined in this DPSA have the meanings given to them in the MSA or the applicable Activation Agreement.

1. Scope and Purpose

This DPSA describes FixedOps Innovations' obligations regarding Client Data, Customer Information, and Personal Information made available to FixedOps Innovations in connection with the Services. This DPSA is incorporated into and made part of the MSA and each applicable Activation Agreement.

The DPSA is intended to address FixedOps Innovations' permitted processing, security safeguards, subprocessors and service providers, security incident handling, data retention and deletion, data export, Client responsibilities, and related data protection commitments.

2. Client Data, Customer Information, and Personal Information

“Client Data” means data, records, content, and information made available to FixedOps Innovations by or on behalf of Client in connection with the Services, including customer, estimate, service, invoice, claim, transaction, communication, document, workflow, configuration, operational, compliance, and related information.

“Customer Information” means nonpublic personal information, personal information, personally identifiable information, protected customer data, or other customer-related information contained in Client Data.

"Personal Information" means nonpublic personal information, personally identifiable information, protected customer data, or other information that identifies or can reasonably be associated with an individual, to the extent contained in Client Data or Customer Information.

3. Permitted Processing

FixedOps Innovations may access, receive, process, use, transmit, store, and disclose Client Data, Customer Information, and Personal Information solely as reasonably necessary to provide, support, secure, monitor, improve, and administer the Services, comply with the MSA and applicable Activation Agreement, comply with applicable law, respond to Client requests, maintain security and audit records, and as otherwise expressly permitted in this DPSA.

FixedOps Innovations will not process Client Data, Customer Information, or Personal Information for purposes unrelated to the Services except as expressly permitted by the MSA, the applicable Activation Agreement, this DPSA, or applicable law.

4. No Sale or Unrelated Use

FixedOps Innovations will not sell, rent, disclose, or otherwise make available Client Data, Customer Information, or Personal Information for unrelated marketing, advertising, or commercial purposes.

FixedOps Innovations may disclose Client Data, Customer Information, and Personal Information to service providers, subprocessors, contractors, vendors, professional advisors, or other third parties only as reasonably necessary to provide, support, secure, monitor, improve, or administer the Services, comply with applicable law, protect the Services, enforce agreements, or as otherwise permitted by the MSA, applicable Activation Agreement, or this DPSA.

5. Security Safeguards

FixedOps Innovations will maintain reasonable administrative, technical, and physical safeguards designed to protect Client Data, Customer Information, and Personal Information against unauthorized access, use, disclosure, alteration, or destruction.

Such safeguards may include access controls, least-privilege permissions, authentication controls, encryption or other protective measures for data in transit and at rest where appropriate, logging and monitoring, vulnerability management, backup and recovery practices, personnel confidentiality obligations, incident response procedures, vendor review practices, and other safeguards appropriate to the nature of the Services and information processed.

6. Security Incidents

FixedOps Innovations will maintain and follow an information security incident response procedure designed to identify, investigate, contain, remediate, and document Security Incidents involving Client Data, Customer Information, or Personal Information.

FixedOps Innovations will notify Client of a confirmed unauthorized access to or disclosure of Customer Information or Personal Information as required by applicable law and in accordance with FixedOps Innovations' then-current information security and incident response policies.

FixedOps Innovations will provide information reasonably available to FixedOps Innovations to assist Client in evaluating the incident and meeting Client's own legal or regulatory obligations, to the extent such information does not compromise FixedOps Innovations' security, legal position, investigation, privilege, obligations to other customers or third parties, or ability to protect the Services.

7. Subprocessors and Service Providers

FixedOps Innovations may use service providers, subprocessors, contractors, vendors, and other third parties to provide, support, secure, monitor, improve, and administer the Services.

FixedOps Innovations will maintain a list of material subprocessors and service providers that process Client Data, Customer Information, or Personal Information on FixedOps Innovations' behalf.

FixedOps Innovations will require such subprocessors and service providers to protect Client Data, Customer Information, and Personal Information under confidentiality and data protection obligations appropriate to the nature of the services provided and information processed.

Client acknowledges that certain systems, providers, platforms, or recipients may be Client-controlled systems, Client-selected systems, Client-authorized recipients, public data sources, or external dependencies rather than FixedOps Innovations subprocessors.

8. Data Retention and Deletion

FixedOps Innovations will retain Client Data, Customer Information, and Personal Information only as reasonably necessary to provide, support, secure, monitor, improve, and administer the Services, comply with legal or regulatory obligations, resolve disputes, maintain security and audit records, support incident response, preserve legitimate business records, and meet applicable contractual obligations.

Following termination or expiration of the applicable Activation Agreement, FixedOps Innovations will delete or de-identify Client Data, Customer Information, and Personal Information in accordance with FixedOps Innovations' then-current data retention practices, unless retention is required or permitted by law, contractual obligation, backup or archive practices, security needs, audit requirements, dispute resolution needs, tax/accounting requirements, insurance requirements, or other legitimate business purposes.

Backup copies may persist until overwritten, expired, or deleted according to applicable backup lifecycle rules. FixedOps Innovations is not required to delete information from immutable, archived, or operational backups before the ordinary expiration of those backups, provided such information remains protected and is not restored except as necessary for business continuity, security, legal, compliance, or operational purposes.

9. Data Export

Upon Client's reasonable written request made before termination or within a reasonable period after termination of the applicable Activation Agreement, FixedOps Innovations will make commercially reasonable efforts to provide Client with an export of Client Data then available in the Services, in a format reasonably determined by FixedOps Innovations, to the extent technically available, legally permitted, and not inconsistent with FixedOps Innovations' security, contractual, legal, or operational obligations.

FixedOps Innovations is not required to create custom reports, recreate deleted information, extract information from backups, provide information that is not reasonably available, or disclose information that would compromise FixedOps Innovations security, another customer, third-party information, trade secrets, confidential architecture, or legal obligations.

10. Client Responsibilities

Client is responsible for obtaining and maintaining all rights, permissions, authorizations, notices, and consents necessary for FixedOps Innovations to process Client Data, Customer Information, and Personal Information as contemplated by the MSA, the applicable Activation Agreement, and this DPSA.

Client is responsible for the accuracy, completeness, legality, and appropriateness of Client Data, Customer Information, and Personal Information made available to FixedOps Innovations, and for managing access by Client's Authorized Users.

Client remains responsible for Client-managed systems, Client-controlled Management Software, Client-side workflows, Client-authorized recipients, Client personnel, Client devices, Client network access, and Client decisions or instructions provided to FixedOps Innovations.

11. Personnel and Contractor Confidentiality

FixedOps Innovations will limit access to Client Data, Customer Information, and Personal Information to personnel, contractors, service providers, and subprocessors who have a legitimate need to access such information for the purpose of providing, supporting, securing, monitoring, improving, or administering the Services.

FixedOps Innovations will require personnel and contractors with access to Client Data, Customer Information, or Personal Information to be subject to confidentiality obligations appropriate to the nature of the information and their role.

12. Security Documentation and Compliance Information

Upon reasonable written request, FixedOps Innovations may make available summary information regarding FixedOps Innovations' information security practices and safeguards relevant to the Services.

Following completion of applicable audits or assessments, FixedOps Innovations may make available SOC 2 or similar compliance reports, summaries, security questionnaires, or other compliance information, subject to confidentiality obligations, access restrictions, and any limitations reasonably imposed by FixedOps Innovations, its service providers, or the applicable auditor.

FixedOps Innovations may withhold or limit disclosure of information that could compromise the security of the Services, reveal confidential technical architecture, expose vulnerabilities, disclose third-party confidential information, or interfere with FixedOps Innovations' legal, security, or compliance obligations.

13. Aggregated and De-Identified Information

FixedOps Innovations may create, use, retain, and disclose aggregated, anonymized, or de-identified information derived from use of the Services for analytics, service improvement, security, reporting, product development, benchmarking, or other legitimate business purposes, provided the information does not identify Client, Client's customers, individual users, or specific individuals.

14. Relationship to MSA

This DPSA supplements the MSA and applicable Activation Agreement. If there is a conflict between this DPSA and the MSA with respect to data processing, privacy, or security matters, this DPSA will control only with respect to that subject matter, unless the applicable Activation Agreement expressly states otherwise.

15. Survival

FixedOps Innovations' obligations regarding confidentiality, protection, retention, deletion, and permitted use of Client Data, Customer Information, and Personal Information will survive termination or expiration of the MSA or applicable Activation Agreement for so long as FixedOps Innovations retains such information.

Referenced Documents