Data Processing Agreement
How Rivolq processes Customer Personal Data on behalf of Customer when providing the Service, including the EU Standard Contractual Clauses, the UK Addendum, the sub-processor list, and the CCPA service-provider commitments.
Last updated: May 16, 2026
1. Parties, Effective Date, and Order of Precedence
This Data Processing Agreement ("DPA") is entered into between the Customer identified in the order form or self-service signup ("Customer") and Rivolq LLC, Monroe, Louisiana ("Rivolq"). It supplements and forms part of the Terms of Service or other written agreement between the parties governing Customer's use of the Service (the "Principal Agreement").
This DPA takes effect on the effective date of the Principal Agreement. In the event of a conflict between this DPA and the Principal Agreement with respect to the processing of Personal Data, this DPA controls. The Annexes form an integral part of this DPA.
Where the Service is used to process Personal Data subject to the EU or UK GDPR, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor), are incorporated by reference and the elections set out in Section 8 apply. The UK International Data Transfer Addendum (Version B1.0, 2022) is incorporated by reference for transfers subject to UK GDPR. For transfers from Switzerland, the EU SCCs apply with the adaptations required by the Swiss Federal Act on Data Protection.
2. Definitions
Capitalized terms not defined here have the meaning given in the Principal Agreement or in applicable Data Protection Law.
- "Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Principal Agreement, including the EU GDPR, UK GDPR, the Swiss Federal Act on Data Protection, the CCPA/CPRA and other US state privacy statutes, and PIPEDA.
- "Personal Data" means any information that constitutes "personal data," "personal information," or an equivalent term under Data Protection Law that is processed by Rivolq on behalf of Customer through the Service.
- "Processing" has the meaning given in applicable Data Protection Law and includes any operation performed on Personal Data, whether or not by automated means.
- "Controller," "Processor," "Data Subject," "Business," "Service Provider," and "Sub-processor" have the meanings given in applicable Data Protection Law.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
3. Roles, Scope, and Customer Instructions
For Personal Data processed through the Service, Customer is the Controller (and, under CCPA, the Business) and Rivolq is the Processor (and Service Provider). Each party will comply with its obligations under Data Protection Law.
Rivolq will process Personal Data only:
- To provide the Service in accordance with the Principal Agreement, this DPA, and Customer's reasonable, documented instructions;
- As required by law (in which case Rivolq will inform Customer of the legal requirement before processing, unless prohibited by law);
- Or as otherwise permitted by Data Protection Law in its capacity as Processor or Service Provider.
The Principal Agreement, this DPA, the Service's configuration, and Customer's ordinary use of the Service constitute Customer's documented instructions. Rivolq will inform Customer if, in Rivolq's reasonable opinion, an instruction infringes Data Protection Law.
Annex I describes the subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Personal Data processed.
4. Customer Obligations and Restrictions
Customer represents and warrants that:
- It has and will maintain a lawful basis to collect Personal Data and to disclose it to Rivolq for processing under this DPA;
- It has provided all required notices to, and obtained all required consents from, Data Subjects;
- It will respond to Data Subject requests as Controller and will use the rights-related tools and APIs that the Service exposes;
- It is responsible for configuring the Service (roles, retention policies, integrations, and SSO) in compliance with Data Protection Law and for the security of credentials it issues to Authorized Users;
- It will not submit, and will not permit any Authorized User to submit, GDPR Article 9 special-category data, criminal-conviction data, Personal Data of children under 16, full payment card numbers or bank account numbers, government-issued identifiers, or other restricted data unless separately agreed in writing.
5. Rivolq Obligations
Rivolq will:
- Process Personal Data only on Customer's documented instructions and as permitted by Section 3;
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations;
- Implement and maintain the technical and organizational measures set out in Annex II;
- Assist Customer in fulfilling its obligations to respond to Data Subject requests (Section 7) and to maintain security, breach notification, and (where required) data protection impact assessments and prior consultations (Section 6 and Section 9);
- At Customer's choice, delete or return all Personal Data on termination of the Principal Agreement, subject to retention required by law and Section 10;
- Make available the information reasonably necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 9.
6. Personal Data Breach
Rivolq will:
- Notify Customer without undue delay, and in any event within 72 hours of confirming a Personal Data Breach affecting Customer's Personal Data;
- Provide, as available and on a rolling basis, the nature of the Breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the Breach and mitigate adverse effects;
- Cooperate with Customer's reasonable investigation and remediation;
- Document Personal Data Breaches, including the facts, effects, and remedial actions taken.
Rivolq's notification of a Personal Data Breach is not an acknowledgement of fault or liability. Routine unsuccessful access attempts, port scans, and similar activity that does not result in unauthorized access to Personal Data are not Personal Data Breaches.
7. Data Subject Requests
Taking into account the nature of the processing, Rivolq will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Law. The Service provides Customer with self-service tools to access, correct, export, and delete Personal Data within a workspace.
If Rivolq receives a request directly from a Data Subject relating to Personal Data that Rivolq processes on behalf of Customer, Rivolq will, unless legally prohibited, promptly redirect the request to Customer and will not respond to the request directly except on Customer's instruction.
8. International Transfers
Rivolq currently hosts production Personal Data in the United States. Where Customer transfers Personal Data subject to EU GDPR, UK GDPR, or Swiss data protection law to Rivolq in the United States, the parties rely on the following safeguards:
- EU SCCs, Module Two (controller to processor) for EU transfers. For the purposes of the SCCs: (i) Clause 7 (docking) applies; (ii) Clause 9 option 2 (general written authorization) applies with the 30-day notice period set out in Section 11; (iii) Clause 11 does not include the optional independent dispute-resolution mechanism; (iv) Clause 17 option 1 applies, with the law of Ireland as the governing law; (v) Clause 18(b) selects the courts of Ireland; (vi) Annexes I, II, and III to the SCCs are populated by Annexes I, II, and III to this DPA.
- The UK International Data Transfer Addendum (Version B1.0, 2022) applies to UK transfers and incorporates the SCCs above; in the event of conflict, the Addendum controls for UK transfers.
- For Swiss transfers, the EU SCCs apply with these adaptations: references to "Member State" are not to be read as preventing Data Subjects in Switzerland from bringing claims in their place of habitual residence; the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority; and the former extension of SCC protections to the data of legal entities applied only until the revised Swiss Federal Act on Data Protection entered into force, which occurred on 1 September 2023.
If a change in sub-processors or infrastructure requires processing outside the regions described in Annex III, Rivolq will give Customer advance notice and ensure appropriate safeguards consistent with Data Protection Law.
9. Security, Audits, and Compliance Verification
Rivolq will implement and maintain the technical and organizational measures set out in Annex II. Rivolq will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA. Customer's audit rights may be satisfied through:
- Rivolq's written responses to reasonable security and compliance questionnaires;
- A current Security Overview document and the Trust Center;
- Third-party audit reports, penetration test summaries, and certifications when available (see Annex II § 12 for the current compliance roadmap).
If the above is not sufficient to demonstrate compliance with this DPA, or where required by a supervisory authority or following a verified Personal Data Breach materially affecting Customer, Customer (or an independent third-party auditor reasonably acceptable to both parties and bound by confidentiality) may conduct a remote audit on at least 30 days' written notice, no more than once per 12-month period (except following a Breach or where required by Data Protection Law), during normal business hours, and in a manner that does not interfere unreasonably with Rivolq's operations. The auditor will not access other customers' data, source code, or facilities. Customer bears the cost of the audit unless it reveals a material non-compliance with this DPA, in which case Rivolq will bear the reasonable costs of the audit and of remediation.
10. Return and Deletion of Personal Data
On expiry or termination of the Principal Agreement, Rivolq will, at Customer's choice exercised within 30 days of termination, return Personal Data to Customer through the Service's export functionality or delete it.
- Customer may export Personal Data through the Service for 30 days after termination;
- After the export period, Rivolq will delete Personal Data from active systems within an additional 30 days;
- Audit and security logs may be retained for up to 12 months after termination for security and compliance purposes, after which they are deleted or anonymized;
- Backups are rotated according to the hosting provider's standard schedule (typically up to 30 days) and are protected by access controls until rotated.
Rivolq is not required to delete Personal Data to the extent retention is required by law, in which case Rivolq will continue to protect the data in accordance with this DPA until deletion is permitted.
11. Sub-processors
11.1 General Authorization
Customer grants Rivolq a general authorization to engage Sub-processors to provide the Service. A current list of Sub-processors is maintained in Annex III and on the Trust Center.
11.2 Notice and Objection
Rivolq will give Customer at least 30 days' advance notice of any addition or replacement of a Sub-processor through the Trust Center and by notice to the administrative contact on the Customer's account. Customer may reasonably object on data-protection grounds within that period. The parties will work in good faith to resolve the objection. If they cannot, Customer may terminate the affected portion of the Service on written notice, and Rivolq will refund prepaid, unused fees for that portion for the remainder of the then-current term.
11.3 Sub-processor Obligations
Rivolq will impose on each Sub-processor data-protection obligations no less protective than those imposed on Rivolq under this DPA, and remains liable to Customer for the performance of each Sub-processor's obligations under this DPA.
12. AI Processing
Customer authorizes Rivolq to send prompts that may include Personal Data to its AI Sub-processor for the purpose of generating responses that the Service displays to Customer. Rivolq has commercial arrangements with Anthropic under which data submitted through the API is not used to train Anthropic's generally available models. Where Customer enables the "bring-your-own-key" option, Customer's chosen AI provider acts as a Sub-processor of Customer, not of Rivolq, and Customer is responsible for the agreement with that provider.
13. CCPA / CPRA Service-Provider Terms
Annex IV contains the service-provider commitments required by the CCPA/CPRA and supplements this DPA where Customer is a "Business" subject to those laws.
14. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Principal Agreement. To the extent applicable Data Protection Law (including the SCCs) does not permit a party's liability to Data Subjects to be limited, those exclusions and limitations do not restrict that liability. Liability between the parties is otherwise governed by the Principal Agreement.
15. Term, Survival, and Conflict
This DPA is effective from the effective date of the Principal Agreement and continues until Rivolq ceases to process Personal Data on behalf of Customer. Sections 6 (Personal Data Breach), 8 (International Transfers, with respect to retained data), 9 (Audits, for one year), 10 (Return and Deletion), 13 (CCPA / CPRA), and 14 (Liability) survive termination. In the event of a conflict, the order of precedence is: (1) the SCCs and UK Addendum, (2) this DPA, (3) Annex IV (CCPA), (4) the Principal Agreement.
16. Governing Law
This DPA is governed by the laws of the State of Louisiana, USA, consistent with the Principal Agreement, except that the SCCs and UK Addendum are governed as set out in those instruments. Where Data Protection Law requires the application of a particular jurisdiction's law to a particular processing activity, that law applies to that activity to the extent required.
17. Notices
Privacy and data-protection notices to Rivolq: privacy@rivolq.com. Security incidents: security@rivolq.com. Notices to Customer may be sent to the administrative email address on the Customer's account.
Annex I — Description of Processing
A. List of Parties
Data Exporter (Controller): The Customer identified in the order form or self-service signup. Contact: the administrator email associated with the Customer's organization in the Service.
Data Importer (Processor): Rivolq LLC, Monroe, Louisiana. Privacy contact: privacy@rivolq.com.
B. Description of Transfer
| Subject matter | Processing of Personal Data as necessary to provide the Rivolq facility asset management and risk intelligence platform. |
|---|---|
| Duration | For the term of the service agreement, plus the retention periods set out in Section 9 of the Privacy Policy. |
| Nature and purpose | Hosting, transmitting, storing, indexing, computing risk analytics on, and otherwise processing Personal Data to operate, secure, and improve the Service; transactional communications; AI-assisted analysis; customer support. |
| Frequency of transfer | Continuous, on demand, for the term of the service agreement. |
| Categories of data subjects | Customer administrators and Authorized Users; facility maintenance personnel and technicians; vendors and contractors entered into the workspace; tenants, occupants, and other building users who submit maintenance requests through the public request portal; individuals who contact Customer through Rivolq-hosted forms. |
| Categories of Personal Data | Identity (name, business email, role); authentication data (password hash, MFA secrets, WebAuthn credential metadata, SSO identifiers); device, session, and usage data (IP, user-agent, device identifiers, push notification tokens, derived approximate country); facility and asset data including any Personal Data Customer chooses to include; vendor and contractor contact data; maintenance request content; file uploads (including photos and PDFs); communications data (support cases and email metadata); audit log entries; AI prompt and completion metadata. |
| Special categories of data | None expected. Customer is contractually prohibited from submitting GDPR Article 9 special-category data, children's data, government identifiers, or full payment card numbers without a separate written agreement. |
| Recipients | Sub-processors listed in Annex III; Customer's Authorized Users with appropriate roles; competent authorities upon legally valid request. |
| Retention | As set out in Section 9 of the Privacy Policy and Section 10 (Return and Deletion of Personal Data) of this DPA. |
C. Competent Supervisory Authority
Where the Customer is established in the EEA, the competent authority is the supervisory authority of the EU Member State in which the Customer is established, or, where the Customer is not established in the EEA, the supervisory authority of the Member State in which the Customer's EU representative is located, or otherwise the Irish Data Protection Commission as a default fallback. Where the Customer is established in the UK, the Information Commissioner's Office (ICO). Where the Customer is established in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC).
Annex II — Technical and Organizational Measures
Rivolq implements and maintains the following technical and organizational measures, reviewed at least annually:
1. Pseudonymization and Encryption
- TLS 1.2 or higher for all data in transit between clients, edge, and origin.
- Encryption at rest as provided by the underlying infrastructure (PostgreSQL on Heroku and object storage on Supabase).
- Passwords stored only as bcrypt hashes; AI provider keys (for bring-your-own-key) and other application secrets encrypted at the application layer using authenticated encryption with keys derived from an environment-injected master secret.
- Production secrets stored in the hosting platform's encrypted environment store; never committed to source control.
2. Confidentiality, Integrity, Availability, and Resilience
- Multi-tenant isolation enforced at the application layer (organization-scoped queries) and at the database layer (PostgreSQL row-level security).
- Role-based access control with least privilege for Authorized Users; separate elevated-privilege "support" and "superuser" roles for Rivolq personnel, with explicit, audited bypass and a documented business reason required for any access to Customer Data.
- Multi-factor authentication available to all users (TOTP and WebAuthn / passkeys); enterprise SSO via Google, Microsoft Entra ID, and SAML; configurable MFA enforcement.
- Rate limiting on authentication endpoints and bot mitigation (Cloudflare Turnstile) on signup and other sensitive flows.
- Centralized, rotated audit logging of authentication and administrative events.
- CSRF tokens; signed session cookies carrying the HttpOnly, Secure, and SameSite attributes; security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy).
- High-availability hosting on managed platforms with redundant infrastructure and automated daily backups.
- Error and performance monitoring via Sentry; structured application logs.
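As an added illustration of the database-layer isolation named in this section (example added by the editor, not Rivolq's schema or code), the following shows the PostgreSQL row-level security pattern in which every query is scoped to the tenant set on the current transaction. The table, column, role, and setting names (`assets`, `organization_id`, `support_role`, `app.current_org`) and the sample UUID are assumptions chosen for the example.

```sql
-- Added example, not Rivolq's schema: tenant isolation with PostgreSQL
-- row-level security. Table, column, role and setting names are assumptions.
CREATE TABLE assets (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    name            text NOT NULL
);

-- ENABLE turns RLS on; FORCE also applies it to the table owner, so an
-- application role that happens to own the table cannot silently bypass it.
ALTER TABLE assets ENABLE ROW LEVEL SECURITY;
ALTER TABLE assets FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL instead of raising when the
-- setting is absent, and a NULL comparison matches nothing: a session that
-- forgot to set its tenant sees zero rows rather than every tenant's rows.
CREATE POLICY assets_tenant_isolation ON assets
    USING (organization_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org', true)::uuid);

-- Per-request pattern in the application: set the tenant with SET LOCAL so
-- it is bound to this transaction and cannot leak into a pooled connection.
BEGIN;
SET LOCAL app.current_org = '0b4a3e5e-1f2b-4c3d-9a8e-123456789abc';
SELECT id, name FROM assets;                       -- only this organization's rows
INSERT INTO assets (organization_id, name)
    VALUES ('0b4a3e5e-1f2b-4c3d-9a8e-123456789abc', 'AHU-3');   -- passes WITH CHECK
COMMIT;

-- Elevated support access is a separate role with BYPASSRLS, so every bypass
-- is an explicit, loggable role switch rather than an ambient privilege.
CREATE ROLE support_role NOLOGIN BYPASSRLS;
```

Two checks a practitioner should make when reviewing this kind of control: the application must connect as an ordinary role (PostgreSQL superusers and roles with BYPASSRLS are never subject to policies, so a superuser application connection defeats the whole mechanism), and the tenant setting must be established with SET LOCAL inside each transaction rather than SET on the session, otherwise a connection returned to a pool can carry one tenant's scope into another tenant's request.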
3. Restoration of Availability
- Automated daily database backups retained per host provider rotation (typically up to 30 days).
- Documented recovery procedures with periodic restoration testing.
- The application tier is stateless, so failed instances can be replaced and capacity scaled horizontally without data loss; all durable state is held in the managed database and object store, and an application-tier failure loses nothing beyond in-flight requests not yet committed to the database.
4. Regular Testing and Evaluation
- Static application security testing and linting on every change.
- Code review required for all production changes.
- Vulnerability monitoring of third-party dependencies and a documented patching cadence; emergency patching for high-severity vulnerabilities.
- Annual third-party penetration testing of the production Service is planned as part of the SOC 2 readiness program (see item 12 below); it is a roadmap item and not yet a control in place.
5. User Identification and Authorization
- Unique user accounts; no shared logins. Service accounts have separately scoped API keys with hashed-at-rest storage and audit logging of token issuance and revocation.
- Configurable session timeouts; account lockout on repeated failed authentication; mandatory password complexity.
6. Protection of Data in Transit and at Rest
See Section 1 above. Object storage (floor plans, attachments, exports) is accessed only through short-lived signed URLs scoped to the requesting Authorized User's organization.
7. Physical Security
Production infrastructure is hosted in third-party data centers operated by Heroku (Salesforce) and Supabase, which maintain physical security controls including 24/7 staffing, biometric or badge-based access controls, camera surveillance, and environmental protections. Rivolq personnel do not have physical access to production infrastructure.
8. Logging and Monitoring
- Authentication, administrative actions, exports, deletions, and elevated-privilege access are recorded in tamper-resistant audit logs.
- Real-time error and exception monitoring with on-call rotation for severity-1 alerts.
- Workspace-level audit trail exposed to Customers ("Decision Ledger" and activity logs).
9. Personnel Security
- Confidentiality obligations in employment and contractor agreements.
- Security and privacy training on hire and at least annually.
- Access provisioned on the principle of least privilege; access reviewed periodically and revoked on role change or departure.
10. Vendor and Sub-processor Management
Rivolq evaluates sub-processors for adequacy of security and privacy controls and imposes contractual commitments at least as protective as those in this DPA. The current list of sub-processors is in Annex III.
11. Incident Response
- Documented incident-response procedure with defined roles, containment, eradication, and recovery steps.
- Breach notification within 72 hours of confirmation, as set out in Section 6 of the DPA body.
- Post-incident review with root-cause analysis and corrective actions.
12. Compliance Roadmap
Rivolq is currently executing a SOC 2 Type I readiness program with the intent to pursue SOC 2 Type II attestation. Rivolq is not currently SOC 2, ISO 27001, HIPAA, or PCI-DSS certified, and does not represent otherwise. The Trust Center publishes the current status of these initiatives.
Annex III — Sub-processors
Rivolq engages the following sub-processors to process Personal Data in connection with the Service. Rivolq will give at least 30 days' advance notice of any new or replacement sub-processor through the Trust Center and to the administrative contact on the Customer's account.
| Sub-processor | Service | Personal Data | Hosting region |
|---|---|---|---|
| Heroku (Salesforce, Inc.) | Application hosting, managed PostgreSQL | All Customer Data | United States |
| Supabase, Inc. | Object storage for attachments, floor plans, exports | Customer Data files | United States |
| ZeptoMail (Zoho Corporation) | Transactional email delivery | Recipient name, email, message content | United States |
| Anthropic, PBC | AI language model processing for Facility Intelligence | Prompt content (which may include facility data and free-text questions), system metadata | United States |
| Sentry (Functional Software, Inc.) | Error monitoring and performance | IP address, error context, user agent, user ID | United States |
| Netlify, Inc. | Frontend hosting and CDN | IP address, access logs | United States / Global edge |
| Cloudflare, Inc. | Bot mitigation (Turnstile) and edge protection on selected forms | IP address, challenge metadata | Global edge |
| Google LLC | OAuth-based SSO and (optionally) Places address autocomplete | OIDC identifiers and email, address autocomplete queries | United States |
| Microsoft Corporation | Entra ID OAuth-based SSO | OIDC identifiers and email | United States / global |
| Mapbox, Inc. | Address autocomplete (where enabled) | Address autocomplete queries | United States |
| OpenWeather Ltd. | Weather data for facility locations | Facility coordinates only; no Personal Data | United Kingdom |
| MaxMind, Inc. | GeoLite2 City database for IP-to-country lookup | IP address (processed locally; no transfer to MaxMind beyond database updates) | United States |
| Expo, Inc. | Mobile push notification delivery (Expo Push) and crash reporting | Expo push notification tokens, device metadata | United States |
| Apple, Inc. / Google LLC | Operating-system push notification networks (APNs / FCM) reached via Expo Push | Push tokens routed for delivery | Global |
Optional sub-processors (Google Places, Mapbox, Microsoft, OpenWeather) are engaged only where the corresponding feature or integration is enabled in the Customer workspace.
Annex IV — California Service-Provider Addendum
This Annex applies to Personal Information of California residents that Rivolq processes on behalf of Customer. Rivolq is a "Service Provider" as defined in the CCPA/CPRA. Rivolq will not:
- Sell or share Personal Information for cross-context behavioral advertising;
- Retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the service agreement and this DPA, including not retaining, using, or disclosing Personal Information outside of the direct business relationship between Rivolq and Customer;
- Combine Personal Information received from or on behalf of Customer with Personal Information received from or on behalf of any other party, except as permitted by Cal. Code Regs. tit. 11, § 7050(b)(4).
Rivolq certifies that it understands these restrictions and will comply with them, and will provide the same level of privacy protection as required by the CCPA/CPRA. Customer has the right, upon reasonable notice, to take reasonable and appropriate steps to ensure Rivolq uses Personal Information consistent with Customer's obligations under the CCPA/CPRA, and to remediate unauthorized use. Rivolq will notify Customer if it makes a determination it can no longer meet its obligations under the CCPA/CPRA.
© 2026 Rivolq LLC. All rights reserved.