Data Processing Agreement

This Data Processing Agreement ("DPA") supplements and is incorporated into the Modern BizOps Terms of Service (https://modernbizops.com/terms) between Modern BizOps LLC("Modern BizOps," "we," "us") and the client that accepts it ("Client," "you"). It governs our processing of Client Data that contains personal information. If the Terms and this DPA conflict on a data-protection matter, this DPA controls.

1. Definitions

Terms not defined here have the meaning given in the Terms or in applicable privacy law.

• Client Data means data you provide or that we retrieve from systems you connect, as described in the Terms.
• Personal Information means information within Client Data that identifies or relates to an identifiable individual, as defined by applicable privacy law (including the CCPA/CPRA and other US state privacy laws).
• Applicable Privacy Law means privacy and data-protection laws that apply to our processing of Personal Information under this DPA, including the California Consumer Privacy Act as amended by the CPRA, other US state privacy laws, and, where relevant to your industry, the Gramm-Leach-Bliley Act (GLBA) and SEC Regulation S-P.
• Process / Processing means any operation performed on Personal Information.
• Subprocessor means a third party we engage to process Personal Information on our behalf.
• Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information.

2. Roles of the parties

For Personal Information in Client Data, you are the controller / business and we are the processor / service provider. We process Personal Information only on your documented instructions, which include the Terms, this DPA, your Order, and your configuration and use of the Platform. We are not a "third party" under the CCPA/CPRA with respect to your Personal Information, and we do not "sell" or "share" it as those terms are defined.

If we believe an instruction violates Applicable Privacy Law, we will tell you and may pause that processing.

3. Scope of processing

The details of our processing are:

• Subject matter: delivery of the revenue operations audit, analysis, coaching, and related deliverables described in your Order.
• Duration: the term of your engagement, plus the return-or-deletion period in Section 11.
• Nature and purpose: accessing, collecting, organizing, analyzing, and reporting on Client Data to produce your deliverables, and operating and securing the Platform.
• Types of Personal Information: contact and professional details of your staff and customers, CRM and pipeline records, support and marketing records, transactional and financial records contained in connected systems, and access credentials for connected systems. The exact set depends on which systems you connect.
• Categories of data subjects: your personnel, your customers and prospects, and other individuals whose information appears in the systems you connect.

You are responsible for ensuring you have the right and any necessary notices or consents to provide Client Data to us and to connect the systems you choose.

4. Our obligations

We will:

(a) Purpose limitation. Process Personal Information only to provide the Services and for no other purpose. We will not retain, use, or disclose it outside our direct business relationship with you, and we will not combine it with data from other sources except to perform a service you have requested. We certify we understand and will comply with these restrictions (CCPA/CPRA service-provider certification).

(b) No sale or sharing. Never sell or share Personal Information, and never use it for cross-context behavioral advertising.

(c) Read-only where available. Request read-only access to connected systems wherever the integration supports it, consistent with our Security and Data Handling Overview.

(d) Confidentiality. Limit access to Personal Information to personnel who need it to deliver the Services and who are bound by confidentiality obligations.

(e) Security. Maintain administrative, technical, and physical safeguards appropriate to the risk, as described in our Security and Data Handling Overview (https://modernbizops.com/security), including encryption of Personal Information in transit and at rest, access controls, and credential protection. These safeguards are designed to meet the "reasonable security" standard under Applicable Privacy Law and, where your industry requires it, the safeguards expectations of the GLBA Safeguards Rule and SEC Regulation S-P.

(f) Assist with individual rights. Provide reasonable assistance, taking into account the nature of the processing, to help you respond to requests from individuals to access, correct, delete, or obtain a copy of their Personal Information, and to honor opt-outs. If we receive such a request directly, we will forward it to you rather than respond on your behalf, unless you instruct otherwise.

(g) Assist with compliance. Provide information reasonably necessary to help you meet your own obligations, including data protection assessments and regulatory inquiries, to the extent the information is within our control.

5. Subprocessors

You authorize us to use Subprocessors to provide the Services. We will:

• impose data-protection obligations on each Subprocessor that are no less protective than this DPA;
• remain responsible for each Subprocessor's performance; and
• maintain a current list of Subprocessors in our Security and Data Handling Overview and give you advance notice of any new Subprocessor that processes Personal Information, with a reasonable opportunity to object on reasonable data-protection grounds.

Artificial intelligence providers.Some Services use AI providers (currently including Anthropic, OpenAI, and Google) as Subprocessors. We use these providers through their business or enterprise API tiers. Under those tiers' terms, Personal Information we send is not used to train the providers' models, and the providers may use it only to return results to us. We will not enable any model-training use of your Personal Information without your prior consent.

6. Security Incidents

If we become aware of a Security Incident affecting your Personal Information, we will notify you without undue delay after we become aware of it. The notice will describe, to the extent known, the nature of the incident, the data and individuals affected, the likely consequences, and the measures taken or proposed. We will cooperate reasonably with your investigation and remediation. We aim to notify you quickly enough to help regulated clients meet their own notification deadlines, including the customer-notification timeline under SEC Regulation S-P. Our notice is not an acknowledgment of fault.

7. GLBA and SEC Regulation S-P (financial-industry clients)

Where you are a financial institution subject to the GLBA or an entity subject to SEC Regulation S-P, we acknowledge that Personal Information may include "nonpublic personal information" or "customer information" as those rules define it. With respect to that information we will: maintain safeguards appropriate to its sensitivity as described in Section 4(e); use and disclose it only as permitted by this DPA and as needed to deliver the Services; and support your service-provider oversight obligations by making our security documentation available for your due diligence and monitoring (Section 9). We do not become a financial institution or a regulated entity by performing the Services.

8. Professional and legal confidentiality clients

Where you are an attorney, accountant, or other regulated professional, Personal Information we process for you may be subject to professional privilege or confidentiality duties you owe your own clients. We will treat that information as Confidential Information, process it only as needed to deliver the Services, and not assert any right to use or disclose it that would be inconsistent with those duties. Nothing here waives any privilege.

9. Audit and oversight

To support your due-diligence and monitoring obligations, we will, on reasonable request and no more than once per year unless a regulator or a Security Incident requires otherwise: provide our current Security and Data Handling Overview and any security certifications or summaries we maintain; respond to a reasonable written security questionnaire; and make a knowledgeable representative available to discuss our controls. Any audit will respect our confidentiality and security obligations to other clients and will not require access to our systems or other clients' data.

10. International transfers

We process and store Personal Information in the United States. If you direct us to process data subject to non-US transfer requirements, the parties will put any additional terms in place that the law requires before that processing begins.

11. Return and deletion

On termination or expiration of your engagement, or earlier on your written request, we will return or delete Personal Information in our possession within 30 days, at your choice, except for copies we are required to retain by law or that exist in routine backups, which we will protect and delete on our normal cycle. On request, we will confirm deletion in writing.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms. This DPA does not expand either party's aggregate liability beyond those limits.

13. Term and order of precedence

This DPA takes effect when you accept it (by clickwrap or signature) and continues while we process Personal Information for you. It survives termination of the Terms until all Personal Information is returned or deleted. On any data-protection matter, this DPA prevails over the Terms and any Order.

Acceptance

Clickwrap. By accepting the Terms of Service at account creation, you accept this DPA. We record the version you accepted and the date and time of acceptance.

Countersigned (on request). Regulated clients who require a signed copy may execute below. A signed copy supplements, and does not replace, your clickwrap acceptance.