Data Processing Addendum

Between Consumer Dividends Holding Corp ("Processor") and the Customer identified below ("Controller")

This Data Processing Addendum ("DPA") supplements the master Terms of Service between Controller and Processor and forms part of the agreement governing Controller's use of the Processor's products (Numidian, ListingPro, or others as applicable). It applies whenever Processor processes personal data on behalf of Controller.

In case of conflict between this DPA and the master Terms of Service with respect to personal data processing, this DPA controls.

1. Definitions

Terms used in this DPA have the meaning given to them in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable data protection laws. Where those laws use different terms for the same concept (controller vs. business; processor vs. service provider), the equivalent applies.

2. Subject matter and duration

Processor processes personal data on behalf of Controller for the duration of Controller's subscription or paid access term, plus any post-termination retention required to deliver final outputs or comply with law. The subject matter is the operation of the Processor's products and the support functions surrounding them.

3. Nature and purpose of processing

Processor processes personal data only:

• To deliver the product to Controller (generate reports, deliver outputs, store history per the applicable tier).
• To provide support when Controller requests it.
• To bill, account, and comply with legal obligations.
• To improve aggregate, non-identifying usage patterns (no personal data used for this).

Processor does not use personal data submitted by Controller to train, fine-tune, or improve any language model.

4. Categories of data and data subjects

Numidian: case facts about employment situations, which may reference individuals (employees, applicants, decision-makers). Data subjects include those individuals as well as the Controller's own personnel and clients.

ListingPro: property details, which may reference owners, buyers, agents, and other parties involved in a transaction.

Across products, Processor also processes:

• Controller's account and billing information (email address, payment reference).
• Controller's usage patterns at the aggregate level.

Special category data (GDPR Article 9) should not be submitted to either product. Where Controller chooses to submit it (for example, a Numidian case involving a disability accommodation), Controller represents that it has the lawful basis to do so.

5. Processor obligations

Processor agrees to:

a. Process only on documented instructions. Processor processes personal data only on Controller's documented instructions, including the master Terms of Service and this DPA. If Processor reasonably believes an instruction violates applicable law, Processor will notify Controller.

b. Ensure confidentiality. Processor ensures that any personnel authorized to process personal data are under an obligation of confidentiality.

c. Implement appropriate security measures. Processor maintains technical and organizational measures appropriate to the risk, including TLS encryption in transit, access controls, isolated databases per product, logging of access to production systems, and incident response procedures. A summary of measures is available on request.

d. Engage subprocessors only with notice. Processor's current subprocessors are listed in its public Subprocessor List. Processor may add or replace subprocessors with at least 30 days' prior notice (published on the Subprocessor List page or emailed to Controller's billing contact). Controller may object to a new subprocessor on reasonable grounds; if the parties cannot resolve the objection, Controller may terminate the affected service and receive a pro-rata refund.

e. Assist with data subject rights. Where Processor receives a request from a data subject relating to data Processor processes on Controller's behalf, Processor will forward the request to Controller without responding (other than to confirm receipt) and will assist Controller in responding within applicable legal deadlines.

f. Assist with security, breach, and impact assessment obligations. Processor will provide reasonable assistance with Controller's obligations under GDPR Articles 32-36 and equivalent laws, taking into account the nature of the processing.

g. Notify of personal data breach without undue delay. Processor will notify Controller within 72 hours of becoming aware of a personal data breach affecting Controller's data, with information sufficient to allow Controller to meet its own notification obligations.

h. Return or delete data. At the end of the service, Processor will, at Controller's option, return or delete all personal data, except where retention is required by law.

i. Demonstrate compliance. Processor will make available, on request and subject to confidentiality, the information necessary to demonstrate compliance with this DPA. Processor will permit audits (no more than once every 12 months absent a known breach), conducted at Controller's expense, on reasonable notice, during business hours, and without disrupting operations.

6. International transfers

Processor processes personal data primarily on infrastructure located in the United States. Where personal data of EU/UK data subjects is transferred to the US:

• Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and the parties agree to be bound by them. Where Controller is itself a processor, Module 3 applies instead.
• For UK transfers, the UK International Data Transfer Addendum to the EU SCCs is incorporated by reference.
• Processor will assist with transfer impact assessments on reasonable request.

If the parties' agreement is terminated due to an inability to transfer data lawfully, no penalty applies, and Processor will return or delete personal data per Section 5(h).

7. CCPA / CPRA terms

Processor is a "service provider" as defined in the CCPA. Processor:

• Does not sell personal information. Does not share personal information for cross-context behavioral advertising.
• Does not retain, use, or disclose personal information for any purpose other than the business purposes specified in the agreement.
• Does not combine personal information received from or on behalf of Controller with personal information from another source, except as expressly permitted by the CCPA.
• Will notify Controller if it determines it can no longer meet its obligations as a service provider.

8. Liability

The liability provisions in the master Terms of Service apply to claims arising under this DPA. Nothing in this DPA increases or expands Processor's liability beyond the master Terms of Service except to the minimum extent required by applicable law.

9. Term and termination

This DPA takes effect on the date the parties enter into their master agreement and remains in effect for as long as Processor processes personal data on Controller's behalf. Sections that by their nature should survive (security, breach notification, return or deletion, international transfers, liability) survive termination.

10. Order of precedence

In case of conflict between (a) this DPA, (b) the Standard Contractual Clauses incorporated under Section 6, and (c) the master Terms of Service, the order of precedence (highest to lowest) is: Standard Contractual Clauses, this DPA, master Terms of Service.

11. Signatures

Processor: Consumer Dividends Holding Corp

By: ________________________________

Name: Andrey Sawinski

Title: Founder

Date: _______________

Email: support@consumerdividends.com

Controller: ________________________________

By: ________________________________

Name: ________________________________

Title: ________________________________

Date: _______________

Email: ________________________________

To request a countersigned copy, email support@consumerdividends.com with this completed form attached.