DATA PROCESSING ADDENDUM (DPA)

This Data Processing Addendum ("DPA") forms part of the Terms of Service and any applicable agreement between Wild RiverDog Development Group, LLC, a Texas limited liability company ("Processor," "Company," "GrowthForgeOS™," "we," "us," or "our"), and the customer, business, organization, or entity using the Services ("Controller," "Customer," or "you").

This DPA applies whenever Customer uploads, stores, transmits, processes, manages, or otherwise makes available Personal Data through GrowthForgeOS™.

1. PURPOSE

The purpose of this DPA is to define the responsibilities of the parties regarding the processing of Personal Data and to establish terms that comply with applicable data protection laws, including:

• General Data Protection Regulation (GDPR)

• UK GDPR

• Data Protection Act 2018

• California Consumer Privacy Act (CCPA)

• California Privacy Rights Act (CPRA)

• Other applicable privacy and data protection laws

2. DEFINITIONS

For purposes of this DPA:

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Processor" means the entity that processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, whether automated or manual.

"Data Subject" means the individual to whom Personal Data relates.

"Subprocessor" means any third party engaged by Processor to assist in providing the Services.

3. RELATIONSHIP OF THE PARTIES

The parties acknowledge and agree that:

• Customer acts as the Data Controller.

• GrowthForgeOS™ acts as the Data Processor.

• Customer determines the purposes and means of processing Personal Data.

• GrowthForgeOS™ processes Personal Data solely on Customer's behalf.

Nothing in this DPA shall be interpreted as creating joint-controller status between the parties.

4. CUSTOMER RESPONSIBILITIES

Customer represents and warrants that it:

• Has lawful authority to collect Personal Data.

• Has provided all legally required notices.

• Has obtained all legally required consents.

• Has established a lawful basis for processing.

• Has authority to transfer Personal Data to Processor.

• Complies with applicable privacy laws.

Customer is solely responsible for:

• Privacy notices

• Consent collection

• Marketing permissions

• Data subject rights compliance

• Lawful processing requirements

• Regulatory compliance obligations

5. PROCESSOR OBLIGATIONS

Processor shall:

• Process Personal Data only to provide the Services.

• Process Personal Data in accordance with Customer instructions.

• Implement commercially reasonable security measures.

• Limit access to authorized personnel.

• Require personnel with access to Personal Data to maintain confidentiality.

• Assist Customer with applicable privacy obligations where reasonably required.

Processor shall not sell Customer Personal Data.

6. NATURE OF PROCESSING

Processor may process Personal Data for purposes including:

• CRM functionality

• Contact management

• Marketing automation

• Email communications

• SMS communications

• Appointment scheduling

• Funnel operation

• Website functionality

• Membership functionality

• Customer support

• Workflow automation

• AI-powered features

• Analytics

• Reporting

• Service delivery

7. CATEGORIES OF PERSONAL DATA

Depending upon Customer's use of the Services, Personal Data may include:

• Names

• Email addresses

• Telephone numbers

• Mailing addresses

• IP addresses

• Business information

• Contact records

• Communication history

• Marketing preferences

• Customer notes

• Appointment information

• User-generated content

Customer determines what Personal Data is submitted.

8. SPECIAL CATEGORIES OF DATA

Customer agrees not to upload or process:

• Protected health information (PHI)

• Biometric identifiers

• Social Security numbers

• Passport numbers

• Government identification numbers

• Financial account credentials

• Sensitive personal information

unless expressly authorized in writing by Processor.

GrowthForgeOS™ is not intended for HIPAA-regulated data unless a separate written agreement expressly authorizes such use.

9. SECURITY MEASURES

Processor shall maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against:

• Unauthorized access

• Unauthorized disclosure

• Accidental loss

• Destruction

• Alteration

• Misuse

Security measures may include:

• Access controls

• Authentication systems

• Encryption where appropriate

• Logging and monitoring

• Vendor security reviews

• Secure infrastructure providers

No system can guarantee absolute security.

10. SUBPROCESSORS

Customer acknowledges and agrees that Processor may utilize Subprocessors to provide the Services.

Current Subprocessors may include, without limitation:

• GoHighLevel

• LeadConnector

• Amazon Web Services (AWS)

• Google Cloud

• Google Workspace

• OpenAI

• Anthropic

• Meta

• Stripe

• Twilio

• Mailgun

• SendGrid

• Cloudflare

• Zoom

• Calendly

• Analytics providers

• Hosting providers

• Customer support providers

Processor may add, replace, or remove Subprocessors as necessary to operate the Services.

11. INTERNATIONAL DATA TRANSFERS

Customer acknowledges that Personal Data may be processed in:

• United States

• European Union

• United Kingdom

• Other countries where Processor or Subprocessors operate

Customer authorizes such transfers as necessary to provide the Services.

Where required, Processor shall rely upon legally recognized transfer mechanisms.

12. DATA SUBJECT REQUESTS

To the extent legally required and reasonably feasible, Processor will assist Customer in responding to:

• Access requests

• Correction requests

• Deletion requests

• Restriction requests

• Portability requests

• Objection requests

Customer remains solely responsible for responding to such requests.

13. SECURITY INCIDENTS

In the event Processor becomes aware of a confirmed Security Incident affecting Customer Personal Data, Processor will:

• Investigate the incident.

• Take reasonable steps to mitigate harm.

• Notify Customer without undue delay when legally required.

• Provide available information reasonably necessary to assist Customer.

Processor does not guarantee detection of every security event.

14. AUDITS

Customer acknowledges that GrowthForgeOS™ is a shared SaaS platform.

Processor is not obligated to allow onsite audits.

Reasonable security documentation may be provided upon written request when legally required.

15. DATA RETENTION

Processor shall retain Personal Data only as necessary:

• To provide the Services.

• To comply with legal obligations.

• To enforce agreements.

• To resolve disputes.

Upon termination of Services:

• Customer is responsible for exporting its data.

• Processor may delete Customer data after applicable retention periods.

• Recovery of deleted data may not be possible.

16. LIMITATION OF LIABILITY

The liability limitations contained in the Terms of Service apply to this DPA and are incorporated herein by reference.

Nothing in this DPA expands Processor's liability beyond the limitations stated in the Terms of Service.

17. TERM

This DPA remains effective for so long as Processor processes Personal Data on behalf of Customer.

18. ORDER OF PRECEDENCE

If a conflict exists between this DPA and the Terms of Service regarding Personal Data processing, this DPA shall control solely with respect to Personal Data processing obligations.

All other provisions of the Terms of Service remain in full force and effect.

19. CONTACT INFORMATION

Questions regarding this DPA may be directed to:

Wild RiverDog Development Group, LLC

14900 Avery Ranch Blvd., Suite C200

Austin, Texas 78717

[email protected]

20. INCORPORATION BY REFERENCE

This Data Processing Addendum is incorporated into and made part of the GrowthForgeOS™ Terms of Service.

By using GrowthForgeOS™, Customer acknowledges and agrees to this DPA.