Effective as of April 20, 2026

This Data Processing Addendum (this “DPA”) forms part of and supplements the Rad CRM Terms of Service Agreement (the “Agreement”), the Website Terms of Use (the “Website Terms”), and the Rad CRM Privacy Policy (the “Privacy Policy”), eachbetween Rad CRM, LLC (“Processor”) and Customer (“Controller”), and applies to the extent Processor processes Personal Data on behalf of Controller in connection with the Service. Processor and Controller are each individually referred to herein as a “Party” and collectively as the “Parties.” Unless otherwise defined in this DPA, all capitalized terms used herein will have the meanings ascribed to them in the Agreement or, if not defined therein, the Website Terms or Privacy Policy, respectively.

RECITALS
WHEREAS, Processor and Controller have entered into and agreed to be bound by the terms of the Agreement;

WHEREAS, Controller has read, understands, and agrees to the Processor’s Website Terms and Privacy Policy; and

WHEREAS, the Parties wish to set forth the terms and conditions under which Controller gives Processor permission to Process certain data that the Controller submits to and through the Service.

NOW THEREFORE, in consideration of the mutual promises, covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt, adequacy, and sufficiency of which are hereby acknowledged, the Parties agree as follows.

ADDENDUM

1. Scope and Term

1.1. Role of the Parties
Customer is either a Controller of Customer Personal Data, or a Processor of Customer Personal Data acting on another Controller’s behalf (e.g. Customer’s Affiliate) while passing down relevant processing instructions to Processor. Processor Processes Customer Personal Data solely on behalf of Controller and in accordance with Controller’s Documented Instructions, including as set forth in the Website Terms and the Privacy Policy.

1.2. Term of the DPA
The term of this DPA coincides with the Term of the Agreement and terminates upon expiration or termination of the Agreement (or, if later, the date on which Processor ceases all Processing of Customer Personal Data).

2. Definitions

2.1. Terms

• “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of personal data under the Agreement.
• “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• “Customer Personal Data” means personal data contained in Customer Data and/or Customer Materials that Processor processes under the Agreement solely on behalf of Customer. For clarity, Customer Personal Data includes any Personal Data included in the attachments provided by Customer or its Authorized Users in any technical support requests.
• “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information”, or similar terms as defined in Applicable Data Protection Laws.
• “Processing” (and “Process” and “Processed”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction.
• “Processor” means the Company, in its capacity as an entity which processes Personal Data on behalf of the Controller.
• “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by Processor and/or its Sub-processors. For the purposes of this definition, “Customer Data Processed” includes Personal Data and Customer Data.
• “Sub-processor” means any third party (including Company Affiliates and/or other Subcontractors) engaged by Company to Process Customer Personal Data.

3. Personal Data Processing Responsibilities

3.1. This DPA, the Agreement, and Customer’s use of the Service (including relevant configurations and settings) and any related Support Services constitute Customer’s documented instructions regarding Processor’s processing of Customer Personal Data (collectively the “Documented Instructions”).

3.2. Processor will process Personal Data only:

• To provide and support the Services and any Support Services requested by Controller;
• As instructed by Controller, whether in the Documented Instructions or otherwise; and/or
• In any manner required by any applicable law, regulation, or in cooperation with a legal court or law enforcement order.

3.3. Processor will not sell Customer Personal Data or use it for its own independent commercial purposes.

3.4. Controller authorizes Processor to engage Sub-processors to support the Services. Company will impose data protection obligations on Sub-processors that are no less protective than those set forth in this DPA and remains responsible for their performance.

3.5. Controller represents, warrants, and acknowledges that:

• All Documented Instructions comply and at all times will remain in compliance with all Applicable Data Protection Laws. Processor is not and will not be responsible for monitoring or otherwise ensuring Controller’s compliance with Applicable Data Protection Laws;
• It is responsible for determining whether the Service and any related Support Services are appropriate for the Processing of Customer Data under Applicable Data Protection Laws;
• It has all necessary rights, consents, and legal bases to provide Personal Data to Processor;
• It has provided all required notices to all relevant Data Subjects;
• It will comply with all Applicable Data Protection Laws, privacy laws, and communications laws and regulations; and
• Controller is solely responsible for the content and legality of all Customer Personal Data.

4. Confidentiality

Processor will use commercially reasonable efforts to ensure that all personnel and Subcontractors that are authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and the reasonable administrative, technical, and organizational safeguards as described in the Section 5.1 below.

5. Security

5.1. Safeguards. Processor has implemented and will maintain appropriate, commercially reasonable technical and organizational safeguard measures designed to protect the security, confidentiality, integrity, and availability of Customer Personal Data and protect against Security Incidents. Controller is responsible for configuring the Service and using features and functionalities made available by Processor to maintain appropriate security in light of the nature of any given Customer Personal Data. The Company’s current technical and organizational measures are described in Schedule

1. Controller acknowledges that the Security Measures are subject to technical progress and development and that Processor may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Service during a Subscription Term. Controller acknowledges that no security measures are 100% secure and Processor’s efforts may not be successful, although Processor will make best commercially reasonable efforts to keep Customer Personal Data secure.

5.2. Security Incidents. Processor will notify Controller without undue delay and, where feasible, within no later than seventy-two (72) hours after becoming aware of a confirmed Security Incident that leads to a breach of Customer Personal Data. Processor must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within Processor’s reasonable control. Upon Controller’s request and taking into account the nature of the Processing and the information available to Processor, Processor must assist Controller by providing information reasonably necessary for Controller to meet its Security Incident notification obligations under Applicable Data Protection Laws. Any notification of a Security Incident is not an acknowledgment by Processor of fault or liability on its part nor on the part of any of its Affiliates, Subcontractors, or Sub-processors.

6. Data Subject Rights

Processor will provide reasonable assistance to Controller in responding to Data Subject requests. If Processor receives a request directly, it will notify Controller and not respond except as required by law.

7. International Data Transfers

Processor may process Personal Data in the United States and other jurisdictions where it or its Sub-processors operate. Where required by applicable law, Processor will implement appropriate safeguards for cross-border data transfers.

8. Return and Deletion

Upon termination, Processor will delete or return Personal Data at Controller’s direction, unless retention is required by law.

9. Limitation of Processing Role

Processor acts solely as a processor or service provider and does not determine the purposes or means of processing Personal Data.

10. Liability Alignment

10.1 Limitation of Liability

THIS DPA IS SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN THE TERMS OF THE SERVICE AGREEMENT. TO THE FULLEST EXTENT PERMITTED BY LAW, PROCESSOR SHALL NOT BE LIABLE FOR:

• Controller’s compliance or non-compliance with applicable laws and regulations, including Applicable Data Laws and other legal or contractual obligations;
• The legality, completeness, or accuracy of Personal Data; and
• Controller’s Documented Instructions and/or use of the Service.

10.2 Indemnification

ALL INDEMNIFICATION OBLIGATIONS OF CUSTOMER/CONTROLLER UNDER THE TERMS OF THE AGREEMENT APPLY FULLY TO THIS DPA AND SHALL NOT BE LIMITED BY ANY CAP ON DAMAGES TO THE EXTENT PERMITTED BY LAW.