Data Processing Addendum
Effective: May 13, 2026
Version v3-2026-05-13
1. Introduction
This Data Processing Addendum ("DPA") is part of the Agency Master Services Agreement ("MSA") between Fire Call, LLC ("Fire Call") and the Agency identified at signup ("Customer" or "you"). It governs Fire Call's processing of personal information on the Customer's behalf in connection with the Service.
This DPA applies to the extent Fire Call processes personal information that is subject to applicable U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other comparable state laws that may apply to the personal information of the Customer's clients and other data subjects. To the extent the European Union General Data Protection Regulation ("EU GDPR") or the United Kingdom GDPR ("UK GDPR") applies to a transfer of personal information through the Service, the mechanism in Section 10 governs.
If a term is used but not defined in this DPA, it has the meaning given in the MSA. If the MSA and this DPA conflict on a matter of personal information processing, this DPA controls.
2. Definitions
For purposes of this DPA:
- "Personal Information" means any Customer Data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular individual or household.
- "Sensitive Personal Information" means Personal Information that meets the definition of "sensitive personal information" under CCPA/CPRA or "sensitive data" under any other applicable U.S. state privacy law, including precise geolocation, government identifiers, and any data revealing protected characteristics.
- "Data Subject" means the individual to whom Personal Information relates, typically your insurance client or someone on whose property an inspection is conducted.
- "Controller" (sometimes called "business") means the party that determines the purposes and means of processing Personal Information. For Personal Information processed through the Service, the Customer is the Controller.
- "Processor" (sometimes called "service provider" or "contractor" under CCPA/CPRA) means a party that processes Personal Information on behalf of a Controller. Fire Call is the Processor.
- "Subprocessor" means a third party engaged by Fire Call to process Personal Information on Fire Call's behalf.
- "Process" means any operation performed on Personal Information, including collection, storage, use, disclosure, transmission, or deletion.
- "Security Incident" means a confirmed unauthorized access to, acquisition of, or disclosure of Personal Information processed by Fire Call.
- "Deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual or household, in the sense set forth in Cal. Civ. Code §1798.140(m) and equivalent provisions of other applicable state privacy laws.
3. Roles and Scope of Processing
The parties acknowledge that, with respect to Personal Information processed through the Service, the Customer is the Controller and Fire Call is the Processor acting on the Customer's documented instructions.
The Customer's documented instructions are set forth in the MSA, this DPA, the Service documentation, and the Customer's configuration of and use of the Service. Fire Call will not process Personal Information for any purpose other than performing the Service and complying with applicable law.
Categories of Personal Information. The Personal Information Fire Call processes on the Customer's behalf typically includes: contact information (name, email, phone number) of the Customer's clients; property addresses and related location information; photos of properties, including any individuals or objects incidentally captured in those photos; inspection records and hazard reports; metadata associated with inspection submissions (timestamps, device information, IP address); identity-verification and session forensics captured when a Data Subject completes one-time-passcode verification (IP address, user-agent, the email address the inspection link was issued to, and the time the session was established); and email delivery metadata for each transactional email Fire Call sends on the Customer's behalf (recipient address, subject line, timestamp, delivery status, and the message identifier returned by Fire Call's email delivery provider). Fire Call does not retain the body of those emails. Email delivery metadata is retained for ninety (90) days from the date of sending, then deleted or anonymized.
Sensitive Personal Information. The parties acknowledge that some Personal Information processed through the Service may meet the definition of Sensitive Personal Information under CCPA/CPRA or a comparable provision of another applicable state law — for example, precise geolocation derived from photo metadata, or images that incidentally reveal protected characteristics. Fire Call will process Sensitive Personal Information only for the purposes set forth in Cal. Civ. Code §1798.121(a) and the purposes described in this DPA (i.e., providing and operating the Service for the Customer), and will not use Sensitive Personal Information to infer characteristics about a Data Subject for any purpose other than those uses.
Categories of Data Subjects. Data Subjects typically include the Customer's insurance clients (property owners), individuals authorized by those clients to participate in inspections, and the Customer's own staff who use the Service.
Purposes of Processing. Fire Call processes Personal Information solely to (a) provide and operate the Service for the Customer, (b) communicate with Data Subjects in the course of providing the Service, including conducting inspections and offering remediation services to property owners as described in the MSA, (c) maintain security and prevent fraud, (d) generate Deidentified and aggregated analytics to improve the Service, and (e) comply with legal obligations.
4. Fire Call's Obligations
Fire Call will:
- Process Personal Information only on the Customer's documented instructions, including as set forth in the MSA and this DPA
- Not sell or share Personal Information (as those terms are defined under CCPA/CPRA), and not use Personal Information for cross-context behavioral advertising
- Not retain, use, or disclose Personal Information for any purpose outside the scope of the Service or the specific business purposes set forth in this DPA, including for Fire Call's own commercial purposes, except to (i) maintain Deidentified or aggregated data, (ii) comply with legal obligations, or (iii) detect and prevent security incidents and fraud
- Not combine Personal Information received from the Customer with Personal Information received from or about other sources, except to perform the Service or as legally permitted
- Ensure that personnel authorized to process Personal Information are bound by appropriate confidentiality obligations
- Provide the Customer with reasonable assistance to enable the Customer to comply with its own obligations under applicable privacy laws, including responding to Data Subject requests and conducting data protection impact assessments
- Notify the Customer if Fire Call determines it can no longer meet its obligations under applicable privacy law, and in that case, work with the Customer in good faith to remediate or stop processing the affected Personal Information
CCPA/CPRA service-provider certification. Fire Call certifies that it understands the restrictions set forth in this Section 4 and in Cal. Civ. Code §1798.140(ag) and §1798.140(j), and that it will comply with them. Fire Call further certifies that it will provide the same level of privacy protection as is required of businesses by the CCPA/CPRA, and grants the Customer the right (consistent with Section 9 of this DPA) to take reasonable and appropriate steps to ensure that Fire Call uses Personal Information in a manner consistent with the Customer's obligations under the CCPA/CPRA, and to stop and remediate unauthorized use of Personal Information.
Deidentified data. Where Fire Call creates or uses Deidentified data permitted under this DPA, Fire Call will (a) take reasonable measures to ensure the information cannot be associated with an identifiable individual or household, (b) publicly commit to maintain and use the information only in Deidentified form and not to attempt to reidentify it, except for the limited purposes of testing whether deidentification was effective, and (c) contractually obligate any recipient of the Deidentified data to comply with the foregoing.
5. Security Measures
Fire Call will implement and maintain administrative, technical, and physical safeguards designed to protect Personal Information from unauthorized access, use, disclosure, alteration, or destruction. Fire Call's security program is evolving, and the safeguards below describe a combination of measures already in place and measures Fire Call is actively building out. As Fire Call's security program matures, these safeguards include or will include:
- Encryption of Personal Information in transit using TLS 1.2 or higher, and at rest using AES-256 or an equivalent industry-standard algorithm
- Centralized management of secrets and credentials with restricted access, and rotation of long-lived secrets on exposure or role change. Fire Call is documenting a scheduled rotation cadence as its security program matures.
- Role-based access controls limiting access to Personal Information to personnel with a legitimate need
- Multi-factor authentication for administrative access to underlying infrastructure providers, with progressive enforcement of MFA across all administrative accounts as Fire Call's security program matures
- Audit logging of access to and changes affecting Personal Information, retained for a commercially reasonable period sufficient to support incident investigation. Audit logging includes administrative actions, authentication events (including failed sign-in attempts and rate-limit violations on sensitive endpoints), inspection-status transitions, and bulk-export access, with IP address and user-agent captured where applicable to support forensic review
- Network security controls appropriate to a cloud-hosted Service, including controls provided by Fire Call's infrastructure providers
- Periodic review and testing of security controls. Fire Call is working toward annual penetration testing of the production Service by a qualified internal or third-party tester as part of its broader security program.
- Monitoring of security advisories affecting the Service and its dependencies, including through automated tooling provided by Fire Call's source code repository platform, and remediation of identified vulnerabilities on a risk-prioritized basis taking into account severity and exposure
- Use of version control for the source code underlying the Service, and use of automated dependency vulnerability alerts for that source code
- Backup procedures using the automated backup capabilities of Fire Call's cloud database provider. Fire Call is documenting recovery point and recovery time objectives as part of its broader security program.
- Incident response practices designed to support the notification commitments in Section 8. Fire Call is documenting its incident response procedures as part of its broader security program.
Fire Call may update its security measures from time to time, provided that updates do not materially reduce the overall level of protection.
6. Subprocessors
The Customer authorizes Fire Call to engage Subprocessors to process Personal Information in connection with the Service. As of the effective date of this DPA, Fire Call uses the following Subprocessors:
- Amazon Web Services, Inc. — cloud infrastructure (database, file storage, compute), United States
- Google LLC (Firebase) — authentication and identity verification, United States
- Google LLC (Gemini) — AI-assisted processing of inspection-related documents and images, United States
- Stripe, Inc. — payment processing for Customer subscriptions, United States
- DocuSign, Inc. — electronic signature for contractor and client agreements, United States
- Resend, Inc. — transactional email delivery, United States
- Mapbox, Inc. — mapping and geocoding services, United States
- Railway Corp. — application hosting and deployment, United States
- Twilio Inc. — SMS delivery of one-time passcodes for inspection identity verification, United States
Fire Call will impose data protection obligations on each Subprocessor that are substantially similar to those in this DPA. Fire Call remains responsible to the Customer for each Subprocessor's acts and omissions in processing Personal Information as if they were Fire Call's own.
Fire Call will maintain an up-to-date list of Subprocessors at /subprocessors and will notify the Customer of any addition or replacement of a Subprocessor at least thirty (30) days before the change takes effect, by email to the Customer's administrator or by in-product notice.
The Customer may object to a new or replacement Subprocessor on reasonable data protection grounds by sending written notice to legal@firecall.us within thirty (30) days of Fire Call's notice. The parties will work in good faith to resolve the objection. If the parties cannot agree, the Customer may terminate the affected subscription as its exclusive remedy and receive a pro-rated refund of prepaid fees for the unused portion of the then-current billing period.
7. Data Subject Rights
The Customer is responsible for responding to requests from Data Subjects exercising their rights under applicable privacy law, including rights to know, access, correct, delete, port, opt out of certain processing, and limit the use of Sensitive Personal Information.
If Fire Call receives a request directly from a Data Subject relating to Personal Information processed on the Customer's behalf, Fire Call will (a) not respond to the substance of the request except to acknowledge receipt and refer the Data Subject to the Customer, and (b) promptly forward the request to the Customer.
Taking into account the nature of the processing, Fire Call will provide reasonable assistance to enable the Customer to fulfill its obligations to respond to Data Subject requests, including by providing access to relevant records through the Service or, where the Service does not provide self-service access, by responding to a reasonable number of written requests from the Customer at no additional charge.
8. Security Incident Notification
Fire Call will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after Fire Call becomes aware of a confirmed Security Incident affecting the Customer's Personal Information. For purposes of this Section, Fire Call "becomes aware" of a Security Incident when a member of Fire Call's incident-response or security team has formed a reasonable belief, after appropriate triage of the underlying alert or report, that a Security Incident has occurred. Routine alerts that are determined on investigation not to involve unauthorized access to Personal Information are not Security Incidents.
Notification will be sent by email to the Customer's administrator on file with the Service, with a follow-up by in-product notice where reasonably possible. The notification will, to the extent known at the time, describe the nature of the Security Incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident and mitigate harm.
Fire Call will continue to update the Customer as more information becomes available, and will reasonably cooperate with the Customer's good-faith efforts to investigate, mitigate, and remediate the Security Incident, including by providing relevant logs and records and, upon the Customer's reasonable request, sharing a written summary of the root-cause analysis and remediation steps once those have been completed.
Fire Call's notification of, or response to, a Security Incident is not an acknowledgment by Fire Call of fault or liability.
9. Audit Rights
Fire Call will, no more than once per year and at the Customer's reasonable request, provide the Customer with a summary of Fire Call's then-current security practices and any third-party security certifications or audit reports Fire Call holds (such as SOC 2 Type II). The Customer agrees that, to the extent these materials are available, they are the Customer's primary means of verifying Fire Call's compliance with this DPA.
SOC 2. Fire Call is working toward SOC 2 Type II certification covering the Trust Services Criteria for Security (and, as appropriate, Availability and Confidentiality), and will use commercially reasonable efforts to pursue the certification as Fire Call's security program matures and as the Customer base and regulatory environment make doing so commercially reasonable. Until that report is available, Fire Call will make available, upon reasonable request and subject to confidentiality, a written description of its security program sufficient for the Customer to perform a vendor risk assessment.
If applicable law requires the Customer to conduct an on-site audit, the parties will agree in advance on the scope, timing, and protocols for the audit, which will be conducted during normal business hours, with reasonable notice, in a manner that does not unreasonably interfere with Fire Call's business, and subject to confidentiality obligations. The Customer will bear its own costs and Fire Call's reasonable costs of supporting any on-site audit.
10. International Data Transfers
Fire Call processes Personal Information in the United States. The Service is offered to, and intended for use by, customers and Data Subjects located in the United States. The Customer represents that it will not knowingly use the Service to process Personal Information of Data Subjects located in the European Economic Area, the United Kingdom, or Switzerland, except as expressly agreed in writing between the parties under the mechanism in this Section.
If, and only to the extent that, the parties agree in writing to use the Service to process Personal Information subject to the EU GDPR, UK GDPR, or Swiss Federal Act on Data Protection ("FADP"), the following apply automatically and are incorporated by reference into this DPA:
- For transfers from the EEA to the United States, the European Commission's Standard Contractual Clauses approved by Implementing Decision (EU) 2021/914 (the "EU SCCs"), Module Two (Controller-to-Processor), are incorporated by reference. The Customer is the data exporter; Fire Call is the data importer. The optional docking clause and the optional language on independent dispute resolution are not adopted. Clause 7 (Docking Clause) is adopted. Clause 9(a), Option 2 (general written authorization for subprocessors, with notice as set forth in Section 6 of this DPA) applies. Clause 11(a) optional language is not adopted. Clause 17 (Option 1): the SCCs are governed by the law of the Republic of Ireland. Clause 18(b): disputes will be resolved in the courts of Ireland. Annex I.A identifies the parties as set forth in this DPA. Annex I.B describes the data transfer as set forth in Section 3 of this DPA. Annex I.C identifies the Irish Data Protection Commission as the competent supervisory authority. Annex II describes the technical and organizational measures set forth in Section 5 of this DPA. Annex III lists the Subprocessors set forth in Section 6 of this DPA.
- For transfers from the United Kingdom, the parties incorporate the International Data Transfer Addendum issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018 (the "UK Addendum"), which amends the EU SCCs as required for UK-originating transfers. Table 1 of the UK Addendum identifies the parties as set forth in this DPA; Tables 2 and 3 refer to the EU SCCs as adopted above and the Annexes as set forth in this DPA; Table 4 (party that may end the Addendum if the Approved Addendum changes) is the data importer (Fire Call).
- For transfers subject to the Swiss FADP, the EU SCCs apply with the references to the GDPR interpreted as references to the FADP and the competent supervisory authority interpreted as the Swiss Federal Data Protection and Information Commissioner.
The parties may execute a separate transfer-mechanism schedule to record the agreement contemplated by this Section. Until such a schedule is executed, the Customer must not use the Service to process Personal Information subject to the EU GDPR, UK GDPR, or FADP.
11. Return or Deletion of Personal Information
During the term of the MSA, Personal Information is available for self-service export at any time through the Service's in-product export feature, consistent with MSA Section 14 (which defines the "Export Window" as the period of in-product export access — i.e., the entire term). The Customer is responsible for exporting Personal Information before cancellation or termination takes effect. On termination or expiration of the MSA, Fire Call will delete Personal Information from its systems within a reasonable time, except for copies retained (a) as required by law, (b) in routine backups that are deleted on a regular cycle, or (c) in Deidentified or aggregated form.
Insurance-recordkeeping retention. The parties acknowledge that the Customer may be subject to insurance industry recordkeeping requirements that require retention of Personal Information beyond the Export Window. The Customer is responsible for exporting Personal Information within the Export Window in order to satisfy those obligations, or, in the alternative, electing the extended-retention or read-only escrow option referred to in MSA Section 14 (which may carry an additional fee). Personal Information retained under any extended-retention arrangement remains subject to this DPA.
The Customer may, during the term of the MSA, request earlier deletion of specific Personal Information by submitting a written request through the Service or to legal@firecall.us. Fire Call will fulfill the request within a reasonable time, subject to the exceptions in the first paragraph of this Section.
12. Liability
The limitations of liability in the MSA apply to claims arising out of or relating to this DPA. The parties acknowledge that this DPA does not create separate or additional liability beyond what the MSA provides.
13. Children's Data
The Service is not directed to children under thirteen (13) years of age, and Fire Call does not knowingly collect Personal Information from children under thirteen. The Customer represents and warrants that it will not knowingly use the Service to collect or process Personal Information from children under thirteen.
The parties acknowledge that, in the ordinary course of residential property inspections, photographs may incidentally capture children who happen to be present on or near the inspected property. Such incidental capture is not the "collection" of information from those children for purposes of the Children's Online Privacy Protection Act, but the parties will treat any such images consistently with the Sensitive Personal Information protections in Section 3 and the security measures in Section 5. If Fire Call or the Customer becomes aware that Personal Information of a child under thirteen has been knowingly collected through the Service, the party becoming aware will promptly notify the other, and Fire Call will delete the information except to the extent retention is required by law.
14. Insurance Sector Compliance
The parties acknowledge that the Customer is or may be subject to (a) the Gramm-Leach-Bliley Act and its implementing regulations, including the FTC Standards for Safeguarding Customer Information (the "Safeguards Rule"), (b) the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500), (c) the NAIC Insurance Data Security Model Law as adopted in the Customer's state(s) of licensure, and (d) other state insurance department regulations governing vendor oversight and consumer information security (collectively, "Insurance Sector Regulations").
Fire Call agrees to maintain practices designed to support the Customer's compliance with Insurance Sector Regulations, including by (i) implementing administrative, technical, and physical safeguards consistent with the Safeguards Rule and 23 NYCRR Part 500 §500.11 (third-party service provider security policy expectations), (ii) using encryption of Personal Information in transit and at rest as described in Section 5, (iii) implementing multi-factor authentication for administrative access to systems processing Personal Information as described in Section 5, (iv) providing notice of Security Incidents on the timeline set forth in Section 8 so that the Customer can meet its own regulator-notification deadlines (which, under 23 NYCRR §500.17(a), can be as short as seventy-two (72) hours), and (v) reasonably cooperating with the Customer's vendor due-diligence inquiries and reasonable annual reassessments.
The Customer remains solely responsible for its own compliance with Insurance Sector Regulations, including for adopting its own information security program, designating a chief information security officer or equivalent where required, performing risk assessments, and making any notifications or filings to its regulators that those regulations require.
15. Changes to This DPA
Fire Call may update this DPA from time to time. When we do, we will publish the updated version at a new version-specific URL (for example, /dpa/v4-YYYY-MM-DD) and note the new effective date. The version of this DPA you accepted at signup remains accessible at its version-specific URL for the life of your account. The change process and notice requirements set forth in the MSA for updates to the MSA also apply to updates to this DPA, including the affirmative re-acceptance requirement for material changes.
16. Contact
Privacy-related questions and requests under this DPA should be directed to: legal@firecall.us