This Data Processing Agreement ("DPA") is entered into between FieldCrest Ventures LLC ("Company" or "Processor") and the subscribing enterprise entity ("Customer" or "Controller") and is incorporated into and forms part of the Agreement between the parties. Capitalized terms not defined herein have the meanings assigned in the Terms of Use.

DPA-1. Roles of the Parties

Customer is the Data Controller with respect to personal data of its end users and personnel that is processed through the Service. Company is the Data Processor, processing personal data solely on behalf of and under the instructions of Customer in connection with providing the Service.

DPA-2. Scope of Processing

Processor will process personal data solely to: (i) provide the Service as described in the Agreement; (ii) maintain, improve, and secure the Service infrastructure; (iii) ensure compliance with applicable law; and (iv) fulfill any instruction from Controller provided in accordance with this DPA. Processor will not process personal data for any purpose other than those set forth herein without Controller's prior written consent.

DPA-3. Types of Data and Data Subjects

The personal data processed under this DPA may include: account registration information; usage and activity data; technical and device information; API and programmatic access logs; and integration metadata. Data subjects may include Customer's employees, contractors, and authorized end users of the Service.

DPA-4. Processing Instructions

Processor will process personal data only in accordance with Customer's documented instructions, including those set forth in the Agreement and this DPA. If Processor is required by applicable law to process personal data other than as instructed, Processor will inform Customer of that requirement before processing (unless prohibited by law). Customer's instructions must comply with applicable law; Processor is not responsible for the lawfulness of instructions.

DPA-5. Confidentiality of Processing

Processor will ensure that all personnel authorized to process personal data are subject to confidentiality obligations, whether by contract or applicable professional duty, with respect to that personal data.

DPA-6. Security Measures

Processor will implement and maintain appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Measures include:

• Encryption of personal data at rest and in transit using industry-standard protocols
• Access controls limiting personal data access to authorized personnel on a need-to-know basis
• Monitoring and logging of access to systems processing personal data
• Regular security reviews and vulnerability assessments
• Incident response procedures for confirmed data breaches
• Step-up authentication for high-value operations
• Row-level security on all database tables containing personal data

DPA-7. Subprocessors

Customer provides general authorization for Processor to engage subprocessors for hosting, analytics, payment processing, and related services. Processor will: (i) maintain an updated list of subprocessors available upon request; (ii) impose data protection obligations on subprocessors substantially equivalent to those in this DPA; and (iii) remain responsible for the performance of subprocessors with respect to personal data. Processor will provide Customer with 30 days' notice before engaging a new subprocessor that will process Customer's personal data.

DPA-8. International Data Transfers

Personal data may be transferred to and processed in the United States. For transfers of personal data from the EEA, UK, or other jurisdictions requiring transfer safeguards, Processor will implement Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required by applicable law. Customer authorizes such transfers as necessary to provide the Service.

DPA-9. Data Subject Rights

Processor will, to the extent technically feasible, assist Customer in fulfilling data subject rights requests under applicable law, including requests for access, correction, deletion, portability, and objection. Processor will promptly forward to Customer any data subject rights requests it receives that relate to Customer's personal data.

DPA-10. Data Breach Notification

Processor will notify Customer of any confirmed personal data breach affecting Customer's personal data within 72 hours of becoming aware of the breach (where feasible), or as soon as reasonably practicable thereafter. Notification will include: (i) a description of the nature of the breach; (ii) categories and approximate number of data subjects and records affected; (iii) likely consequences of the breach; and (iv) measures taken or proposed to address the breach. Processor's obligation to notify does not imply admission of fault or liability.

DPA-11. Data Protection Impact Assessments

Where required by applicable law, Processor will provide reasonable assistance to Customer in conducting data protection impact assessments (DPIAs) related to processing under this DPA, to the extent such assistance is within Processor's knowledge and capabilities.

DPA-12. Audit Rights

Customer may audit Processor's compliance with this DPA no more than once per year, upon 30 days' written notice, and subject to execution of a confidentiality agreement. Audits may be conducted by Customer or a mutually agreed third-party auditor and shall not unreasonably disrupt Processor's operations. Processor may satisfy audit obligations by providing third-party audit reports or certifications where available.

DPA-13. Data Retention and Deletion

Upon termination of the Agreement, Processor will, at Customer's election, delete or return all personal data and delete existing copies, except to the extent Processor is required by applicable law to retain such data. Processor will certify deletion in writing upon Customer's request.

DPA-14. Liability

Processor's liability under this DPA is subject to the limitations set forth in Section 13 of the Agreement. Nothing in this DPA creates liability on the part of Processor for decisions made by Customer as Data Controller or for the lawfulness of Customer's processing instructions.

DPA-15. Governing Law

This DPA is governed by the laws of the State of Florida, without regard to conflict of law principles, consistent with the governing law provisions of the Agreement.