Data Processing Agreement

Last updated: May 9, 2026

This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the Terms of Service (the "Terms") between you (the "Customer", also referred to in this DPA as the "Controller") and Incorporate Now Inc, a Florida corporation doing business as mailnow.ai (the "Company", also referred to in this DPA as the "Processor"). This DPA applies automatically when the Customer is established in, or processes personal data of individuals located in, the European Economic Area (the "EEA"), the United Kingdom (the "UK"), or Switzerland. Customers established in other jurisdictions may opt this DPA into their relationship by emailing legal@mailnow.ai.

Capitalized terms used but not defined here have the meanings given to them in the Terms.

1. Parties

The parties to this DPA are Incorporate Now Inc, a Florida corporation with an office at 100 S. Dixie Hwy., 3rd Floor, West Palm Beach, FL 33401 (the "Processor"), and the Customer identified in the Account that accepts the Terms (the "Controller"). This DPA is incorporated into the Terms and applies automatically when the Controller is established in the EEA, the UK, or Switzerland, or when the Controller processes personal data of individuals located in any of those jurisdictions through the Service. Controllers in other jurisdictions may opt this DPA into their contract by emailing legal@mailnow.ai.

Where the Controller is itself a processor on behalf of one of its own customers (a "Customer-of-Customer"), this DPA also covers Processor's handling of personal data on behalf of that Customer-of-Customer; the Controller confirms that it has the authority of the Customer-of-Customer to enter into this DPA on the Customer-of-Customer's behalf.

2. Definitions

The following terms have the meanings given to them in Article 4 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"): personal data, processing, controller, processor, sub-processor, data subject, supervisory authority, and personal data breach. Where this DPA applies to processing subject to the UK GDPR (as defined in section 3 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019), those terms have the equivalent meanings under the UK GDPR.

In addition:

  • "Applicable Data Protection Law" means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (the "FADP"), and any other data protection or privacy laws of the EEA member states, the UK, or Switzerland that apply to the processing of personal data under this DPA.
  • "EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 and in force on 21 March 2022.
  • "Customer Personal Data" means personal data that the Processor processes on behalf of the Controller in the course of providing the Service, including the contents of Mail Items and Checks and the other categories of personal data described in Annex I.
  • "Service" has the meaning given in the Terms and includes the mailnow.ai web application and the related mail-handling and check-deposit services.

3. Subject Matter, Duration, Nature, and Purpose of Processing

The subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data processed under this DPA are set out in Annex I. The duration of the processing is the term of the Terms, plus any period during which the Processor lawfully retains Customer Personal Data after termination as described in Section 11 or as required by applicable law.

4. Controller and Processor Obligations

Controller instructions. The Processor will process Customer Personal Data only on the Controller's documented instructions, including with regard to international transfers. The Terms, this DPA (including its Annexes), the configuration the Controller selects in the Service, and the legitimate use of the Service by the Controller and its Authorized Users together constitute the Controller's documented instructions. If the Processor is required by EU, EU member state, UK, Swiss, or U.S. law to process Customer Personal Data otherwise, the Processor will (where legally permitted) inform the Controller of that requirement before processing.

Confidentiality of personnel. The Processor will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory.

Security. The Processor will implement and maintain the technical and organizational measures described in Annex II to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, in accordance with GDPR Article 32.

Sub-processors. The Processor may engage sub-processors only on the conditions set out in Section 5.

Assistance with data subject requests. The Processor will provide the Controller with reasonable assistance — taking into account the nature of the processing and the information available to the Processor — to enable the Controller to respond to requests from data subjects exercising their rights under Applicable Data Protection Law, as further described in Section 9.

Assistance with security, breach notification, DPIAs, and prior consultations. The Processor will provide the Controller with reasonable assistance in complying with the Controller's obligations under GDPR Articles 32 to 36 (security, personal data breach notification to supervisory authorities and to data subjects, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to the Processor. To the extent that the assistance required is materially in excess of standard support and the Service's built-in features, the Processor may charge a reasonable cost-recovery fee.

Deletion and return. On termination of the Terms, the Processor will delete or return Customer Personal Data as set out in Section 11.

Demonstrating compliance. The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with GDPR Article 28, and will allow for and contribute to audits as set out in Section 10.

Controller responsibilities. The Controller represents and warrants that (a) it has all rights, consents, and lawful bases necessary under Applicable Data Protection Law for the Processor to process Customer Personal Data as contemplated by the Terms and this DPA, (b) its instructions to the Processor comply with Applicable Data Protection Law, and (c) it has provided all required notices to data subjects.

5. Sub-processors

The Controller provides general written authorization for the Processor to engage the sub-processors listed at /legal/subprocessors (the live Annex III to this DPA) and to engage additional sub-processors from time to time, provided that the Processor:

  • maintains an up-to-date public list of sub-processors at the URL above, which the Controller is responsible for periodically reviewing. Where reasonably practicable, the Processor will use commercially reasonable efforts to announce the intended addition of a new sub-processor on that page in advance of the new sub-processor beginning to process Customer Personal Data and, where the Controller has subscribed for change notices, by email; such advance notice is provided as a courtesy and is not guaranteed;
  • imposes on each sub-processor data protection obligations no less protective than those set out in this DPA (including, where applicable, the EU SCCs and the UK Addendum); and
  • remains liable to the Controller for the performance of each sub-processor's obligations.

The Controller may object on reasonable data-protection grounds to the appointment of a new sub-processor by sending written notice to legal@mailnow.ai within thirty (30) days after the new sub-processor is published on the sub-processor list (or, if earlier, after the Controller otherwise becomes aware of the change). If the parties cannot resolve the objection in good faith within a further thirty (30) days, the Controller may terminate the affected portion of the Service on written notice; fees prepaid for the unused portion of the affected Service will be refunded on a pro-rata basis as the Controller's exclusive remedy.

6. International Transfers

The Processor is established in the United States, and it processes Customer Personal Data in the United States and in any other jurisdiction in which it or its sub-processors operate. Where Customer Personal Data is transferred from the EEA, the UK, or Switzerland to a country that has not been the subject of an adequacy decision under Applicable Data Protection Law, the parties agree to the additional terms below.

6.1 EU SCCs

The parties incorporate the EU SCCs into this DPA by reference and agree that they will apply to such transfers, with the following selections:

  • Module Two (Controller-to-Processor) applies where the Controller is itself a controller of the Customer Personal Data.
  • Module Three (Processor-to-Processor) applies where the Controller is itself a processor on behalf of a Customer-of-Customer, in which case the Controller acts as the data exporter on behalf of that controller.
  • The optional docking clause in Clause 7 is included.
  • Clause 9(a) (Use of sub-processors): Option 2 (general written authorization) applies, with a notice period of thirty (30) days, consistent with Section 5 of this DPA.
  • Clause 11 (Redress): the optional independent dispute resolution mechanism is not selected.
  • Clause 17 (Governing law): Option 1 applies, and the EU SCCs are governed by the law of the EEA member state in which the data exporter is established. Where the data exporter is not established in an EEA member state, the parties select the laws of the Republic of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): the courts of the EEA member state whose law applies under Clause 17 have exclusive jurisdiction; where the laws of the Republic of Ireland apply, the courts of the Republic of Ireland have exclusive jurisdiction.
  • Annex I (Parties), Annex II (Technical and organizational measures), and Annex III (Sub-processors) of the EU SCCs are populated by Annex I, Annex II, and Annex III of this DPA, respectively. The competent supervisory authority for purposes of EU SCC Annex I.C is the supervisory authority of the EEA member state whose law applies under Clause 17, and where the laws of the Republic of Ireland apply, the Irish Data Protection Commission.

6.2 UK Addendum

For transfers of personal data subject to the UK GDPR, the parties incorporate the UK Addendum into this DPA by reference. The UK Addendum is read together with the EU SCCs as set out in Section 6.1, with the following Table selections:

  • Table 1 (Parties): as set out in Annex I of this DPA.
  • Table 2 (Selected SCCs, Modules, and selected clauses): the EU SCCs as incorporated by Section 6.1.
  • Table 3 (Appendix Information): as set out in Annexes I, II, and III of this DPA.
  • Table 4 (Ending the Addendum when the Approved Addendum changes): neither party may end the UK Addendum on the basis of changes to the Approved Addendum (i.e., the box is left unticked for both Importer and Exporter).

6.3 Swiss transfers

For transfers of personal data subject to the FADP, the EU SCCs as incorporated by Section 6.1 apply, with the adjustments specified by the Swiss Federal Data Protection and Information Commissioner (the "FDPIC"): (a) references to the GDPR are read as references to the FADP where the FADP applies; (b) the term "EU member state" does not exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence; (c) the competent supervisory authority is the FDPIC; and (d) until the entry into force of the revised FADP, the EU SCCs also protect personal data of legal entities to the extent required by the prior FADP.

7. Security Measures

The Processor's technical and organizational measures designed to protect Customer Personal Data are set out in Annex II. The Processor may update those measures from time to time, provided that the updates do not materially reduce the overall level of protection.

8. Personal Data Breach

The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours of the Processor's confirmation that a personal data breach affecting Customer Personal Data has occurred. The notice will include, to the extent then known to the Processor, the information required under GDPR Article 33(3): a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), the likely consequences, the measures taken or proposed to address the breach and mitigate its effects, and the contact point for further information. The Processor will keep the Controller updated as material new information becomes available.

A notice under this Section is not, and will not be construed as, an admission of fault or liability by the Processor. The Controller remains responsible for any notifications it is required to make to supervisory authorities and to data subjects.

9. Data Subject Rights

The Processor will, taking into account the nature of the processing and the information available to it, provide the Controller with reasonable assistance to respond to requests from data subjects exercising their rights of access, rectification, erasure, restriction of processing, data portability, objection, or rights related to automated decision-making under Applicable Data Protection Law. Where the Service includes built-in features that allow the Controller to address a request directly (for example, by exporting, editing, or deleting Customer Personal Data through the Service), the Controller will use those features in the first instance.

If a data subject contacts the Processor directly with a request relating to Customer Personal Data, the Processor will, without undue delay, redirect the data subject to the Controller and inform the Controller of the request, except where the Processor is required by law to respond directly.

10. Audit

The Processor will respond to a written security questionnaire from the Controller no more than once per calendar year, free of charge. On at least sixty (60) days' prior written notice, and no more than once per calendar year, the Controller (or an independent auditor mandated by the Controller and reasonably acceptable to the Processor, which is not a competitor of the Processor) may conduct an on-site audit of the Processor's policies, procedures, and records relevant to the processing of Customer Personal Data. The Processor will permit an additional audit, or a more frequent audit, where (a) a supervisory authority requires it, or (b) a confirmed personal data breach has affected Customer Personal Data and the Controller reasonably wishes to verify remediation.

Audits will be conducted during normal business hours, will not unreasonably interfere with the Processor's operations, and will respect the confidentiality and security of the Processor's other customers' data. The Controller will bear its own costs for any audit and will reimburse the Processor's reasonable time-and-materials costs of supporting the audit.

11. Return or Deletion of Personal Data

On termination or expiry of the Terms, the Controller may, for a period of thirty (30) days, continue to access the Service in read-only mode (or as otherwise made available by the Processor) for the sole purpose of exporting Customer Personal Data. After that 30-day period, the Processor will delete Customer Personal Data from its production systems within a further thirty (30) days, except to the extent that the Processor is required by EU, EU member state, UK, Swiss, or U.S. law to retain some or all of the Customer Personal Data (for example, USPS Form 1583 records, financial recordkeeping obligations, or anti-money-laundering records). Customer Personal Data residing in routine encrypted backups is not deleted individually; it will be overwritten in the ordinary course on the Processor's standard backup rotation (a 30-day rolling cycle, as described in Annex II and in our Privacy Policy).

12. Liability and Indemnity

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms, except to the extent that such exclusions or limitations are unenforceable under GDPR Article 82 or equivalent provisions of Applicable Data Protection Law. Nothing in this DPA limits a data subject's rights against either party under Applicable Data Protection Law.

13. Conflict

In the event of any conflict or inconsistency among (a) the EU SCCs (or, where applicable, the UK Addendum) as incorporated by Section 6, (b) the body of this DPA, and (c) the Terms, the order of precedence is: first, the EU SCCs (or the UK Addendum, as applicable); second, this DPA; and third, the Terms. To the extent this DPA grants the Controller rights or imposes Processor obligations more protective than the Terms with respect to the processing of Customer Personal Data, this DPA controls.

14. Acceptance

By using the Service, the Customer accepts this DPA on behalf of itself and, where applicable, on behalf of any Customer-of-Customer it represents. The Customer confirms that the individual accepting the Terms on its behalf has the authority to bind the Customer (and any Customer-of-Customer it represents) to this DPA. No counter-signed paper copy is required for this DPA to take effect; for Customers that require an executed copy for procurement purposes, please email legal@mailnow.ai.

15. Contact

Privacy and DPA-related notices to the Processor must be sent to legal@mailnow.ai with a copy by mail to: Incorporate Now Inc, 100 S. Dixie Hwy., 3rd Floor, West Palm Beach, FL 33401, Attn: Legal.

The Processor has not yet appointed a representative in the EU under GDPR Article 27 or in the UK under Article 27 of the UK GDPR. The Processor will appoint such representatives before offering the Service to data subjects in the EEA or the UK, and will identify them here once appointed.

Annex I — Description of Processing

A. List of parties

Data exporter: the Controller, as identified in the Account that accepts the Terms. Activities relevant to the data transferred: receiving virtual mailbox, mail-handling, and check-deposit services from the Processor. Role: controller (or, where the Controller is itself a processor for a Customer-of-Customer, processor). Contact: as recorded in the Account; if not provided, the Account's primary administrator. Signature and date: deemed signed on the date the Customer first accepted the Terms.

Data importer: Incorporate Now Inc, 100 S. Dixie Hwy., 3rd Floor, West Palm Beach, FL 33401, United States. Activities relevant to the data transferred: providing the Service. Role: processor. Contact: legal@mailnow.ai. Signature and date: deemed signed on the date the Customer first accepted the Terms.

B. Description of transfer

Categories of data subjects:

  • the Controller's personnel and Authorized Users;
  • the Controller's end customers and Customers-of-Customers;
  • individuals who send mail to, or are named in mail addressed to, the Controller;
  • payees and payors named on Checks received by the Controller;
  • any other individuals whose personal data is contained in business correspondence handled by the Controller through the Service.

Categories of personal data:

  • identification and contact data (names, postal addresses, email addresses, telephone numbers);
  • the contents of business correspondence, including any personal data appearing in scanned mail and OCR output;
  • financial data, including bank routing and account numbers visible on the face of Checks, check amounts, check numbers, payee and payor identifiers, and signatures;
  • credentials of integrations the Controller chooses to connect, stored encrypted at rest;
  • account profile data and authentication metadata synchronized from the authentication provider listed at /legal/subprocessors;
  • billing identifiers and metadata returned by the payment processor listed at /legal/subprocessors;
  • usage, request, and audit logs generated in the course of providing the Service.

Sensitive data: the Service is not intended to process special categories of personal data within the meaning of GDPR Article 9 or data relating to criminal convictions and offences within the meaning of GDPR Article 10. However, such data may incidentally appear in mail content. The Processor applies the same technical and organizational measures (described in Annex II) to such data when it appears.

Frequency of the transfer: continuous, for the duration of the Terms.

Nature of the processing: receipt and physical handling of mail addressed to the Controller; opening, scanning, and digitization of mail; OCR-based text extraction; AI-assisted summarization, categorization, and matching; storage and display of mail and check records in the Service; physical deposit of Checks at the Controller's instruction; transactional and notification email delivery; back-up and restore.

Purposes of the data transfer and further processing: performance of the Service for the Controller, security of the Service, compliance with the Processor's legal obligations, and the other purposes described in the Privacy Policy.

Period for which the personal data will be retained: for the duration of the Terms, plus the post-termination retention periods set out in Section 11 of this DPA and in the Privacy Policy, subject to longer retention required by law.

Sub-processor processing: see Annex III.

C. Competent supervisory authority

For transfers governed by the EU SCCs, the competent supervisory authority is the supervisory authority of the EEA member state whose law applies under EU SCC Clause 17, and where the laws of the Republic of Ireland apply, the Irish Data Protection Commission. For transfers governed by the UK Addendum, the competent supervisory authority is the UK Information Commissioner's Office. For transfers governed by the FADP, the competent supervisory authority is the FDPIC.

Annex II — Technical and Organizational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, the Processor implements the following technical and organizational measures designed to ensure a level of security appropriate to the risk (GDPR Article 32). These measures supplement, and should be read together with, the security disclosures in our Privacy Policy.

1. Encryption

  • TLS is used for all connections to the Service and for transmissions to sub-processors that support it.
  • Stored documents (including scanned mail and check images) and database contents are encrypted at rest.
  • Long-lived secrets stored on behalf of the Controller are encrypted at rest with application-managed keys.

2. Access control and tenant isolation

  • Authentication is delegated to the authentication provider listed at /legal/subprocessors; password material is held by that provider and is not visible to the Processor.
  • The Service is multi-tenant at the customer/company layer. Server-side authorization checks scope every list, detail, download, object-serving, and export endpoint to the Controller's tenant.
  • Internal administrative roles are separated from customer-facing roles, with the principle of least privilege applied to both.
  • Access by Processor personnel to production systems is restricted to those with a documented need; privileged access requires individual accounts and is logged.

3. Secret management

  • Production secrets (API keys, webhook signing keys, database credentials) are stored in the platform's managed secret store and injected into the runtime environment.
  • Secrets are not committed to source control; secret-scanning runs before changes are merged, and dependency audits are run on a regular cadence.

4. Audit logging and monitoring

  • Administrative actions on Controller records (mail items, checks, users, deposits, bank accounts) are recorded in an audit timeline visible to the Controller's administrators.
  • Server-side request, error, and webhook logs are retained for a commercially reasonable period and are reviewed during incident investigation.

5. Backup and restore

  • Database and document storage are backed up on a 30-day rolling cycle, so each backup copy is overwritten in the ordinary course approximately 30 days after it is taken (see Section 11). Backups are encrypted at rest.
  • Restore procedures are tested periodically.

6. Vulnerability management and secure SDLC

  • Dependencies are tracked and audited; a documented dependency-audit process is run on a regular cadence.
  • Code changes go through review before they reach production.
  • Static application security testing and secret-scanning are performed in development workflows.

7. Incident response

  • The Processor maintains an incident-response process that defines triage, containment, eradication, recovery, and post-incident review steps.
  • Confirmed personal data breaches affecting Controller data are reported to the Controller in line with Section 8.

8. Vendor and sub-processor risk management

  • The Processor maintains the public sub-processor list at /legal/subprocessors and reviews material sub-processors before engagement.
  • Sub-processors are bound by data protection terms no less protective than those in this DPA.

9. Physical security at the Mail Operations Center

  • The facility where physical mail is received, opened, scanned, and (where applicable) deposited operates under access controls limited to authorized personnel.
  • Personnel handling physical mail are subject to background checks appropriate to their role.
  • Physical mail awaiting scanning, forwarding, deposit, or shredding is stored in restricted-access areas.
  • Mail to be destroyed is destroyed using cross-cut shredding or an equivalent process.

10. Personnel

  • Personnel with access to Customer Personal Data are bound by written confidentiality obligations.
  • Personnel are trained on the handling of mail, checks, and customer data, including their data-protection responsibilities.

Annex III — Sub-processors

The current list of sub-processors authorized under this DPA is published at /legal/subprocessors. That page is the live Annex III to this DPA. The Processor will update it from time to time as described in Section 5.