This Data Processing Addendum ("DPA") supplements the CoverPin Master License and Support Agreement (the "Agreement") entered into by and between the customer signing this DPA ("Customer") and CoverPin Inc. ("CoverPin"). By executing this DPA, Customer enters into this Addendum on behalf of itself and, where applicable under relevant Data Protection Laws, in the name and on behalf of its Affiliates (as defined below). This DPA incorporates the terms of the Agreement, and any terms not defined herein shall have the meaning ascribed in the Agreement.

1. DEFINITIONS
   "Affiliate," "Customer Account Data," "Customer Information," "Data Exporter," "Data Importer," "Data Protection Laws," "EU SCCs," "ex-EEA Transfer," "ex-UK Transfer," "Personal Data," "Personal Data Breach," "Services," "Standard Contractual Clauses," "Sub-Processor," and "UK SCCs" shall have the meanings assigned to them in the corresponding sections of this DPA, consistent with GDPR, CCPA, and other applicable frameworks.

2. DATA PROCESSING
   The parties agree that Customer may act as a controller or processor and that CoverPin acts as a processor, except where expressly stated otherwise. Customer shall ensure all Personal Data provided is lawfully collected and that its instructions comply with Data Protection Laws. CoverPin shall process Personal Data only as instructed by Customer and in accordance with the Agreement and this DPA. Upon termination of the Services, CoverPin shall return or delete Personal Data, unless retention is required by law.

3. CONFIDENTIALITY
   CoverPin shall ensure that any individual it authorizes to process Personal Data is subject to appropriate confidentiality obligations. Disclosure to advisors, auditors, or third parties shall be permitted where necessary to fulfill contractual obligations.

4. SUB-PROCESSORS
   Customer provides general written authorization for CoverPin to engage Sub-Processors. CoverPin shall provide advance notice of new Sub-Processors and allow for reasonable objections on data protection grounds. CoverPin shall remain liable for its Sub-Processors' compliance with equivalent data protection obligations.

5. SECURITY MEASURES
   CoverPin shall implement technical and organizational measures to protect Personal Data, including encryption, access controls, backup and restoration procedures, and periodic security assessments, as described in Exhibit C.

6. TRANSFERS OF PERSONAL DATA
   CoverPin may transfer Personal Data internationally as necessary for the performance of the Agreement, subject to implementation of appropriate safeguards such as the EU SCCs, UK SCCs, or other lawful transfer mechanisms. Specific provisions for ex-EEA, ex-UK, and Swiss transfers, as well as supplementary measures and audit rights, are detailed in the exhibits to this DPA.

7. DATA SUBJECT RIGHTS
   CoverPin shall assist Customer in responding to Data Subject Requests in accordance with applicable Data Protection Laws. Customer remains responsible for initiating and directing such requests.

8. AUDIT RIGHTS
   CoverPin shall maintain documentation evidencing compliance with this DPA and will provide audit access as required, subject to confidentiality and frequency limitations, as further detailed in Section 8 and Exhibit C.

9. PERSONAL DATA BREACH
   CoverPin shall notify Customer without undue delay upon becoming aware of a Personal Data Breach and shall provide reasonable cooperation to support Customer’s compliance with notification obligations.

10. CUSTOMER ACCOUNT DATA
    CoverPin shall act as an independent controller for Customer Account Data and will process such data in accordance with applicable laws and its published privacy policy.

11. CONFLICT
    In the event of conflict, the following order of precedence shall apply: (1) Standard Contractual Clauses, (2) this DPA, (3) the Agreement, and (4) CoverPin’s privacy policy.

12. EXECUTION
    This DPA shall become legally binding upon execution by both parties. Execution may be completed via electronic signature or as otherwise permitted by law.