Data Processing Addendum

This Data Processing Addendum ("DPA") is entered into between WorkSlate, Inc. ("WorkSlate" or "Processor") and the Customer identified in the applicable Order Form or Terms of Service ("Customer" or "Controller"). This DPA supplements the Terms of Service and governs WorkSlate's processing of personal data on behalf of Customer. In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to data protection matters.

1. Definitions

• "Controller" means the entity determining the purposes and means of processing personal data. Customer is the Controller of Customer Data.
• "Processor" means the entity processing personal data on behalf of the Controller. WorkSlate is the Processor.
• "Personal Data" means any information relating to an identified or identifiable natural person under applicable Data Protection Laws.
• "Data Protection Laws" means all applicable laws governing processing of personal data, including GDPR, UK GDPR, CCPA/CPRA, and PIPEDA.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and Council.
• "Sub-processor" means any third party engaged by WorkSlate to process Personal Data on WorkSlate's behalf.
• "Security Incident" means a confirmed breach of security leading to unauthorized destruction, loss, alteration, or access to Personal Data.
• "AI Processing" means any processing of Personal Data using artificial intelligence, machine learning, or automated decision-making systems as further described in the AI Addendum.

2. Scope and Role of the Parties

Customer instructs WorkSlate to process Personal Data solely to provide the Services described in the Terms of Service and Schedule A. WorkSlate shall process Personal Data only on Customer's documented instructions unless required by applicable law. Customer warrants that it has a lawful basis to transfer Personal Data to WorkSlate for processing.

3. Customer Instructions

• Provide the field and home service management platform and customer portal
• Send transactional and, where consented, marketing communications
• Process payments and manage billing records
• Provide customer support
• Power AI-assisted features as described in the AI Addendum, subject to Customer's configuration and consent settings
• Comply with legal obligations applicable to WorkSlate

4. Confidentiality of Personal Data

WorkSlate shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations. Access shall be limited to personnel who require it to perform the Services.

5. Security Measures

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and least-privilege principles
• Multi-factor authentication for internal systems
• Regular vulnerability assessments, penetration testing, and audits
• Incident response and breach notification procedures
• Employee security training
• AI-specific safeguards as described in the AI Addendum

6. Sub-processors

6.1 Customer provides general authorization for WorkSlate to engage Sub-processors. A current list is maintained at getworkslate.com/legal/subprocessors and includes AI model providers where applicable.

6.2 WorkSlate will provide thirty (30) days advance notice of any intended addition or replacement of a Sub-processor. Customer may object within fifteen (15) days. If the objection cannot be resolved, Customer may terminate the affected Services without penalty.

6.3 WorkSlate shall impose data protection obligations on Sub-processors substantially equivalent to this DPA and shall remain liable for their acts and omissions.

7. AI Processing

Where WorkSlate processes Personal Data using AI features, such processing is subject to the additional terms in the AI Addendum. AI Processing shall only occur to the extent: (a) necessary to provide the Services; (b) permitted by Customer's configuration and consent settings; and (c) consistent with applicable Data Protection Laws, including restrictions on automated decision-making with significant effects under GDPR Article 22.

8. Data Subject Rights

WorkSlate shall provide reasonable assistance to Customer in fulfilling Data Subject rights requests under applicable law. If WorkSlate receives a Data Subject request directly, it will promptly forward to Customer and take no action without Customer's authorization, except as required by law.

9. Data Protection Impact Assessments

Upon reasonable request, WorkSlate will cooperate to assist Customer in conducting DPIAs or prior regulatory consultations, including where AI Processing is involved.

10. Security Incidents

10.1 WorkSlate shall notify Customer within seventy-two (72) hours of becoming aware of a confirmed Security Incident involving Customer's Personal Data.

10.2 Notification will include: (a) nature of the incident; (b) categories and approximate number of Data Subjects and records affected; (c) likely consequences; and (d) measures taken or proposed.

11. International Data Transfers

For transfers of Personal Data from the EEA, UK, or Switzerland to the U.S., such transfers shall be governed by Standard Contractual Clauses (Module 2: Controller to Processor, EU Commission Decision 2021/914) and the UK International Data Transfer Addendum (IDTA), both incorporated herein by reference. In the event of conflict between the SCCs and this DPA, the SCCs shall prevail with respect to international transfer obligations.

12. Audit Rights

Upon Customer's written request (no more than once per calendar year), WorkSlate shall provide compliance evidence including SOC 2 Type II reports, certifications, or questionnaire responses. On-site audits require advance agreement on scope, timing, and cost.

13. Return and Deletion of Personal Data

Upon termination, WorkSlate shall, at Customer's election, return or securely delete all Personal Data within thirty (30) days, subject to the Permanent Account Deletion Terms. WorkSlate may retain Personal Data as required by applicable law; such retention remains subject to confidentiality and security obligations herein.

14. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing limits either party's liability to Data Subjects or supervisory authorities as required by applicable Data Protection Laws.

15. Governing Law

This DPA is governed by the laws of the State of Delaware, except where SCCs or the UK IDTA apply, in which case their governing law provisions take precedence for matters covered thereby.

Schedule A — Description of Processing

Nature and Purpose. WorkSlate processes Personal Data to provide field and home service management software including customer portal functionality, payment processing, SMS and email communications, scheduling, AI-assisted features, and customer support.

Categories of Data Subjects

• Customer employees, administrators, and field technicians
• Customer end customers (homeowners or business clients)

Categories of Personal Data

• Identification data: name, email, phone number, postal address
• Financial data: payment card type, last four digits, billing address
• Service data: job details, quotes, invoices, service history, equipment records
• Communication data: SMS consent records, email opt-in records, message logs
• Device and usage data: IP address, browser type, session data
• AI interaction data: inputs and outputs related to AI-assisted features

Sensitive Categories. WorkSlate does not intentionally collect sensitive categories. Customer shall not submit sensitive categories without prior written agreement and appropriate safeguards.

Sub-processors. Full list at getworkslate.com/legal/subprocessors. Key sub-processors include payment processors (e.g., Stripe), SMS providers (e.g., Twilio), cloud infrastructure (e.g., Supabase, Vercel), and AI providers (e.g., Anthropic).