
Data Processing Addendum

SongBird, Inc. · Brand: Flock by SongBird · Governing law: State of Delaware

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Master Services Agreement and applicable Order Form (together, the "Agreement") between SongBird, Inc. ("SongBird," "Flock," "we," or "Processor/Service Provider") and the dealer customer identified in the Order Form ("Client," "Dealer," or "Business/Controller"). It governs SongBird's processing of Personal Information on Client's behalf in connection with the Services. In the event of a conflict between this DPA and the rest of the Agreement on data-protection matters, this DPA controls.

1. Definitions

  • "Applicable Privacy Laws" means all U.S. federal and state laws and regulations relating to the privacy and security of Personal Information that apply to a party's processing under the Agreement, including the California Consumer Privacy Act as amended by the CPRA and its regulations (the "CCPA"), other U.S. state comprehensive privacy laws, the Gramm-Leach-Bliley Act ("GLBA") and its Safeguards Rule, the Telephone Consumer Protection Act, and the CAN-SPAM Act.
  • "Personal Information" (or "Personal Data") means information relating to an identified or identifiable individual that SongBird processes on Client's behalf under the Agreement, including "personal information" and "nonpublic personal information" as defined by Applicable Privacy Laws. It is part of the "Customer Content" defined in the Agreement.
  • "Business," "Controller," "Service Provider," "Processor," "Sell," "Share," "Consumer," and "Process/Processing" have the meanings given under Applicable Privacy Laws.
  • "Subprocessor" means a third party engaged by SongBird to process Personal Information in connection with the Services.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information processed by SongBird or its Subprocessors.

The details of the processing are set out in Schedule 1.

2. Roles of the Parties

With respect to Personal Information processed through the Services, Client is the Business/Controller and SongBird is the Service Provider/Processor acting on Client's documented instructions. Client is responsible for the accuracy, quality, and legality of the Personal Information and for having provided all required notices and obtained all required consents and authorizations for SongBird to process it for the purposes of the Services. The Agreement, this DPA, and Client's configuration and use of the Services constitute Client's documented instructions.

To the extent SongBird independently determines purposes and means of processing certain data — for example, when it operates as a Business/Controller for its own account administration, security, and de-identified/aggregated analytics under the Agreement — SongBird's Privacy Policy governs that processing, not this DPA.

3. Processing Obligations

SongBird will:

  1. process Personal Information only for the purpose of providing and improving the Services as described in the Agreement and on Client's documented instructions, and not for any other purpose;
  2. not Sell or Share Personal Information, and not retain, use, or disclose it outside the direct business relationship or for any purpose other than the "business purposes" specified in the Agreement, except as permitted by Applicable Privacy Laws;
  3. not combine Personal Information received from or on behalf of Client with Personal Information from other sources, except as permitted for a Service Provider under the CCPA (for example, to perform a business purpose);
  4. comply with the applicable obligations of a Service Provider/Processor under Applicable Privacy Laws and provide Personal Information the same level of privacy protection required of Client as a Business;
  5. notify Client without undue delay if it determines it can no longer meet its obligations under Applicable Privacy Laws; and
  6. ensure that persons authorized to process Personal Information are bound by appropriate confidentiality obligations.

Client may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

4. De-Identified and Aggregated Data

SongBird may create de-identified and aggregated data from Personal Information for its own purposes (including to operate, secure, benchmark, and improve the Services and develop new products), provided that it (a) takes reasonable measures to ensure the data cannot be associated with an individual, (b) publicly commits to maintain and use the data in de-identified form and not attempt re-identification, and (c) contractually obligates recipients to comply with these requirements. De-identified and aggregated data is not Personal Information.

5. Subprocessors

Client provides general authorization for SongBird to engage Subprocessors (including hosting, communications/messaging, analytics, AI, payment, and Product Partner service providers) to process Personal Information, provided SongBird: (a) imposes data-protection obligations on each Subprocessor that are substantially equivalent to those in this DPA; and (b) remains responsible for its Subprocessors' performance. A current list of Subprocessors is available on request. SongBird will provide a mechanism to notify Client of new Subprocessors and a reasonable period to object on legitimate data-protection grounds.

6. Security

SongBird will implement and maintain reasonable and appropriate administrative, technical, organizational, and physical safeguards designed to protect Personal Information against a Security Incident, taking into account the nature of the processing. These measures address, at a minimum, the safeguards summarized in Schedule 2 and the requirements of the GLBA Safeguards Rule with respect to nonpublic personal financial information processed through FlockCover, FlockFinance, and FlockProtect.

7. Security Incident Notification

SongBird will notify Client without undue delay, and in any event within seventy-two (72) hours after becoming aware of a confirmed Security Incident affecting Client's Personal Information. The notice will describe, to the extent known, the nature of the incident, the categories and approximate number of individuals and records affected, and the measures taken or proposed. SongBird will reasonably cooperate with Client's investigation and remediation. SongBird's notification is not an acknowledgment of fault. As between the parties, Client is responsible for determining whether the incident triggers legal notification obligations to regulators or individuals and for making any such notifications, unless otherwise required of SongBird by law.

8. Assistance with Consumer Rights and Compliance

Taking into account the nature of the processing, SongBird will provide reasonable assistance to enable Client to: (a) respond to verifiable Consumer requests to know/access, correct, delete, or port Personal Information, and to opt out of Sale/Share or targeted advertising; and (b) meet its obligations to maintain the security of processing and, where applicable, conduct data-protection assessments. If SongBird receives a Consumer request directed to Client's Personal Information, it will, where permitted, direct the Consumer to Client or promptly inform Client.

9. Audits

Upon reasonable prior written notice and no more than once per twelve (12) months (unless required by a regulator or following a Security Incident), SongBird will make available information reasonably necessary to demonstrate its compliance with this DPA, which may be satisfied through up-to-date third-party audit reports or certifications. Any on-site assessment will be at Client's expense, during business hours, subject to confidentiality, and conducted so as not to disrupt SongBird's operations or compromise other customers' data.

10. Return or Deletion of Personal Information

Upon termination or expiration of the Agreement, SongBird will, at Client's election and within a commercially reasonable period, return and/or delete Personal Information processed on Client's behalf, except (a) de-identified and aggregated data, and (b) Personal Information SongBird is required to retain by law or for legitimate record-keeping, which it will continue to protect under this DPA. Client is responsible for exporting its data before the end of the term.

11. International Transfers

SongBird processes Personal Information in the United States. The parties do not anticipate transfers subject to non-U.S. data-transfer mechanisms; if any apply, the parties will cooperate to put appropriate safeguards in place.

12. Liability and General

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. Except as amended by this DPA, the Agreement remains in full force. This DPA is governed by the same law and dispute-resolution provisions as the Agreement (State of Delaware). If any provision is held invalid, the remainder remains in effect.


Schedule 1 — Details of Processing

Item: Detail
Roles: Client = Business/Controller; SongBird = Service Provider/Processor
Subject matter: Provision of the FlockConnect platform and the FlockCover, FlockFinance, and FlockProtect verticals
Duration: The term of the Agreement, plus any legally required retention period
Nature and purpose: Integrating with Client's DMS and CRM to shop, monitor, and engage Client's prospects, sales customers, and service customers; presenting and facilitating insurance, financing, and protection offers; analytics, support, and security
Categories of individuals: Client's prospects, sales customers, service customers; Client's Authorized Users
Categories of Personal Information: Identifiers (name, contact details); vehicle and ownership data; communications and engagement data (call, SMS, email metadata and content where applicable); and, for the finance/insurance verticals, certain nonpublic personal financial and insurance-related information
Sensitive data: Not intentionally processed; do not submit special-category data beyond what the Services require
Frequency: Continuous, for the duration of the Services

Schedule 2 — Security Measures (summary)

Access controls and least-privilege authorization; encryption of Personal Information in transit and, where appropriate, at rest; network and application security controls; logging and monitoring; secure software-development and change-management practices; vendor/Subprocessor risk management; personnel confidentiality and security training; data-retention and secure-disposal procedures; and an incident-response process. Specific controls may evolve, provided protection is not materially diminished.