DATA PROTECTION AGREEMENT

1. Definitions
   • Account Data: Information that relates to Customer’s relationship with EquiMine, that may include personal information as defined under Data Protection Laws (including but not limited first and last name, company name, business email address, payment billing address, telephone number, and IP address) to access Customer’s account and billing information, identity verification, maintain or improve performance of the Service, provide support, investigate and prevent system abuse, or fulfill legal obligations.
   • Agreement: The Service described in the underlying agreement between the parties.
   • Controller: A natural or legal person or organization which determines the purposes and means of the Processing of Personal Information. As used in this DPA, “Business” as defined in Data Protection Law shall have the same meaning as Controller.
   • Data Protection Laws: all applicable laws, rules, regulations, directives, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of the Processing of Personal Information (as defined below), including but not limited to the General Data Protection Regulation 2016/679 (the “GDPR”); the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, (“CCPA”), together with any amending or replacement legislation, any regulations promulgated thereunder; and any equivalent or similar laws, rules, regulations, directives, and governmental requirements in applicable jurisdictions, and any laws implementing, replacing or supplementing any of them, as amended, consolidated, extended, or replaced from time to time.
   • Data Subject: means an identified or identifiable natural person to whom Personal Information relates.
   • EU Standard Contractual Clauses: The Standard Contractual Clauses incorporated by reference in Exhibit A and forming part of this DPA pursuant to the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
   • Personal Information: Any data about or relating to an identified or identifiable natural person or household Processed by Service Provider on Customer’s behalf. It includes information that is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information does not include aggregated or deidentified data, publicly available data nor Property Record Data which EquiMine licenses to Customer. As used in this DPA “personal data” shall have the same meaning as Personal Information.
   • Processing: Any operation or set of operations on Personal Information, whether or not by automatic means, including but not limited to, collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.
   • Property Record Data: Publicly available information that is lawfully made available from federal, state, or local government records and may include ownership details, such as owner’s name, address and parcel or property identification number; location and legal description, such as physical address and legal description of the property; physical characteristics, such as size and dimensions, building details, and zoning and land use; any applicable zoning classifications; valuation and tax information, such as assessed value, market value and tax history; sales and transaction history, such as sales price and dates and mortgage, lien, and encumbrance data; and court records that impact the status of a property, for example civil filings or liens against the property.
   • Security Incident: A breach of EquiMine’s security which leads to the accidental or unlawful loss, destruction, alteration, unauthorized disclosure of, or access to Personal Information.
   • Service Provider: A natural or legal person, public authority, agency, or other body which processes Personal Information on behalf of the Controller. As used in this Agreement, Service Provider shall have the same meaning as “Processor” as defined in Data Protection Laws.
   • Subprocessor: Another service provider engaged by EquiMine which Processes Personal Information.
2. Processing of Personal Information
   1. Scope: This DPA applies to the Processing of Personal Information by Service Provider to provide the Service in the Agreement. To the extent applicable, Sections 2(b)(ii) and 9, and Exhibits A and B of this DPA shall apply exclusively with regard to Account Data.
   2. Role of Parties
      1. The parties acknowledge and agree that with regard to the Processing of Personal Information for the Service under the Agreement, the Customer is the Controller, and EquiMine is the Service Provider.
      2. The parties acknowledge and agree that with regard to the Processing of Account Data, EquiMine is a Controller. EquiMine will Process Account Data as a Controller (a) in order to manage the relationship with Customer; (b) carry out EquiMine’s core business operations; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Service; (d) identity verification; (e) to comply with EquiMine’s legal or regulatory obligations; and (f) as otherwise permitted under Data Protection Laws and in accordance with this DPA, the Agreement, and the EquiMine’s Privacy Policy.
   3. Instructions for Processing: The Service Provider will Process Personal Information in accordance with the instructions of the Customer for the purpose of providing the agreed-upon Service as outlined in the Agreement. Customer agrees that the DPA and Agreement constitute the entirety of Customer’s instructions. The Customer is solely responsible for ensuring the instructions comply with Data Protection Laws. Customer shall notify Service Provider without undue delay if it believes any instruction issued by Customer is inconsistent with this DPA or violates Data Protection Laws.
   4. Business Purposes for Processing: EquiMine shall Process Personal Information on behalf of Customer solely for the following limited and specific business purposes as necessary to provide the Service described in the Agreement:
      1. Enabling Customer to upload, store, manage, access, and organize Personal Information within the Customer’s designated workspace(s) on the Service platform;
      2. Facilitating Customer’s use of Service features and functionalities that involve Processing the Personal Information stored in the workspace, as initiated and directed by the Customer (e.g., generating reports, running searches, utilizing integrated communication tools);
      3. Performing necessary data hosting, backup, and recovery functions related to the Personal Information stored in the workspace;
      4. Providing technical support and troubleshooting related to the Processing of Personal Information within the workspace, upon Customer request;
      5. Implementing security measures to protect the Personal Information within the workspace, as described in Exhibit B; and
      6. Processing Personal Information as otherwise explicitly instructed by the Customer in writing and consistent with the terms of the Agreement and this DPA
   5. Compliance with Laws: Each party will comply with its obligations related to the Processing of Personal Information under Data Protection Laws. The Customer shall (i) use the Service as specified in the Agreement in compliance with Data Protections Laws; (ii) ensure that it has a lawful basis for Processing Personal Information as required by the GDPR and other Data Protection Laws; and (iii) obtain the necessary consents from Data Subjects and provide notice to Data Subjects of the use of Service Provider, where applicable.
   6. Description of Processing: The subject matter, nature, purpose, and duration of the Processing, as well as the types of data Processed and the Data Subjects, are set forth in Annex I to the EU Standard Contractual Clauses. The Service Provider will promptly notify the Customer if it believes that Customer’s instructions for Processing violate any Data Protection Laws.
   7. Processing Personal Information of California Residents: Where applicable, for the purposes of the CCPA, in relation to all Personal Information Processed on behalf of Customer by EquiMine:
      1. The Parties agree that all Personal Information Processed by EquiMine in its capacity as a Service Provider is to enable EquiMine to perform the Service in accordance with the Agreement;
      2. EquiMine will not (and does not) sell, share, or otherwise disclose any Personal Information to third parties except as provided for in the DPA;
      3. EquiMine will not combine Personal Information with the personal information it receives from, or on behalf of, another Customer, or that it processes as a Business, except as directed by Customer or expressly permitted by Data Protection Laws.
      4. EquiMine will not retain, use, or disclose any Personal Information that it Processed pursuant to the Agreement (i) for any business or commercial purpose other than for the business purpose(s) specified under the Agreement or as otherwise permitted by Data Protection Laws; or (ii) outside the direct business relationship between EquiMine and Customer, unless expressly permitted by the law. Notwithstanding the foregoing, EquiMine shall be permitted to retain, use, or disclose Personal Information for any other purpose permitted by Data Protection Laws as applicable to Service Providers.
      5. EquiMine hereby certifies that it understands the restrictions set forth in this Section 2(g) and will comply with them.
      6. EquiMine shall promptly notify Customer in writing if EquiMine determines that it can no longer meet its obligations as a Service Provider under applicable Data Protection Laws (including, without limitation, the CCPA) or this DPA.
3. Data Security &Confidentiality: The Service Provider has implemented appropriate technical and organizational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as specified in the Information Security Exhibit attached hereto as Exhibit B. EquiMine shall maintain the confidentiality of all Personal Information Processed on behalf of Customer under this DPA. EquiMine shall not disclose such Personal Information to any third party except (i) as expressly permitted by Customer in writing, (ii) as necessary to perform the Service under the Agreement and in accordance with this DPA (including disclosures to approved Subprocessors as set forth in Section 5), or (iii) as required by law, provided that EquiMine shall, where legally permissible, provide Customer with prior notice of such legally required disclosure and a reasonable opportunity to contest such disclosure.
4. Retention and Deletion: The Service Provider will retain Personal Information only for as long as necessary to fulfill the purposes of Processing, as agreed in the Agreement or as required by law. Upon termination of this Agreement, the Service Provider shall return or securely delete all Personal Information as instructed by the Customer (and certify such deletion or return in writing), unless Data Protection Law requires storage of Personal Information, in which case Service Provider shall continue to comply with the obligations under this DPA.
5. Subprocessing
   1. Use of Subprocessors: The Customer acknowledges and agrees that Service Provider may use Subprocessors in connection with the provisions of the Agreement. The Service Provider has entered into a written agreement with each Subprocessor that includes terms no less protective than those in this DPA. The Service Provider shall remain liable for the actions of any Subprocessor to the same extent it is liable for its own actions or omissions under this DPA.
   2. Notification of New Subprocessor and Objection Right: Service Provider will not add or replace Subprocessors without informing Customer in writing (email to suffice) and providing Customer with an opportunity to object. If Customer does not provide notice of such objection within thirty (30) business days of receipt of such written notice, then the Subprocessor will be deemed accepted. If Customer reasonably objects, then the parties will work in good faith to achieve a reasonable resolution. If none can be reached, then the Service Provider will, at its option i) not use the new Subprocessor to Process Customer Personal Information, ii) suspend or iii) permit Customer to suspend or terminate the Agreement.
6. Data Protection Impact Assessments: Taking into account the nature of the Processing and the information available to the Service Provider, the Service Provider shall provide such information and assistance Customer reasonably requires to enable Customer’s compliance with its obligations under Data Protection Law with respect to: (i) Data Protection Impact Assessments (DPIAs); (ii) prior consultation with a supervisory authority regarding high-risk Processing; and (iii) providing the necessary documentation to demonstrate compliance with this DPA.
7. Data Subject Rights
   1. Data Subject Requests: Except as to Account Data, Customer is solely responsible for responding to any Data Subject requests. In the event that EquiMine receives a Data Subject request from a consumer which is attributable to Customer, EquiMine shall notify Customer of the Data Subject request. Notwithstanding the foregoing, EquiMine shall have no obligation to identify, or attempt to verify, the Data Subject’s request in order to determine the Data Subject’s relationship to Customer.
   2. Assistance: To the extent technically feasible, EquiMine shall assist Customer with fulfilling valid Data Subject requests as applicable to the Personal Information Processed on behalf of Customer.
8. Security Incident: In the event of a Security Incident affecting the Personal Information EquiMine Processes on behalf of the Customer, EquiMine will notify the Customer without undue delay and, where feasible, within 48 hours after becoming aware of the Security Incident. EquiMine will provide sufficient information to allow the Customer to comply with its legal obligations under Data Protection Laws.
9. Transfer of Personal Information
   1. EU/EEA: To the extent Customer’s use of the Service involves a transfer of Personal Information from the European Union, the European Economic Area and/or their member states to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws of the foregoing territories, the parties agree to the transfer of Personal Information in accordance with the EU Standard Contractual Clauses incorporated by reference hereto in Exhibit A, or in accordance with GDPR articles 44 to 49.
   2. United Kingdom: To the extent Customer’s use of the Service involves a transfer of Personal Information from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Law of the foregoing territory, the parties agree to the transfer of Personal Information in accordance with the EU Standard Contractual Clauses, as amended by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and incorporated by reference hereto in Exhibit A.
   3. Switzerland: To the extent Customer’s use of the Service involves a transfer of Personal Information from Switzerland to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Law of the foregoing territory, the parties agree to the transfer of Personal Information in accordance with the EU Standard Contractual Clauses, as amended by the Swiss Addendum to the EU Standard Contractual Clauses, and incorporated by reference hereto in Exhibit A.
   4. Conflicts: In the event of any express conflict between the data transfer mechanism and this DPA, the applicable data transfer mechanism shall prevail to the extent of such conflict
10. Audit and Compliance
    1. The parties acknowledge that when EquiMine is acting as a Service Provider on behalf of Customer, Customer must be able to assess EquiMine’s compliance with its obligations under Data Protection Law and this DPA.
    2. EquiMine uses external auditors to verify the adequacy of its security measures with respect to its Processing of Customer Personal Information. Upon written request and at no additional cost to Customer, EquiMine shall provide Customer, and/or its appropriately qualified third-party representative, access to reasonably requested documentation evidencing EquiMine’s compliance with its obligations under this DPA in the form of the relevant audits or certifications.
11. De-Identified and Aggregated Personal Information Nothing in this DPA shall be construed as to prohibit EquiMine from de-identifying or aggregating Personal Information, provided that EquiMine shall:
    1. Take reasonable steps to keep the information from being associated with a consumer or household.
    2. Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that EquiMine may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of Data Protection Law.
    3. Contractually obligates any recipients of the information to comply with all provisions of this Section 11.

EXHIBIT A

TRANSFER MECHANISMS

Application of Standard Contractual Clauses Incorporated by Reference

Where Personal Information or Account Data governed by the GDPR, UK GDPR, and/or FADP is transferred to a country that does not provide an adequate level of protection for Personal Information, and no other legal transfer mechanism applies to the transfer of Personal Information or Account Data, the parties agree the following, as applicable:

1. EU Standard Contractual Clauses
   1. 1.1 In relation to Personal Information that is protected by the GDPR, the EU Standard Contractual Clauses MODULE 2 shall apply as applicable. The applicable Module is incorporated by reference and is completed as follows.
      1. 1.1.1: Clause 7, the optional docking clause does apply;
      2. 1.1.2: Clause 9(a), Option 2 will apply and the time period for prior notice of Subprocessor changes will be thirty (30) days;
      3. 1.1.3: Clause 11(a), the optional redress language will not apply;
      4. 1.1.4: Clause 17, Option 1 will apply: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland;
      5. 1.1.5: Clause 18(b): the Parties agree that those shall be the courts of Ireland; and
      6. 1.1.6: Annexes I, II and III of the EU Standard Contractual Clauses shall be deemed completed with the information set out in the Exhibit A Appendix to this DPA.
   2. 1.2 In relation to Account Data that is protected by the GDPR, the EU Standard Contractual Clauses MODULE 1 shall apply as applicable. The applicable Module is incorporated by reference and is completed as follows.
      1. 1.2.1: Clause 7, the optional docking clause will apply;
      2. 1.2.2 Clause 11, the optional redress language will not apply;
      3. 1.2.3 Clause 17, Option 1 will apply: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland;
      4. 1.2.4 Clause 18(b): the Parties agree that those shall be the courts of Ireland; and
      5. 1.2.5 Annexes I, II and III of the EU Standard Contractual Clauses shall be deemed completed with the information set out in the Exhibit A Appendix to this DPA.
2. UK Addendum to the EU Standard Contractual Clauses

   The Information Commissioner (ICO) considers the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, VERSION B1.0, in force 21 March 2022 (the “UK Addendum”) provides appropriate safeguards for the purposes of transfers of Personal Information to a third country or an international organisation in reliance on Article 46 of the UK GDPR and, with respect to data transfers from controllers to processors and/or processors to processors. The EU Standard Contractual Clauses will apply in accordance with sub-section 1 with the following modifications:

   1. 2.1: the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement
   2. 2.2: The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed this DPA.
   3. 2.3: Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information as set for the in the Exhibit A Appendix to this DPA.
   4. 2.4: For the purposes of Table 4, the parties agree that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.
   5. 2.5: Any references in the EU Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU)2016/679” shall be interpreted as references to the UK GDPR, references to “EU”, “Union” and “Member State law” shall be interpreted as references to English law,
   6. 2.6: References to the “competent supervisory authority” and “competent courts” shall be interpreted as references to ICO and courts in England.
3. Swiss Addendum to the EU Standard Contractual Clauses Standard as applicable

   In relation to Personal Information that is protected by the FADP, the EU Standard Contractual Clauses will apply in accordance with sub-section 1 with the following modifications:

   1. 3.1: The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” shall be interpreted as the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised and in effect as of 01 September 2023, the “nFADP”) with respect to data transfers subject to the FADP.
   2. 3.2: References to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the nFADP.
   3. 3.3 References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” in the EU SCCs shall be deemed to include Switzerland. references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland", or "Swiss law."
   4. 3.4: The term “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
   5. 3.5: References to the "competent supervisory authority" and "competent courts" will be replaced with the "Federal Data Protection and Information Commissioner of Switzerland" and the "relevant courts in Switzerland."
4. Alternative Data Transfer Mechanism

   If an Alternative Data Transfer Mechanism applies to the transfer of Personal Information or Account Data, the Alternative Data Transfer Mechanism shall apply instead of any data transfer mechanism mentioned in this DPA only to the extent that it complies with Data Protection Laws and extends to territories in which Personal Information is processed. An “Alternative Data Transfer Mechanism” means a mechanism, other than the EU Standard Contractual Clauses, that enables the lawful transfer of Personal Information and Account Data to a third country in accordance with Data Protection Laws.

APPENDIX

ANNEX I

1. LIST OF PARTIES
   1. Data exporter(s):

      Name: Customer, as defined in the Agreement and this DPA
      Address: As set forth in the Agreement or identified in Customer’s Account Data
      Contact person’s name, position and contact details: As set forth in the Agreement or identified in Customer’s Account Data

      Activities relevant to the data transferred under these Clauses: Customer’s Account Data, as defined in the Agreement

      Role: Controller

   2. Data importer(s): EquiMine d/b/a PropStream

      Name: EquiMine
      Address: 26457 Rancho Parkway South, Lake Forest, California 92630
      Contact person’s name, position and contact details: Privacy Officer, privacyinquiry@propstream.com

      Activities relevant to the data transferred under these Clauses: Processes Customer’s Account Data, as defined in the Agreement, in order to administer the Service

2. DESCRIPTION OF TRANSFER

   Categories of data subjects whose personal data is transferred

   End User/Customer

   Categories of personal data transferred

   Account Data, as defined in the DPA

   Sensitive data transferred (if applicable)

   Data Importer does not knowingly collect or transfer any special categories of data.

   The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

   Account Data will be transferred on a continuous basis as necessary for the Data Importer to provide Service to the Data Exporter pursuant to the Agreement.

   Nature and the Purposes of the data transfer and processing
   Personal Information contained in Account Data will be Processed to manage the account, including to access Customer’s account and billing information, for identity verification, to maintain or improve the performance of the Service, to provide support, to investigate and prevent system abuse, or to fulfill legal obligations

   The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

   Data Exporter will Process Personal Information for the duration of the Agreement, and as set forth in Data Exporter’s Privacy Policy and pursuant to Data Exporter’s data retention policies, unless otherwise agreed upon in writing.

   For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

   To the extent applicable, Data Exporter may engage processors to assist with the provision of the Service, including Processing Personal Information for the same subject matter, nature, and duration as the processor except as otherwise required under applicable laws.

3. COMPETENT SUPERVISORY AUTHORITY

   Identify the competent supervisory authority/ies in accordance with Clause 13

   Supervisory Authority of the EU Member State as identified in Clause 13 of the EU Standard Contractual Clauses based on the Data Exporter’s place of establishment respective to the EU or, where not established in the EEA, where its EU representative has been appointed pursuant to Article 27(1) of the GDPR.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

• Please see Information Security Exhibit B.

ANNEX III

LIST OF SUB-PROCESSORS

The Data Exporter has provided general authorisation for the use of Subprocessors, a list of which is to be made available to the Customer on request.