Last Modified: May 19, 2025

This Data Processing Agreement (this “DPA”) forms a part of the Master Solution Agreement (the “Agreement”) entered into by and between OmegaFi Financial, LLC, d/b/a OmegaFi, a Delaware limited liability company (“OmegaFi”) and Customer. Any capitalized terms used in this DPA but not defined shall have the respective meanings given to them in the Agreement. The Parties enter into this DPA to comply with applicable Data Protection Laws (as defined below).

  1. Certain Defined Terms. Capitalized terms used in this DPA but not otherwise defined in this DPA or the Agreement have the following meanings:

    a.     “Applicable Law” means all laws, rules, regulations, rulings, decrees, directives, or other requirements of any governmental authority, and all current industry self-regulatory principles that (a) apply to this DPA; (b) relate to the Parties’ rights and obligations in this DPA; or (c) apply to the collection, processing, and storage of Personal Data.

    b.     “Data Protection Laws” means all Applicable Laws, self-regulatory rules and guidelines, and Customer policies relating to or impacting the processing, privacy, or security of Personal Information, including the California Privacy Rights Act of 2020.

    c.     “Personal Information” means information processed by OmegaFi on behalf of Customer through the Service that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly to, a natural person. “Personal Information” does not include Usage Data.

    d.     “Usage Data” means data and information related to Customer’s and its Users’ use of the Service through system logging and other tools that automatically collect information on events that occur through use of the Service.
  2. Scope. This DPA only applies to the extent that OmegaFi processes Personal Information on behalf of Customer in the course of providing the Service. This DPA does not apply to the processing of Personal Health Information (as defined in Data Protection Laws). In the event OmegaFi processes Personal Health Information on behalf of Customer, the Parties will enter into a Business Associate Agreement (as defined in Data Protection Laws) that will govern such processing. To the extent Usage Data is considered Personal Information under applicable Data Protection Laws, OmegaFi is the “controller” or “business” with respect to such Usage Data.
  3. Compliance with Laws. Each Party shall comply with its obligations under applicable Data Protection Laws. Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by OmegaFi. If applicable Data Protection Laws related to the processing of Personal Information change, OmegaFi may make any necessary amendments to this DPA.
  4. Instructions. OmegaFi shall process Customer’s Personal Information in accordance with Customer’s documented lawful instructions as set forth in this DPA and the Agreement and as otherwise necessary to provide the Service (together “Processing Instructions”). Customer will ensure that its Processing Instructions comply with Applicable Laws. If, in OmegaFi’s opinion, Customer’s Processing Instructions violate applicable Data Protection Laws, OmegaFi will notify Customer. OmegaFi may, without penalty, refuse further processing of Personal Information under this DPA that it believes to be in violation of any Applicable Law, including any applicable Data Protection Laws.
  5. Use of Personal Information. OmegaFi may process Personal Information to provide the Service and as otherwise provided in the Agreement and this DPA. OmegaFi shall not:

    a.    sell, share (as such terms are defined under applicable Data Protection Laws) or otherwise disclose any Personal Information to any third party other than its duly authorized subcontractors for purposes of performing the Service;

    b.    collect, retain, use, or otherwise disclose or process Personal Information, including Personal Information, for any purpose other than as necessary to provide the Service specified in the Agreement or outside of the direct business relationship between OmegaFi and Customer; provided that OmegaFi may retain, use and disclose Personal Information obtained during the course of providing Service to retain and employ a Subprocessor (as defined below), for internal purposes to build or improve the quality of its services, to detect data security incidents or protect against fraudulent or illegal activity, or as otherwise permitted by Data Protection Laws; or

    c.     combine Personal Information with Personal Information OmegaFi receives from, or on behalf of, another person or persons, or which OmegaFi collects from its own interactions with an individual, in each case except as expressly agreed by Customer and permitted by Applicable Laws.

OmegaFi certifies that it understands the restrictions in this Section 5 and will comply with them.

  6. Security. OmegaFi will implement and maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of Customer Content processed through the Service. OmegaFi may update its security measures, provided that any updates shall not materially diminish the overall security of Personal Information or the Service.
  7. Subprocessors. Customer generally authorizes OmegaFi to engage third parties to assist in the processing of Personal Information on behalf of Customer (each, a “Subprocessor”), including the Subprocessors listed on Schedule 1 to this DPA. OmegaFi shall require that each person processing Personal Information on its behalf be subject to a duty of confidentiality with respect to such Personal Information. If OmegaFi engages a Subprocessor, OmegaFi shall provide notice to Customer of that engagement by way of updating Schedule 1. Customer shall have thirty (30) days to object to such engagement by providing written notice to OmegaFi as provided in the Agreement.
  8. Disposition of Personal Information Upon Termination. Upon termination of the Agreement, OmegaFi will promptly delete all Personal Information in its custody or control, except for Personal Information retained in OmegaFi’s backup files, if any, which will be deleted in the ordinary course of OmegaFi’s business in accordance with its standard data retention schedules.
  9. Third Party Communications. OmegaFi shall promptly notify Customer if it receives any communication from a third party (from an individual, a governmental or otherwise) which relates to the processing of Personal Information, or to either Party’s compliance with Data Protection Laws, and shall refer such third party to Customer.
  10. Compliance and Audit.

    a.    OmegaFi shall provide all information reasonably necessary to demonstrate compliance with this DPA.

    b.    OmegaFi shall allow Customer or an auditor appointed by Customer to, not more than once every twelve (12) months unless required by Applicable Law, carry out audits or other security assessment (“Security Assessment”) relating to the processing of Personal Information by OmegaFi. The scope of any Security Assessment shall be mutually agreed by the Parties in advance. Customer shall be solely responsible for all costs related to any Security Assessment, including all costs incurred by OmegaFi in connection with cooperating with such Security Assessment.

    c.    OmegaFi may, but is not required to, retain a qualified and independent assessor to perform an annual audit of the physical, technical, administrative, and organizational safeguards put in place by OmegaFi that relate to the protection of the security, confidentiality, or integrity of Personal Information using an appropriate and industry accepted control standard or framework and assessment procedure, or documentation of certification of compliance with, industry-accepted information security standards (“Third Party Audit”).

    d.    Customer agrees to first review any available Third Party Audit prior to conducting any Security Assessment.
  11. Personal Information Breach. OmegaFi will notify Customer without undue delay of any unauthorized access to, or disclosure or acquisition of, Personal Information. OmegaFi will provide Customer with information regarding the extent of data exposure, including the number and identity of affected individuals, if known, and the status of remediation efforts.
  12. Conflict. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail.
  13. Limitation of Liability. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by Applicable Law, each Party’s liability, in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall remain subject to the limitations on liability section of the Agreement.
  14. Survival. The obligations placed upon each Party under this DPA will survive so long as OmegaFi processes Personal Information on behalf of Customer.

Schedule 1

Subprocessors

OmegaFi hereby identifies the following Subprocessors:

| Subprocessor | Role / Purpose | Location |
| --- | --- | --- |
| Amazon Web Services | Cloud-based solution for computation, storage, and data solutions. | AWS US-East Region |
| HubSpot | Customer relationship management tool, including email marketing. | US |