Data Processing Agreement
Last updated: January 2, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Getia AS ("Processor", "we", "us") and you ("Controller", "Customer") for the use of ShotVista. This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the GDPR and applicable data protection laws.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Subprocessor" means any third party engaged by us to process Personal Data on your behalf.
"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope and Roles
This DPA applies to all Processing of Personal Data by us on your behalf in connection with ShotVista.
The parties acknowledge that:
• You are the Controller of Personal Data
• We are the Processor acting on your behalf and instructions
The subject matter, duration, nature, and purpose of Processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 of this DPA.
3. Processor Obligations
We shall:
• Process Personal Data only on your documented instructions, unless required by law
• Ensure that persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Not engage Subprocessors without prior authorization (see our Subprocessors List)
• Assist you in responding to Data Subject requests
• Assist you in ensuring compliance with GDPR Articles 32-36
• Delete or return all Personal Data upon termination, unless retention is required by law
• Make available information necessary to demonstrate compliance and allow for audits
4. Subprocessors
You authorize us to engage Subprocessors to process Personal Data on your behalf, subject to this DPA.
We maintain a list of current Subprocessors at /legal/subprocessors.
We will notify you of any intended changes to Subprocessors, giving you the opportunity to object. We shall enter into written contracts with each Subprocessor imposing data protection obligations no less protective than this DPA.
5. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA).
We ensure that such transfers comply with GDPR Chapter V, using:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with adequacy decisions
• Other valid transfer mechanisms under GDPR
Upon request, we will provide copies of the transfer mechanisms in place.
6. Security Incidents
We shall notify you without undue delay (and in any event within 48 hours) after becoming aware of a Security Incident affecting your Personal Data.
Notification shall include:
• Description of the nature of the incident
• Categories and approximate number of Data Subjects affected
• Likely consequences of the incident
• Measures taken or proposed to address the incident
We shall cooperate with you in the investigation, mitigation, and remediation of any Security Incident.
7. Audits
Upon reasonable request and subject to confidentiality obligations, we shall make available information necessary to demonstrate compliance with this DPA.
You may conduct an audit to verify our compliance, subject to:
• Reasonable advance notice (at least 30 days)
• Audits during normal business hours
• Scope limited to relevant facilities and records
• Auditor agreement to confidentiality
8. Term and Termination
This DPA is effective from the date you accept our Terms of Service and continues until the termination of the Services.
Upon termination:
• We shall, at your choice, delete or return all Personal Data
• Existing copies will be deleted within 90 days (unless retention is required by law)
• Upon request, we shall certify deletion in writing
Annex 1: Processing Details
Subject Matter: Processing of Personal Data as necessary to provide ShotVista.
Duration: For the term of the Service Agreement plus any legally required retention period.
Nature and Purpose:
• Provision of the real estate photo editing service
• User authentication and account management
• Analytics and service improvement
• Billing and payment processing
Types of Personal Data:
• Contact information (email, name)
• Account credentials
• Photos uploaded for processing
• Usage data and logs
• Payment information (processed by Stripe)
Categories of Data Subjects:
• Registered users of ShotVista
• Individuals depicted in uploaded photos (with consent)
Data Protection Officer
For questions about this DPA, contact our DPO at [email protected]
Getia AS, Tromsogata 5C, 0565 Oslo, Norway. Org. number: 926 610 198
This DPA may be updated to reflect changes in applicable law. We will notify you of material changes.