Passteam Corp.

This Data Processing Addendum (“DPA”) forms part of the Passteam Master Subscription Agreement (“Agreement”) between Passteam Corp. (“Passteam,” “Provider,” or “Processor”) and the entity or individual accepting the Agreement (“Customer,” “Controller,” “you,” or “your”).

This DPA applies solely to the extent Passteam processes Personal Data on behalf of Customer in connection with the Services.

Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

1. DEFINITIONS

1.1 Personal Data
Any information relating to an identified or identifiable natural person processed by Passteam on behalf of Customer.

1.2 Processing
Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, or deletion.

1.3 Applicable Data Protection Laws
All applicable privacy and data protection laws and regulations, including U.S. federal and state laws (such as the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)) and, where applicable, the EU General Data Protection Regulation (GDPR).

1.4 Subprocessor
Any third party authorized by Passteam to process Personal Data on behalf of Customer.

2. ROLES OF THE PARTIES

Customer acts as the Data Controller and determines the purposes and means of Processing Personal Data.

Passteam acts as the Data Processor and, where applicable under U.S. law, as a Service Provider or Contractor, and processes Personal Data solely:

• on Customer’s documented instructions; and
• for the purpose of providing, maintaining, and supporting the Services.

Nothing in this DPA shall be interpreted to create a joint controller, partnership, or agency relationship between the parties.

3. SCOPE OF PROCESSING

3.1 Categories of Personal Data
Personal Data processed may include:

• first and last name;
• email address;
• phone number;
• loyalty, customer, or wallet identifiers;
• vehicle ownership or service indicators;
• messaging, delivery, and engagement metadata (including timestamps and status indicators).

3.2 Categories of Data Subjects

• Customer’s end customers;
• prospective customers;
• Customer’s authorized users and representatives.

3.3 Purpose of Processing
Personal Data is processed solely to:

• enable digital wallet loyalty cards (including Apple Wallet and Google Wallet);
• enable push notifications and SMS messaging;
• manage customer engagement, analytics, and reporting;
• provide, operate, secure, and support the Services.

4. DATA RESTRICTIONS

The Services are not designed to process:

• payment card data;
• government-issued identifiers;
• health, medical, or biometric data;
• financial account or banking information.

Customer shall not submit such data to the Services. Passteam has no responsibility or liability for prohibited data submitted in violation of this DPA.

5. CUSTOMER OBLIGATIONS

Customer represents and warrants that it:

• has a valid legal basis for Processing Personal Data;
• has provided all required notices and obtained all required consents from data subjects;
• complies with all applicable privacy, marketing, messaging, and consumer protection laws;
• is solely responsible for message content, recipient selection, consent management, and opt-out handling.

6. PASSTEAM OBLIGATIONS

6.1 Confidentiality
Passteam ensures that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.

6.2 Security Measures
Passteam maintains commercially reasonable administrative, technical, and organizational safeguards designed to protect Personal Data, including:

• encryption in transit;
• logical access controls and least-privilege access policies;
• monitoring and logging;
• incident response and security management procedures.

7. SUBPROCESSORS

7.1 Authorization
Customer authorizes Passteam to engage Subprocessors to support the delivery of the Services.

Passteam does not sell Personal Data and does not share Personal Data for cross-context behavioral advertising or third-party advertising purposes.

7.2 Subprocessor Obligations
Passteam requires Subprocessors to be bound by written agreements imposing data protection obligations substantially similar to those set forth in this DPA. Passteam remains responsible for Subprocessor compliance with this DPA.

8. DATA SUBJECT REQUESTS

To the extent legally permitted, Passteam shall promptly notify Customer of any request received from a data subject relating to Personal Data and shall provide reasonable assistance to enable Customer to respond.

Passteam shall not respond directly to data subjects unless legally required to do so.

9. PERSONAL DATA BREACH

Passteam shall notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Data and shall provide information reasonably necessary to assist Customer in meeting its legal obligations.

10. DATA RETENTION, RETURN, AND DELETION

10.1 Data Export
Upon termination or expiration of the applicable subscription, Customer may request export of Personal Data for a reasonable period.

10.2 Deletion
After such period, Passteam will delete or anonymize Personal Data from its active systems, except where:

• retention is required by applicable law; or
• data is stored in backups and deleted in accordance with standard backup retention and overwrite cycles.

11. AUDIT AND COMPLIANCE

Upon reasonable written request, Passteam shall make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational limitations.

Customer may not conduct on-site audits without Passteam’s prior written consent.

12. LIABILITY

This DPA does not modify, expand, or limit the liability provisions set forth in the Agreement.

13. GOVERNING LAW

This DPA is governed by the laws specified in the Agreement.

14. ORDER OF PRECEDENCE

In the event of conflict:

1. This DPA
2. The Agreement
3. Applicable Order Forms

‍

Passteam-DPA-12-03-2025