Posted: November 21, 2025
Prior Version: July 22, 2022

This DynaFile Data Protection Addendum (“Addendum”) supplements the DynaFile Master Subscription Agreement (together with any Order Forms or SOWs entered into pursuant thereto, the “Agreement”) between Blue Ribbon Technologies, LLC (“BRT”) and the customer entity that is a party to the Agreement (“Customer”).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. The obligations set forth in this Addendum shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.

1. Definitions.
   1. “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
   2. “Customer Personal Data” means Personal Data uploaded by Customer to the Service (as defined in the Agreement).
   3. “Data Protection Laws” means the data protection and privacy laws of the United States or Canada applicable to a party’s Processing of Customer Personal Data under the Agreement, including, to the extent applicable, the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”), and any other applicable law or regulation related to the protection of Customer Personal Data in the United States or Canada that is already in force or that will come into force during the term of this Addendum.
   4. “Data Subject” means the natural person who is the subject of Customer Personal Data.
   5. “Personal Data” means information that constitutes “personal data,” “personal information,” “personally identifiable information,” or similar term as defined in and governed by Data Protection Laws.
   6. “Personal Data Breach” means a breach of BRT’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in BRT’s possession, custody, or control.
   7. “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
   8. “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller. For the avoidance of doubt, Processor shall also mean service provider (as such term is defined under the CCPA).
   9. “Services” means the products and/or services that BRT has agreed to provide to Customer under the Agreement.
   10. “Subprocessor” means any Processor appointed by BRT to Process Customer Personal Data on behalf of Customer under the Agreement.
2. Processing of Customer Personal Data.
   1. Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement Customer is a Controller and BRT is a Processor of Customer Personal Data. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
   2. Details of Processing. The parties acknowledge and agree that details regarding the Processing of Customer Personal Data are as set forth in Exhibit 1 to this Addendum, including the nature and purpose of the Processing, the types of Customer Personal Data subject to the Processing, and the duration of the Processing.
   3. Customer Instructions. BRT shall not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by Data Protection Laws to which BRT is subject, in which case BRT shall, to the extent permitted by Data Protection Laws, inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement, including any Processing reasonably necessary and proportionate to achieve the business purpose outlined in the Agreement, and any related statement of work or order form entered into by Customer pursuant to the Agreement shall constitute documented instructions for the purposes of this Addendum. Customer’s instructions shall comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured.
   4. Processing Subject to the CCPA. As used in this Section 2.4, the terms “Sell,” “Share,” “Business Purpose,” and “Commercial Purpose” shall have the meanings given in the CCPA and “Personal Information” shall mean any personal information (as defined in the CCPA) contained in Customer Personal Data. BRT will not: (a) Sell or Share any Personal Information; (b) retain, use, or disclose any Personal Information (i) for any purpose other than for the Business Purposes specified in the Agreement, including for any Commercial Purpose other than the Business Purposes specified in the Agreement, or as otherwise permitted by the CCPA, or (ii) outside of the direct business relationship between Customer and BRT; or (c) combine Personal Information received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from BRT’s own interaction with Data Subjects, except to perform any Business Purpose permitted by the CCPA. BRT hereby certifies that it understands the foregoing restrictions under this Section 2.4 and will comply with them. The parties acknowledge that the Personal Information disclosed by Customer to BRT is provided to BRT only for the limited and specified purposes set forth in Exhibit 1. BRT will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Information as is required by the CCPA. Customer has the right to take reasonable and appropriate steps to help ensure that BRT uses the Personal Information transferred in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights pursuant to Section 9 of this Addendum. BRT will inform Customer if it makes a determination that BRT can no longer meet its obligations under the CCPA. Upon written notice to BRT, Customer will have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by limiting the Personal Information shared with BRT, or taking such other steps mutually agreed between the parties in writing.
   5. Customer Obligations. As between the parties, Customer shall be solely responsible for: (a) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and BRT’s Processing of Customer Personal Data; (b) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to BRT to permit the Processing of such Customer Personal Data by BRT for the purposes of performing BRT’s obligations under the Agreement or as may be required by Data Protection Laws; and (c) ensuring that this Addendum, the Agreement, and Customer’s selected Subscription Edition are sufficient to meet Customer’s needs under Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data. Customer will ensure that BRT’s Processing of Customer Personal Data in accordance with Customer’s instructions will not cause BRT to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws.
3. Confidentiality. BRT shall take reasonable steps to ensure that BRT personnel that Process Customer Personal Data are subject to contractual obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Security. BRT shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Personal Data from Personal Data Breaches and designed to preserve the security and confidentiality of Customer Personal Data in accordance with BRT’s security standards described in Exhibit 2 (“Security Measures“). Customer is responsible for reviewing the information made available by BRT relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that BRT may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
5. Subprocessing. BRT may engage such Subprocessors as BRT considers reasonably appropriate for the Processing of Customer Personal Data in accordance with this Addendum, provided that BRT shall notify Customer of the addition or replacement of such Subprocessor and Customer may, on reasonable grounds, object to a Subprocessor by notifying BRT in writing within ten (10) days of receipt of BRT’s notification, giving reasons for Customer’s objection. Upon receiving such objection, BRT shall: (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (b) where such change cannot be made within ten (10) days of BRT’s receipt of Customer’s notice, Customer may by written notice to BRT with immediate effect terminate the portion of the Agreement or relevant SOW to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is Customer’s sole and exclusive remedy to Customer’s objection of any Subprocessor appointed by BRT. BRT will require Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum.
6. Data Subject Rights. BRT shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data. In the event that any Data Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data, BRT will shall use reasonable commercial efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that BRT may charge Customer on a time and materials basis in the event that BRT considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
7. Personal Data Breach. In the event of a Personal Data Breach that compromises Customer Personal Data, BRT will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. BRT will take reasonable steps to provide Customer with information available to BRT that Customer may reasonably require to comply with its obligations as Controller to notify relevant individuals, regulators, and other third parties. BRT’s notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by BRT of any fault or liability with respect to the Personal Data Breach.
8. Deletion or Return of Customer Personal Data. During the Term, subject to the terms and conditions of the Agreement, BRT will return or delete Customer Personal Data when Customer uses the functionality of the Services to request such return or deletion. Unless otherwise required by applicable law, following termination or expiration of the Agreement BRT shall delete all Customer Personal Data and all copies of Customer Personal Data. Customer Personal Data, computer records, or files that have been created pursuant to BRT’s automatic archiving and back-up procedures shall be deleted as soon as reasonably practicable.
9. Relevant Records and Audits. Upon Customer’s written request, BRT will make available to Customer information in BRT’s possession reasonably necessary to demonstrate BRT’s compliance with applicable Data Protection Laws. Customer may audit BRT’s compliance with its obligations under this Addendum up to once per year by requesting a copy of BRT’s most recent Statement on Standards for Attestation Engagement No. 18 (SSAE 18) System and Organization Controls (SOC 2) Type II audit report. Such reports constitute BRT’s Confidential Information under the Agreement.
10. Privacy Impact Assessments. In the event that BRT’s Processing of Customer Personal Data requires Customer to perform a privacy impact or data protection assessment under Data Protection Laws, following written request from Customer, BRT shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that BRT may charge Customer on a time and materials basis in the event that BRT considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
11. Data Transfer. Customer acknowledges and agrees that BRT is located in the United States and will Process Customer Personal Data in the United States subject to the applicable requirements of Data Protection Laws and this Addendum. BRT will remain responsible for compliance with this Addendum regardless of the location of Processing. Customer shall: (a) comply with accountability principles under Data Protection Laws and remain responsible for ensuring that Customer’s transfer of Customer Personal Data to BRT complies with Data Protection Laws, including by obtaining any necessary consents from Data Subjects, if applicable; and (b) shall notify BRT in the event that additional or supplementary measures are required under Data Protection Laws in respect of such transfer.
12. Modifications. Notwithstanding anything to the contrary in the Agreement, BRT may update or modify this Addendum from time to time to reflect changes in Data Protection Laws, best practices, or BRT’s business operations. BRT will provide Customer with notice of any material changes to this Addendum by posting the updated version at https://www.dynafile.com/dpa or by other reasonable means. Unless a shorter period is required by applicable law, material changes will become effective thirty (30) days after such notice. Continued use of the Services after the effective date of any such update constitutes Customer’s acceptance of the modified Addendum. If Customer objects to a material modification that adversely affects Customer’s rights under this Addendum, Customer shall notify BRT and the parties will work in good faith to resolve the objection.
13. General Terms. Except as expressly modified by the Addendum, the terms of the Agreement remain in full force and effect. The requirements of this Addendum are in addition to and not in lieu of the requirements of the Agreement. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, the remainder of the Agreement shall be construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the other terms of the Agreement with regard to data protection obligations for Customer Personal Data under Data Protection Laws. Any claims brought under or arising out of this Addendum, if applicable, will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

EXHIBIT 1

Details of Processing

1. Subject matter and duration of the Processing of Customer Personal Data: The subject matter of the Processing are as described in the Agreement and the Addendum. The duration of the Processing is for the term of the Agreement, subject to any retention or other Processing set forth in the Agreement or the Addendum.
2. Nature and purposes of the Processing of Customer Personal Data: The nature of the Processing involves those activities reasonably required to facilitate or support the provision of the following purposes and the Services as described in the Agreement and the Addendum. The purposes of the Processing of Customer Personal Data include: helping to ensure security and integrity, to the extent the use of Customer Personal Data is reasonably necessary and proportionate for these purposes; debugging to identify and repair errors that impair existing intended functionality; performing the Services as described in the Agreement and carrying out the instructions set forth in Section 2.3; undertaking internal research for technological development and demonstration; and undertaking activities to verify or maintain the quality or safety of the Services, and to improve, upgrade, or enhance the Services.
3. The categories of Data Subjects to whom Customer Personal Data relates: The categories of Data Subjects are determined by Customer and Customer’s use of the Services, and may include, for example, active employees, terminated employees, and prospective employees of the Customer.
4. The categories of Customer Personal Data: The categories of Customer Personal Data are determined by Customer and Customer’s use of the Services, and may include, for example, name, username or login information, email address, phone number, contact details, account and financial information, Social Security number or National ID, passport information, IP address, and other categories or types that the Customer determines at its discretion.

EXHIBIT 2

Security Measures

BRT has implemented and will maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards intended to protect personal information that are appropriate to: (1) the size, scope, and type of BRT’s business, (2) the resources available to BRT, (3) the type of information stored by BRT, and (4) the need for security and confidentiality of such information.

More specifically, BRT has implemented the following measures:

• Advanced NextGen Firewall Devices with both Host-Based and Network-Based Intrusion Detection and Automatic Threat Prevention
• Continuous monitoring and alerting of all network traffic at all layers via multiple secured and locked down SEIM and logging appliances
• Segmented and secured networks that enforce encryption-in-transit of all data both internally and externally with per-client separated database and document repository data
• Multiply redundant, enterprise grade hardware and infrastructure components with full enforcement of encryption-at-rest of all client data
• Geographically diverse data center operations with less than 60 second data replication windows

A full overview of the security measures can be found by downloading BRT’s Security and Redundancy Whitepaper and a comprehensive detail of such measures can be obtained by requesting BRT’s most recent Statement on Standards for Attestation Engagement No. 18 (SSAE 18) System and Organization Controls (SOC 2) Type II audit report.