Data Processing Agreement

Last updated: May 14, 2026

This Data Processing Agreement ("DPA") supplements the Cloud Services Agreement (or other written or electronic services agreement) between Roark Innovations, Inc. ("Roark") and the customer entity executing such agreement ("Customer") (collectively, the "Agreement"). This DPA applies to the extent Roark Processes any Personal Information in connection with Roark's provision of services to Customer pursuant to the Agreement.

1. Definitions

1.1. "Covered Data" means any Personal Information, as applicable to the Covered Data at issue, that Roark Processes on behalf of Customer or otherwise Processes in connection with Roark's provision of services pursuant to the Agreement.

1.2. "Data Protection Law" means, as applicable to the Covered Data at issue, any data protection law, including the California Privacy Rights Act, Canadian Personal Information Protection and Electronic Documents Act, and any other Canadian, Australian, or United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Information, including the California Consumer Privacy Act of 2018 ("CCPA") and any guidance issued by the California Attorney General, in each case to the extent applicable to a party.

1.3. "Security Incident" means an actual or reasonably suspected (a) loss of Covered Data or other Confidential Information of Customer; (b) unauthorized use, disclosure, acquisition of, or access to, or other unauthorized Processing of Covered Data or other Confidential Information of Customer that reasonably compromises the privacy or confidentiality, integrity, or availability of such information; or (c) unauthorized access to or use of, inability to access, loss of, or malicious infection of Roark's systems or third party systems that reasonably may compromise the privacy or confidentiality, integrity, or availability of Covered Data or other Confidential Information of Customer.

1.4. "Sub-Processor" means any third party appointed by or on behalf of Roark to Process Covered Data.

In addition, "Business", "Business Purpose", "Consumer", "Controller", "Data Subject", "Personal Data", "Personal Information", "Process", "Processor", "Sale", "Share", and "Service Provider" will have the respective definitions ascribed to them in the applicable Data Protection Laws. Capitalized terms used but not defined in this DPA have the meanings ascribed to them in the Agreement.

2. General Terms

2.1. Processing Details. The parties acknowledge and agree that with respect to the Covered Data, Customer is the Controller or Business and Roark acts as a Processor or Service Provider on behalf of Customer, and Roark conducts its Processing operations in accordance with Customer's instructions. Customer hereby instructs Roark to provide services as documented in the Agreement (including this DPA), and as further documented in any other specific written instructions given by Customer in this DPA, the Agreement, or as otherwise notified by Customer to Roark from time to time.

2.2. Roark's Obligations.

2.2.1. Roark will only Process Covered Data as a Processor or Service Provider in compliance with the instructions in this DPA and the Agreement, and will comply with all obligations applicable to it under Data Protection Laws with respect to its Processing of Covered Data.

2.2.2. Roark will ensure that any person authorized to Process Covered Data under this DPA is bound by appropriate obligations of confidentiality.

2.2.3. Roark has developed and implemented, and will maintain, a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to Roark's size and complexity, the nature and scope of Roark's activities, and the sensitivity of any Covered Data at issue, designed to protect the security and confidentiality of Covered Data, protect against any anticipated threats or hazards to the security or integrity of Covered Data, and protect against unauthorized access to or use of Covered Data.

2.2.4. Taking into account the nature of the Processing and the information available to Roark, Roark will provide Customer with reasonable cooperation and assistance to enable Customer to fulfill Customer's obligations under Data Protection Laws to: (a) respond to requests from Data Subjects or Consumers for the exercise of their rights; and (b) provide notification of any Security Incident as required by law.

2.2.5. Roark will notify Customer within twenty-four (24) hours of any Security Incident. Roark will use best efforts to identify the cause of such Security Incident and take such steps as Roark deems necessary and reasonable to remediate it. Roark will provide Customer with information and cooperation reasonably requested by Customer regarding such Security Incident. Unless required by law, Roark will not notify any Consumer or Data Subject or any third party of any Security Incident involving Covered Data without Customer's prior written consent.

2.2.6. Upon Customer's written request no more than once per year, Roark will provide a copy of Roark's then-current SOC 2 compliance report or another industry standard audit that may be deemed appropriate by Roark which relates to Roark's Processing of Covered Data and is conducted by an independent third-party auditor on at least an annual basis.

2.2.7. Roark will maintain records sufficient to demonstrate its compliance with its obligations under Data Protection Laws and this DPA, and retain such records for no less than a period of five (5) years after the termination of the Agreement.

3. Additional CCPA Requirements

In addition to the general obligations in Section 2 of this DPA, this Section 3 applies to the extent Customer is a Business and Roark acts as a Processor or Service Provider for, and on behalf of, Customer. Roark will: (a) not Sell or Share such Personal Information, nor retain, use, or disclose such Personal Information for any purpose other than the Business Purposes specified in the Agreement, unless otherwise permitted by the CCPA; (b) except to perform the specific Business Purposes, not combine such Personal Information with Personal Information received from or on behalf of another person or source; (c) otherwise comply with provisions of the CCPA applicable to Service Providers, including the same level of privacy protection required of Businesses by the CCPA; and (d) notify Customer if Roark can no longer meet these obligations.

4. Sub-Processors

4.1. Notification of Sub-Processors. Roark will provide written notice to Customer at least thirty (30) days before enabling any Sub-Processors to access or participate in the Processing of Covered Data. Customer may reasonably object to such an engagement on legitimate grounds by informing Roark in writing within thirty (30) days of being informed of such Sub-Processor(s). If Customer reasonably objects in accordance with this section, and Roark cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may terminate this DPA and the Agreement and Customer will be relieved of its obligation to pay any outstanding fees owed Roark under the Agreement.

4.2. Sub-Processor Agreements. Roark will enter into a written agreement with each authorized Sub-Processor imposing on the Sub-Processor data protection obligations equal to or more stringent than those imposed on Roark under this DPA with respect to the protection of Covered Data. Roark will remain liable to Customer for the performance of each authorized Sub-Processor's obligations under such agreement.

5. Indemnification & Insurance

5.1. Indemnity. Roark will indemnify, defend, and hold harmless Customer, its affiliates, and their respective officers, directors, employees, and agents (collectively, the "Indemnified Parties") from and against all costs, claims, losses, damages, or expenses incurred by the Indemnified Parties to the extent arising out of or relating to any breach of this DPA by Roark or its employees, subcontractors, or agents to comply with any of its obligations under this DPA.

5.2. Insurance. Roark will, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover Roark's potential indemnification obligations. Roark will give Customer at least thirty (30) days' advance written notice if the policy materially changes or is cancelled.

6. Conflicts

To the extent there is a conflict or inconsistency between this DPA and the Agreement, this DPA will control with respect to Covered Data.

Questions about this document? Email support@roark.ai.