Last Updated: October 5, 2025

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the agreement(s) between Smart Listing Suite (“SLS”), powered by BizPilot 360, and the Customer (each, a “Party” and together, the “Parties”) that govern Customer’s use of SLS services (the “Agreement”).

By using SLS in a business capacity, executing an Order, or otherwise accepting the Agreement, Customer agrees to this DPA.

1) Definitions

• “Applicable US Privacy Laws” means all US federal and state privacy laws applicable to the processing of Personal Data under the Agreement, including as applicable: the California Consumer Privacy Act as amended by the CPRA (collectively, “CCPA/CPRA”), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA), each as amended and together with implementing regulations.

• “Customer” means the entity identified in the Agreement (e.g., the real estate agent or brokerage) that determines the purposes and means of processing Personal Data.

• “Personal Data” means information that identifies, relates to, describes, or can reasonably be linked, directly or indirectly, to an identified or identifiable natural person, that SLS processes on behalf of Customer.

• “Process/Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

• “Service Provider/Processor” means SLS under Applicable US Privacy Laws.

2) Roles and Scope

Relationship. With respect to Personal Data processed under the Agreement, Customer is the “Business” or “Controller,” and SLS is the “Service Provider” or “Processor.”

Purpose Limitation. SLS will process Personal Data solely to:

• provide, maintain, secure, and support the Services;

• prevent or address service, security, and technical issues;

• comply with law and enforce rights under the Agreement; and

• act on other documented instructions from Customer.

Customer Instructions. The Agreement and this DPA constitute Customer’s documented instructions. Additional instructions require mutual written agreement.

No Sale/Share. SLS will not sell or share Personal Data (as “sell” and “share” are defined under the CCPA/CPRA), nor use it for cross-context behavioral advertising or targeted advertising outside the Services for Customer.

3) Customer Responsibilities

Lawful Basis and Notices. Customer is responsible for complying with Applicable US Privacy Laws, including providing required notices and obtaining any necessary consents/permissions.

Data Quality and Legality. Customer is responsible for the accuracy, quality, and legality of Personal Data and how it was obtained.

Consumer Requests. SLS will provide reasonable tools and assistance for Customer to meet obligations to respond to consumer privacy requests. Customer remains responsible for responding to and fulfilling such requests.

4) SLS Processing Obligations

Confidentiality. SLS ensures personnel authorized to process Personal Data are bound by confidentiality obligations.

Security. SLS maintains appropriate administrative, technical, and physical safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

• access controls and authentication;

• encryption in transit and at rest where appropriate;

• network/application security controls and vulnerability management;

• logging/monitoring; and

• business continuity and disaster recovery practices.

Data Minimization and Retention. SLS will not retain Personal Data longer than necessary to provide the Services or as required by law. Upon termination or Customer’s written request, SLS will delete or return Personal Data, unless retention is required by law or reasonably necessary for the establishment, exercise, or defense of legal claims.

Assistance. Taking into account the nature of processing and information available to SLS, SLS will provide reasonable assistance to Customer for:

• responding to consumer requests (access, deletion, correction, opt-out where applicable);

• meeting security and breach notification obligations; and

• conducting and documenting privacy risk assessments where required by law.

Prohibited Uses. SLS will not combine Personal Data with personal information SLS receives from other sources, except as permitted by Applicable US Privacy Laws and only to provide and secure the Services for Customer.

5) US State Privacy Terms (CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA)

Role and Restrictions. SLS acts as a Service Provider/Processor and will:

• not sell or share Personal Data;

• not retain, use, or disclose Personal Data for any purpose other than providing the Services and as permitted by law;

• not retain, use, or disclose Personal Data outside the direct business relationship with Customer; and

• not combine Personal Data from different customers or data sources except as permitted by law to detect security incidents or to maintain/improve the integrity of the Services for Customer.

Certification. SLS certifies that it understands and will comply with these restrictions.

Consumer Requests and Appeals. SLS will reasonably support Customer’s handling of consumer rights requests and any required appeals processes under Applicable US Privacy Laws.

6) Security Incident Notification

Notification. SLS will notify Customer without undue delay after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed on behalf of Customer (“Security Incident”). SLS will provide information reasonably available to assist Customer in meeting any applicable notification obligations.

Mitigation and Cooperation. SLS will take appropriate steps to contain, investigate, and remediate the Security Incident and will reasonably cooperate with Customer.

7) Audits and Information

Documentation. SLS will make available information reasonably necessary to demonstrate compliance with this DPA, which may include security summaries or third-party testing summaries where available.

8) Deletion and Return of Data

Upon termination of the Services, or upon Customer’s written request, SLS will delete or return Personal Data and delete existing copies within a reasonable period, unless Applicable US Privacy Laws require retention or SLS is permitted to retain limited copies for legal compliance or defense of claims.

9) Order of Precedence; Updates

Precedence. If there is any conflict between this DPA and the Agreement, this DPA controls for data protection matters.

Updates. SLS may update this DPA to reflect changes in laws, best practices, or the Services. Material changes will be communicated to Customer via reasonable means. Continued use of the Services after the effective date constitutes acceptance.

10) Liability; Governing Law

Liability. The Agreement’s limitation of liability applies to this DPA.

Governing Law. The governing law and venue set forth in the Agreement apply.

Annex A: Processing Details

Subject Matter: Processing Personal Data to provide AI-powered real estate marketing, lead capture, CRM, listing automation, communications, and related Services.

Duration: For the term of the Agreement and any period required by law.

Nature and Purpose: Hosting, storage, transmission, analysis, automation, communications (email/SMS), analytics, personalization, reporting, and customer support to deliver and secure the Services.

Types of Personal Data: Contact details (name, email, phone), property interests/preferences, lead source, communication logs, website interaction data (e.g., IP addresses, device identifiers, cookie IDs), MLS-related viewing history, account credentials (hashed), and content Customer uploads or collects via forms and tools.

Sensitive Data: Not intended. Customer will not submit sensitive Personal Data (e.g., government IDs, financial account numbers, health data) unless required by law and expressly agreed in writing.

Categories of Data Subjects: Customer’s prospects/leads, clients, website visitors, and Customer’s users/agents and staff.

Instructions: As described in the Agreement, this DPA, and Customer’s configuration and documented use of the Services.