Data Processing Addendum
Last Updated: May 2026
This Data Processing Addendum (“DPA”) is incorporated by reference into the Neto Software as a Service Agreement (the “Agreement”) between Techneto Corp. d/b/a Neto (“Provider”) and Customer. Capitalized terms not defined herein have the meanings given in the Agreement.
1. Scope and Purpose
This DPA applies to the extent that Provider processes Personal Data on behalf of Customer in connection with the Services. This DPA sets out the terms under which Provider will process Personal Data as a service provider or data processor, as applicable under applicable data protection law, including the California Privacy Rights Act (“CPRA”) and any other applicable state or federal privacy laws (collectively, “Applicable Privacy Law”).
2. Definitions
(a) “Personal Data” means any information that relates to an identified or identifiable natural person that is processed by Provider on behalf of Customer in connection with the Services, including but not limited to names, phone numbers, email addresses, and the content of communications between Customer’s Agent and end-users.
(b) “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
(c) “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, or deletion.
(d) “Sub-processor” means any third party engaged by Provider to process Personal Data on behalf of Customer, including those listed at https://neto.ci/third-party-products.
3. Roles of the Parties
As between the Parties, Customer is the data controller or business with respect to Personal Data processed through the Services, and Provider is the data processor or service provider. Provider shall process Personal Data only on Customer’s behalf and in accordance with Customer’s documented instructions, including as set out in the Agreement and this DPA. Provider shall not: (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than providing the Services; (iii) retain, use, or disclose Personal Data outside the direct business relationship between Provider and Customer; or (iv) combine Personal Data with personal information obtained from other sources, except as permitted under Applicable Privacy Law.
4. Provider Obligations
Provider shall:
(a) process Personal Data only as instructed by Customer and in accordance with the Agreement and this DPA, unless required to do so by applicable law, in which case Provider shall inform Customer of such legal requirement before processing unless prohibited by law;
(b) implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure, as further described in Provider’s Privacy Policy at https://neto.ci/privacy;
(c) ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations;
(d) notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any actual or reasonably suspected breach of security involving Personal Data (“Data Breach”). Such notification shall include: (i) the nature of the Data Breach; (ii) the categories and approximate number of Data Subjects and Personal Data records affected; (iii) the likely consequences of the Data Breach; and (iv) measures taken or proposed to address the Data Breach;
(e) assist Customer, at Customer’s reasonable request and expense, in responding to Data Subject rights requests under Applicable Privacy Law, including requests for access, correction, deletion, or portability of Personal Data;
(f) not engage any new Sub-processor without first notifying Customer by updating the Third-Party Products page at https://neto.ci/third-party-products. Customer’s continued use of the Services following such notice constitutes acceptance of the new Sub-processor; and
(g) upon termination of the Agreement, delete or return all Personal Data in accordance with Section 12(e) of the Agreement, except to the extent retention is required by applicable law.
5. Insurance
Provider maintains cyber liability insurance and errors and omissions (E&O) insurance coverage appropriate to the nature and scope of the Services and the personal data processed hereunder.
6. Customer Obligations
Customer represents and warrants that: (a) it has obtained all necessary consents and provided all required notices to Data Subjects for the processing of Personal Data contemplated by the Agreement and this DPA; (b) it has a lawful basis for processing Personal Data and for instructing Provider to process Personal Data on its behalf; (c) all Personal Data provided to Provider complies with Applicable Privacy Law; and (d) Customer will not instruct Provider to process Personal Data in a manner that violates Applicable Privacy Law.
7. Sub-processors
Customer authorizes Provider to engage the Sub-processors listed at https://neto.ci/third-party-products to process Personal Data in connection with the Services. Provider shall ensure each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. Provider remains liable for the acts and omissions of its Sub-processors to the same extent Provider would be liable if performing the services directly.
8. Data Transfers
Customer acknowledges that Provider processes Personal Data in the United States. To the extent any transfer of Personal Data from a jurisdiction with data transfer restrictions (including the European Economic Area, United Kingdom, or Switzerland) is required, the Parties agree to execute such additional transfer mechanisms as may be required by Applicable Privacy Law, including Standard Contractual Clauses approved by the European Commission where applicable.
9. Audit Rights
Upon Customer’s reasonable written request and no more than once per calendar year (unless a Data Breach has occurred), Provider shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit of Provider’s data processing practices, provided that: (i) Customer provides at least thirty (30) days’ prior written notice; (ii) any audit is conducted during normal business hours with minimal disruption to Provider’s operations; (iii) Customer bears all costs of such audit; and (iv) the auditor is bound by appropriate confidentiality obligations.
10. Conflict
In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall control. In all other respects, the terms and conditions of the Agreement shall remain in full force and effect.