Data Processing Addendum

This Data Processing Addendum (“DPA”) governs INVOICE FLY’s processing of Customer Data you provide to INVOICE FLY through INVOICE FLY services for businesses (“Services”) under the terms of the INVOICE FLY Terms of Service, Privacy Policy, or other agreement between you and INVOICE FLY governing your use of the Services (the “Agreement”) and is hereby incorporated into the Agreement. If and to the extent language in this DPA conflicts with the Agreement, the conflicting terms in this DPA shall control.

INVOICE FLY and Customer each agree to comply with their respective obligations under applicable data privacy and data protection laws (collectively, “Data Protection Laws”) in connection with the Services. Data Protection Laws may include, depending on the circumstances, European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018” ) under the Data (Use and Access) Act 2025 (“DUAA”), Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the California Consumer Privacy Act) (“CCPA”), Colo. Rev. Stat. §§ 6-1-1301 et seq. (the Colorado Privacy Act) (“CPA”), Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”), and , and applicable subordinate legislation and regulations implementing those laws.

In connection with the Agreement, Customer is the person that determines the purposes and means for which Customer Data (as defined below) is processed (a “Data Controller”), whereas INVOICE FLY processes Customer Data in accordance with the Data Controller’s instructions and on behalf of the Data Controller (as a “Data Processor”). “Data Controller” and “Data Processor” are intended to include equivalent concepts under other Data Protection Laws. For purposes of the Agreement and this DPA, “Customer Data” means personal data (or equivalent concepts, as defined by Data Protection Laws) that Customer provides to the Services that INVOICE FLY processes on behalf of Customer. INVOICE FLY will process Customer Data as your Data Processor to provide or maintain the Services and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between you and INVOICE FLY. INVOICE FLY acknowledges that you are disclosing personal data for the aforementioned limited and specific purposes.

1. PROCESSING REQUIREMENTSAs a Data Processor, INVOICE FLY agrees to:
   1. Process Customer Data (i) for the purpose of providing and supporting INVOICE FLY’s services (including to provide insights, reporting, analytics and platform abuse, trust and safety monitoring); (ii) to improve INVOICE FLY’s services, (iii) in compliance with the instructions received from Customer; and (iv) where the CCPA applies, in a manner that provides no less than the level of privacy protection required by the CCPA.
   2. Promptly inform you in writing if it cannot comply with the requirements of this DPA.
   3. Not provide you with remuneration in exchange for Customer Data from you. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to INVOICE FLY.
   4. Not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) personal data
   5. Inform you promptly if, in INVOICE FLY’s opinion, an instruction from you violates applicable Data Protection Laws.
   6. Take commercially reasonable steps to require (i) persons employed by it and (ii) other persons engaged to perform on INVOICE FLY’s behalf to be subject to a duty of confidentiality with respect to the Personal Data and to comply with the data protection obligations applicable to INVOICE FLY under the Agreement and this DPA.
   7. Engage the subprocessors available at invoicefly.com/subprocessors to process Customer Data (each a “Subprocessor,” and the list at the foregoing URL, the “Subprocessor List”) to help INVOICE FLY satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such Subprocessors. Customer hereby consents to the use of such Subprocessors. In the event that INVOICE FLY seeks to use additional Subprocessors and update the Subprocessor List, INVOICE FLY will provide notice of such additional Subprocessors to you (which may be via email, a posting or notification on an online portal for our services or other reasonable means). In the event that you do not wish to consent to the use of such additional Subprocessor, you may notify INVOICE FLY that you do not consent within fifteen (15) days on reasonable grounds relating to the protection of Customer Data by following the instructions set forth in the Subprocessor List or contacting dpo@labhouse.io. In such case, INVOICE FLY shall have the right to cure the objection through one of the following options: (i) INVOICE FLY will cancel its plans to use the Subprocessor with regards to processing Customer Data or will offer an alternative to provide its Services or services without such Subprocessor; (ii) INVOICE FLY will take the corrective steps requested by you in your objection notice and proceed to use the Subprocessor; (iii) INVOICE FLY may cease to provide, or you may agree not to use whether temporarily or permanently, the particular aspect or feature of the INVOICE FLY Services or services that would involve the use of such Subprocessor; or (iv) you may cease providing Customer Data to INVOICE FLY for processing. If none of the above options are commercially feasible, in INVOICE FLY’s reasonable judgment, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of INVOICE FLY’s receipt of your objection notice, then either party may terminate any subscriptions, order forms or usage regarding the Services or INVOICE FLY services for cause and in such case, you will be refunded any pre-paid fees for the applicable subscriptions, order forms or usage to the extent they cover periods or terms following the date of such termination. Such termination right is your sole and exclusive remedy if you object to any new Subprocessor. INVOICE FLY shall enter into contractual arrangements with each Subprocessor binding them to provide the same level of data protection and information security to that provided for herein.
   8. Upon request, provide you with INVOICE FLY’s privacy and security policies and other such information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws.
   9. Where required by law and upon reasonable notice and appropriate confidentiality agreements, cooperate with assessments, audits, or other steps performed by or on behalf of Customer that are necessary to confirm that INVOICE FLY is processing Personal Data in a manner consistent with this DPA. Where permitted by law, INVOICE FLY may instead make available to Customer a summary of the results of a third-party audit or certification reports relevant to INVOICE FLY’s compliance with this DPA.
   10. To the extent that INVOICE FLY received deidentified data derived from personal data subject to U.S. Privacy Laws from Customer, INVOICE FLY shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in a deidentified form and to not attempt to re-identify the deidentified data, except that the recipient may attempt to re- identify the data solely for the purpose of determining whether its deidentification processes are compliant with U.S. Privacy Laws; and (iii) before sharing deidentified data with any other party, including Subprocessors, contractually obligate any such recipients to comply with the requirements of this provision.
   11. Where the personal data is subject to the CCPA, not (i) retain, use, disclose, or otherwise process personal data except as necessary for the business purposes specified in the Agreement or this Addendum; (ii) retain, use, disclose, or otherwise process personal data in any manner outside of the direct business relationship between INVOICE FLY and Customer; or (iii) combine any personal data with personal data that INVOICE FLY receives from or on behalf of any other third party or collects from INVOICE FLY’s own interactions with individuals, provided that INVOICE FLY may so combine personal data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA.
   12. Where required by law, grant the Data Controller the rights to (i) take reasonable and appropriate steps to ensure that INVOICE FLY uses Customer Data in a manner consistent with Data Protection Laws and (ii) stop and remediate unauthorized use of Customer Data.
2. NOTICE TO CUSTOMERINVOICE FLY will inform you if INVOICE FLY becomes aware of:
   1. Any legally binding request for disclosure of Customer Data by a law enforcement authority, unless INVOICE FLY is otherwise forbidden by law to inform you, for example to preserve the confidentiality of an investigation by law enforcement authorities.
   2. Any notice, inquiry or investigation by an independent public authority established by a member state pursuant to Article 51 of the GDPR (a “Supervisory Authority”) with respect to Customer Data.
   3. Any complaint or request (in particular, requests for access to, rectification or blocking of Customer Data) received directly from your data subjects. INVOICE FLY will not respond to any such request without your prior written authorization.
3. ASSISTANCE TO CUSTOMERINVOICE FLY will provide reasonable assistance to Customer regarding:
   1. Any requests from your data subjects in respect of access to or the rectification, erasure, restriction, portability, objection, blocking or deletion of Customer Data that INVOICE FLY processes for you. In the event that a data subject sends such a request directly to INVOICE FLY, INVOICE FLY will promptly send such request to you.
   2. The investigation of any breach of INVOICE FLY’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data processed by INVOICE FLY for you (a “Personal Data Breach”).
   3. Where appropriate, the preparation of data protection impact assessments with respect to the processing of Customer Data by INVOICE FLY and, where necessary, carrying out consultations with any supervisory authority with jurisdiction over such processing.
4. REQUIRED PROCESSING
   1. 1. If INVOICE FLY is required by Data Protection Laws to process any Customer Data for a reason other than in connection with the Agreement, INVOICE FLY will inform you of this requirement in advance of any processing, unless INVOICE FLY is legally prohibited from informing you of such processing.
5. SECURITYINVOICE FLY will:
   1. Maintain reasonable and appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data and to protect the rights of the subjects of that Customer Data.
   2. Take appropriate steps to confirm that INVOICE FLY personnel are protecting the security, privacy and confidentiality of Customer Data consistent with the requirements of this DPA.
   3. Notify you of any Personal Data Breach by INVOICE FLY, its Subprocessors, or any other third parties acting on INVOICE FLY’s behalf without undue delay after INVOICE FLY becomes aware of such Personal Data Breach.
6. OBLIGATIONS OF CUSTOMER
   1. Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to INVOICE FLY and to authorize INVOICE FLY to use, disclose, retain and otherwise process that Customer Data as contemplated by this DPA, the Agreement and/or other processing instructions provided to INVOICE FLY.
   2. Customer shall comply with all applicable Data Protection Laws.
   3. Customer shall reasonably cooperate with INVOICE FLY to assist INVOICE FLY in performing any of its obligations with regard to any requests from Customer’s data subjects, including, without limitation by maintaining a record of which “completion ID” or similar numbers that are related to which data subjects in order to facilitate individual rights requests.
   4. Customer acknowledges and agrees that it, rather than INVOICE FLY, is responsible for certain configurations and design decisions for the services and that Customer, and not INVOICE FLY, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws. Without limitation to the foregoing, Customer represents, warrants and covenants that it shall only transfer Customer Data to INVOICE FLY using secure, reasonable and appropriate mechanisms.
   5. Customer shall not provide Customer Data to INVOICE FLY except through agreed mechanisms. For example, Customer shall not include Customer Data other than technical contact information, or in technical support tickets, transmit user Customer Data to INVOICE FLY by email.
   6. Customer shall not take any action that would (i) render the provision of Customer Data to INVOICE FLY a “sale” under U.S. Privacy Laws or a “share” under the CCPA; or (ii) render INVOICE FLY not a “service provider” under the CCPA.
7. STANDARD CONTRACTUAL CLAUSES
   1. INVOICE FLY will process Customer Data that originates in the European Economic Area in accordance with the standard contractual clauses adopted by the EU Commission on June 4, 2021 (“EU SCCs”) which are deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
      

      (i) Module Two (Controller to Processor) of the EU SCCs apply when Customer is a controller and INVOICE FLY is processing Customer Data as a processor.

      (ii) Module Three (Processor to Sub-Processor) of the EU SCCs apply when Customer is a processor and INVOICE FLY is processing Customer Data as a sub-processor.

   2. For each module of the EU SCCs, where applicable, the following applies:

      (i) The optional docking clause in Clause 7 does not apply.

      (ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of sub-processor changes shall be as set forth in Section 1(g) of this DPA.

      (iii) In Clause 11, the optional language does not apply.

      (iv) All square brackets in Clause 13 are hereby removed.

      (v) In Clause 17 (Option 1), the EU SCCs will be governed by the EU member state where the data exporter is located

      (vi) In Clause 18(b), disputes will be resolved before the courts of the EU member state where the data exporter is located.

      (vii) **Exhibit A** to this DPA contains the information required in Annex I and Annex III of the EU SCCs.

      (viii) **Exhibit B** to this DPA contains the information required in Annex II of the EU SCCs.

   3. With respect to Customer Data originating from the United Kingdom, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Annex I of Appendix A to this DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.
8. TERM. DATA RETURN AND DELETION
   1. This DPA shall remain in effect as long as INVOICE FLY carries out Customer Data processing operations on your behalf or until the termination of the Agreement (and all Customer Data has been returned or deleted in accordance with this DPA). On the termination of the data processing services, upon your reasonable request, and in any case at least once every thirty (30) days, INVOICE FLY shall, and shall direct each Subprocessor to, return to you or delete the Customer Data, unless Data Protection Laws prevent INVOICE FLY from returning or destroying all or part of the Customer Data. For clarity, INVOICE FLY may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve INVOICE FLY’s systems and services.

EXHIBIT A

A. LIST OF PARTIES

• Data exporter(s): the Customer identified on the applicable Services registration documents
• Data importer(s):
  
  Name: LABHOUSE MOBILE, SL.

  
  Address: Plaça Pau Vila, 1, Ciutat Vella, 08003 Barcelona, Spain
  
  Contact Person’s, position and contact details:
  – Data Protection Officer
  – dpo@labhouse.io
  
  Activities relevant to the data transferred under these Clauses: The performance of the services described in the agreement to which this is attached.

  Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY

EXHIBIT B

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. Information Security Program (ISP)INVOICE FLY will maintain an ISP designed to (a) help the Customer secure Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the INVOICE FLY Network (defined below), and (c) minimize security risks, including through risk assessment and regular testing. INVOICE FLY will appoint an employee to be accountable for the ISP.

   The ISP will include the following measures:

   1. Network SecurityThe INVOICE FLY Network will be accessible to employees, contractors and any other person as required to provide the data processing services. INVOICE FLY will maintain access controls and policies to manage access to the INVOICE FLY Network from each network connection and user, including the use of authentication controls, firewalls or Intrusion Detection systems. INVOICE FLY will maintain security incident response plans to handle potential security incidents.
   2. Physical SecurityPhysical components of the INVOICE FLY Network are housed in facilities (“Facilities”) which meet or exceed all of the following physical security requirements:

      (i) Physical Access Controls. Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (e.g., card access systems, etc.) or validation by human security personnel (e.g., contract or in-house security guard service, receptionist, etc.). Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities.

      (ii) Limited Employee and Contractor Access. INVOICE FLY provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of INVOICE FLY or its affiliates.

      (iii) Physical Security Protections. All access points (except for main entry doors) are maintained in a locked state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. INVOICE FLY also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability (e.g., primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

   3. Personal Data Security. Controls for the Protection of Personal Data.

      INVOICE FLY will maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data appropriate to the risk, including inter alia as appropriate: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. INVOICE FLY regularly monitors compliance with these measures. INVOICE FLY will not materially decrease the overall security of the data processing services during a subscription term

   4. Business Continuity and Disaster Recovery
      INVOICE FLY will maintain a Business Continuity and Disaster Recovery plan based on risk.
   5. Employee security
      INVOICE FLY will have signed confidentiality agreements with the employees and contractors.