Data Processing Agreement
Last updated · April 10, 2026
This Data Processing Agreement describes how IT Custom Solution LLC processes personal data on behalf of DeliverOps customers and defines the responsibilities of both parties under applicable data protection laws.
Scope and Applicability
This Data Processing Agreement ("DPA") forms part of the DeliverOps Terms of Service between IT Custom Solution LLC ("Processor") and the Customer ("Controller") whose use of DeliverOps involves the processing of personal data.
This DPA applies to the extent IT Custom Solution LLC processes personal data on behalf of the Controller in connection with the services described at trydeliverops.com.
Definitions
"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given to them in the GDPR (Regulation (EU) 2016/679).
"Standard Contractual Clauses" means the clauses adopted by the European Commission for the transfer of personal data to third countries.
"Sub-processor" means any third party engaged by the Processor to process personal data in connection with the services.
Processor Obligations
The Processor will:
- Process personal data only on documented instructions from the Controller
- Ensure personnel authorized to process personal data are under appropriate confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Assist the Controller in responding to data subject requests
- Delete or return personal data at the end of the services, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
Sub-processors
The Controller grants the Processor general authorization to engage sub-processors. A current list of sub-processors is available at https://trydeliverops.com/subprocessors.
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object. The Processor remains fully responsible for the performance of any sub-processor.
International Data Transfers
All customer personal data is stored in the United States. The Processor does not transfer personal data outside the United States without the Controller's explicit consent.
If transfers outside the EEA become necessary, such transfers will be governed by Standard Contractual Clauses or other legally approved mechanisms.
Security Measures
The Processor implements and maintains the following security measures:
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256)
- Access controls based on the principle of least privilege
- Multi-factor authentication for all administrative access
- Regular vulnerability scanning and penetration testing
- Incident response procedures with 24-hour notification SLA
- Annual security training for all personnel with access to personal data
Additional detail is available at https://trydeliverops.com/security.
Data Subject Requests
The Processor will assist the Controller, at the Controller's expense, in responding to requests from data subjects to exercise their rights under applicable law, including rights of access, rectification, erasure, restriction, portability, and objection.
Data subject requests received directly by the Processor will be forwarded to the Controller without undue delay.
Personal Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach affecting the Controller's personal data.
The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
Audits and Inspections
Upon reasonable written notice and not more than once per calendar year, the Controller may audit the Processor's compliance with this DPA. Audits will be conducted during regular business hours and will not unreasonably interfere with the Processor's business operations.
The Processor may satisfy audit requests by providing recent third-party audit reports (e.g., SOC 2 Type II) covering the relevant period.
Contact
For questions about this DPA or to execute a signed copy, contact:
IT Custom Solution LLC
3 E Evergreen Road Suite 101, PMB 1058
New City, NY 10956
Email: [email protected]
Phone: (646) 671-3399