Data Processing Addendum

Last Updated on May 2, 2026

This Data Processing Addendum (“DPA”) supplements the master subscription agreement, order form, online terms of service, or other agreement between PartnerOS, Inc., a Delaware corporation with a principal place of business in Austin, Texas (“PartnerOS” or “Company”), and the organization agreeing to these terms (“Customer”), that governs Customer’s use of the Services (the “Agreement”). PartnerOS and Customer may each be referred to as a “Party” and collectively as the “Parties”. By executing this DPA or by accepting it by reference through the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Affiliates. This DPA is incorporated by reference into the Agreement. All capitalized terms used but not defined in this DPA will have the meaning set forth in the Agreement.

This DPA sets out the terms that apply when Customer Personal Data is Processed by PartnerOS under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Data Protection Laws and respects the rights of individuals whose Personal Data is Processed under the Agreement.

1. Definitions


1.1 “Affiliate” means (i) an entity of which a Party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a Party, or (iii) an entity which is under common control with a Party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a Party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.


1.2 “Authorized Sub-Processor” means a third party (including a PartnerOS Affiliate) who has a need to know or otherwise access Customer Personal Data to enable PartnerOS to perform its obligations under this DPA or the Agreement, and who is either (i) listed at https://partneros.ai/subprocessors as of the Effective Date or (ii) subsequently authorized in accordance with Section 5 of this DPA.


1.3 “Company Account Data” means Personal Data that relates to PartnerOS’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data PartnerOS may need to collect for the purpose of managing its relationship with Customer, identity verification, sales and marketing, or as otherwise required by applicable laws and regulations.


1.4 “Company Usage Data” means Service usage data collected and processed by PartnerOS in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, telemetry, and data used to optimize, secure, and maintain performance of the Services, and to investigate and prevent system abuse. Company Usage Data does not include the substantive content of Customer Data submitted to the Services by Customer.


1.5 “Customer Personal Data” means Customer Data, as defined in the Agreement, consisting of Personal Data, except for Company Account Data and Company Usage Data.


1.6 “Data Protection Laws” means all applicable laws and regulations in any relevant jurisdiction relating to privacy, data protection, security, or the Processing of Personal Data, including without limitation: (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), and its implementing regulations; (ii) the Texas Data Privacy and Security Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and other U.S. state privacy laws as applicable; (iii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection (“FADP”); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended, or replaced from time to time. The terms “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “processor,” “controller,” and “supervisory authority” have the meanings set forth in the GDPR (or the equivalent terms under the applicable Data Protection Laws), and the terms “personal information,” “service provider,” “sale,” “sell,” “sharing,” and “business” have the meanings set forth in the CCPA.


1.7 “Data Exporter” means Customer.


1.8 “Data Importer” means PartnerOS.


1.9 “EEA” means for purposes of this DPA, the European Economic Area, comprising the member states of the European Union, Norway, Iceland, and Liechtenstein.


1.10 “EU SCCs” means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be updated or replaced from time to time, completed as described in Section 7 of this DPA.


1.11 “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the EEA, where such transfer is not governed by an adequacy decision made by the European Commission.


1.12 “ex-UK Transfer” means the transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom, where such transfer is not governed by an adequacy decision made by the Secretary of State.


1.13 “Services” means the products and services provided by PartnerOS to Customer as specified in the Agreement, including the PartnerOS partner relationship management (PRM) platform and any related AI-enabled features, agents, modules, and integrations.


1.14 “Standard Contractual Clauses” means the EU SCCs and the UK SCCs, as applicable.


1.15 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner’s Office, laid before Parliament on 2 February 2022, as may be revised from time to time.


1.16 “UK SCCs” means the EU SCCs, as amended and incorporated by the UK Addendum.


2. Relationship of the Parties; Processing of Data


2.1 The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this DPA or the Agreement, PartnerOS is a processor. Customer shall, in its use of the Services, at all times Process Customer Personal Data, and provide instructions for the Processing of Customer Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the Processing of Customer Personal Data in accordance with Customer’s instructions will not cause PartnerOS to be in breach of the Data Protection Laws.


2.2 Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to PartnerOS by or on behalf of Customer, (ii) the means by which Customer acquired any such Customer Personal Data, and (iii) the instructions it provides to PartnerOS regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to PartnerOS any Customer Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify PartnerOS from all claims and losses in connection therewith.


2.3 PartnerOS shall not Process Customer Personal Data (i) for purposes other than those set forth in the Agreement and in Exhibit A; (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by Data Protection Laws to which PartnerOS is subject (in which case PartnerOS shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest); or (iii) in violation of Data Protection Laws. Customer hereby instructs PartnerOS to Process Customer Personal Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of the Services.


2.4 The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A.


2.5 CCPA. Except with respect to Company Account Data and Company Usage Data, the Parties acknowledge and agree that PartnerOS is a service provider for purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a business purpose. PartnerOS shall not sell or share (as defined by CCPA) any such personal information. PartnerOS shall not retain, use, or disclose any personal information provided by Customer pursuant to the Agreement except as necessary for the specific purpose of performing the Services for Customer, or otherwise as set forth in the Agreement or as permitted by the CCPA. PartnerOS shall not combine personal information received from Customer with personal information received from any other source, except as permitted under the CCPA. PartnerOS certifies that it understands the restrictions of this Section 2.5.


2.6 AI Features. Customer acknowledges that the Services may include AI-enabled features (including named agents and automated workflows). PartnerOS will not use Customer Personal Data to train, fine-tune, or otherwise improve any generally available foundation model or any AI model offered to third parties. Any AI Processing of Customer Personal Data is performed solely to provide the Services to Customer in accordance with Customer’s instructions and the Agreement. PartnerOS contractually requires any AI sub-processor to refrain from using Customer Personal Data to train its models.


2.7 Return or Deletion. Following completion of the Services, at Customer’s choice, PartnerOS shall return or delete Customer Personal Data, unless further storage of such Customer Personal Data is required or authorized by applicable law. If return or destruction is impracticable or prohibited by law, rule, or regulation, PartnerOS shall take measures to block such Customer Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law) and shall continue to appropriately protect the Customer Personal Data remaining in its possession, custody, or control. Where Standard Contractual Clauses apply, the certification of deletion described in Clause 8.1(d) and Clause 8.5 of the EU SCCs shall be provided by PartnerOS to Customer only upon Customer’s written request.


3. PartnerOS’s Role as an Independent Controller


3.1 The Parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, PartnerOS is an independent controller, not a joint controller with Customer. PartnerOS will Process Company Account Data and Company Usage Data as a controller to: (i) manage the relationship with Customer; (ii) carry out PartnerOS’s core business operations, such as accounting, audits, tax preparation and filing, and compliance purposes; (iii) monitor, investigate, prevent, and detect fraud, security incidents, and other misuse of the Services, and to prevent harm to Customer; (iv) verify identity; (v) comply with legal or regulatory obligations applicable to the Processing and retention of Personal Data to which PartnerOS is subject; (vi) provide, optimize, secure, and maintain the Services, including by analyzing aggregated and de-identified usage patterns; and (vii) as otherwise permitted under Data Protection Laws and in accordance with this DPA and the Agreement.


3.2 Either Party may Process Company Account Data and Company Usage Data as necessary for the purposes set forth in Section 3.1 and for administrative, business, sales, and marketing purposes consistent with its respective role as an independent controller. Any Processing by PartnerOS as a controller shall be in accordance with PartnerOS’s privacy policy published at https://partneros.ai/privacy.


4. Confidentiality

PartnerOS shall ensure that any person it authorizes to Process Customer Personal Data has agreed to protect Customer Personal Data in accordance with PartnerOS’s confidentiality obligations in the Agreement or is under an appropriate statutory obligation of confidentiality. Customer agrees that PartnerOS may disclose Customer Personal Data to its advisers, auditors, or other third parties as reasonably required in connection with the performance of its obligations under this DPA, the Agreement, or the provision of Services to Customer.


5. Authorized Sub-Processors


5.1 Customer acknowledges and agrees that PartnerOS may (i) engage its Affiliates as well as the Authorized Sub-Processors listed at https://partneros.ai/subprocessors (the “List”) to access and Process Customer Personal Data in connection with the Services, and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Customer Personal Data. By way of this DPA, Customer provides general written authorization to PartnerOS to engage sub-processors as necessary to perform the Services.


5.2 The List may be updated by PartnerOS from time to time. PartnerOS will provide a mechanism to subscribe to notifications of new Authorized Sub-Processors at https://partneros.ai/subprocessors, and Customer, if it wishes, will subscribe to such notifications. If Customer does not subscribe, Customer waives any right it may have to receive prior notice of changes to Authorized Sub-Processors. At least fifteen (15) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the Processing of Customer Personal Data, PartnerOS will add such third party to the List and notify subscribers. Customer may object to such an engagement by informing PartnerOS in writing at privacy@partneros.ai within fifteen (15) days of receipt of notice, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent PartnerOS from offering the Services to Customer.


5.3 If Customer reasonably objects to an engagement in accordance with Section 5.2, and PartnerOS cannot provide a commercially reasonable alternative within a reasonable period of time (not to exceed thirty (30) days), Customer may discontinue the use of the affected Service by providing written notice to PartnerOS. Discontinuation shall not relieve Customer of any fees owed to PartnerOS under the Agreement prior to the discontinuation date.


5.4 If Customer does not object to the engagement of a third party in accordance with Section 5.2 within fifteen (15) days of notice by PartnerOS, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.


5.5 PartnerOS will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations substantially similar to those imposed on PartnerOS under this DPA with respect to the protection of Customer Personal Data. If an Authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement, PartnerOS will remain liable to Customer for the performance of the Authorized Sub-Processor’s obligations.


5.6 Where the Parties have entered into Standard Contractual Clauses as described in Section 7 (Transfers of Personal Data): (i) the authorizations in this Section 5 will constitute Customer’s prior written consent to the subcontracting by PartnerOS of the Processing of Personal Data; and (ii) the copies of the agreements with Authorized Sub-Processors that must be provided by PartnerOS to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses, redacted by PartnerOS beforehand, and such copies will be provided only upon Customer’s written request.


6. Security of Personal Data

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PartnerOS shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Customer Personal Data. Exhibit C sets forth additional information about PartnerOS’s technical and organizational security measures, and a current and complete description is published at https://partneros.ai/security. PartnerOS may update such measures from time to time, provided that any updates will not materially lower the level of protection of Customer Personal Data. PartnerOS will ensure that the persons it authorizes to Process Customer Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.


7. Transfers of Personal Data


7.1 The Parties agree that PartnerOS may transfer Personal Data Processed under this DPA outside the EEA, the United Kingdom, or Switzerland as necessary to provide the Services. Customer acknowledges that PartnerOS’s primary Processing operations take place in the United States, and that the transfer of Personal Data to the United States is necessary for the provision of the Services to Customer. If PartnerOS transfers Personal Data protected under this DPA to a jurisdiction for which the European Commission, the United Kingdom, or Switzerland (as applicable) has not issued an adequacy decision, PartnerOS will ensure that appropriate safeguards have been implemented for the transfer of Personal Data in accordance with Data Protection Laws.


7.2 ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into and incorporated into this DPA by reference, and completed as follows:

Module One (Controller to Controller) of the EU SCCs applies when PartnerOS Processes Personal Data as an independent controller pursuant to Section 3 of this DPA.

Module Two (Controller to Processor) of the EU SCCs applies when Customer is a controller and PartnerOS is Processing Customer Personal Data for Customer as a processor pursuant to Section 2 of this DPA.

Module Three (Processor to Sub-Processor) of the EU SCCs applies when Customer is a processor and PartnerOS is Processing Personal Data on behalf of Customer as a sub-processor.

For each Module, where applicable: the optional docking clause in Clause 7 does not apply; in Clause 9, Option 2 (general written authorization) applies, with the minimum notice period set forth in Section 5 of this DPA; in Clause 11, the optional language does not apply; all square brackets in Clause 13 are removed; in Clause 17 (Option 1), the EU SCCs will be governed by the law of Ireland; in Clause 18(b), disputes will be resolved before the courts of Ireland.

Exhibit B to this DPA contains the information required by Annex I and Annex III of the EU SCCs.

Exhibit C to this DPA contains the information required by Annex II of the EU SCCs.

By entering into this DPA, the Parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.


7.3 ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this DPA by reference, as amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D.


7.4 Transfers from Switzerland. Transfers from Switzerland are made pursuant to the EU SCCs with the following modifications: (i) references to the GDPR are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP; (ii) the terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of revisions to the FADP that eliminate this broader scope; (iii) Clause 13 of the EU SCCs is modified to provide that the Swiss Federal Data Protection and Information Commissioner has authority over data transfers governed by the FADP and the appropriate EU supervisory authority has authority over data transfers governed by the GDPR; and (iv) the term “EU Member State” shall not be interpreted so as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.


7.5 Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:

As of the Effective Date of this DPA, the Data Importer has not received any formal legal requests from any government intelligence or security service or agency in the country to which the Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”).

If, after the Effective Date, the Data Importer receives any Government Agency Requests, PartnerOS shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. As part of this effort, PartnerOS may provide Customer’s basic contact information to the government agency. If compelled to disclose Customer’s Personal Data to a law enforcement or government agency, PartnerOS shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy unless PartnerOS is legally prohibited from doing so. PartnerOS shall not voluntarily disclose Personal Data to any law enforcement or government agency. The Parties shall, as soon as reasonably practicable, discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in light of such Government Agency Requests.

The Parties will meet as needed to consider whether: (i) the protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK; (ii) additional measures are reasonably necessary to enable the transfer to be compliant with Data Protection Laws; and (iii) it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the Parties, together with guidance provided by the supervisory authorities.


7.6 If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to the Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required to reflect the applicable appendices and annexes, the details of the transfer, and the requirements of the relevant Data Protection Laws.


7.7 If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA, the UK, or Switzerland set forth in this DPA cease to be valid, or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then the Data Importer may by notice to the Data Exporter, with effect from the date set out in such notice, amend or put in place alternative arrangements in respect of such transfers, as required by Data Protection Laws.


7.8 EU Representative. PartnerOS has appointed DataRep as its representative in the European Union pursuant to Article 27 of the GDPR. Data subjects may contact DataRep at the address published at https://www.datarep.com/data-request, listing PartnerOS, Inc. as the data controller or processor (as applicable).


8. Rights of Data Subjects


8.1 PartnerOS shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection to being subject to Processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If PartnerOS receives a Data Subject Request in relation to Customer Personal Data, PartnerOS will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction, or cessation of Processing, or withdrawal of consent to Processing of any Customer Personal Data are communicated to PartnerOS, and, if applicable, for ensuring that a record of consent to Processing is maintained with respect to each Data Subject.


8.2 PartnerOS shall, at the request of Customer, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without PartnerOS’s assistance and (ii) PartnerOS is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by PartnerOS.


9. Actions and Access Requests; Audits; Personal Data Breach


9.1 PartnerOS shall, taking into account the nature of the Processing and the information available to PartnerOS, provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by PartnerOS.


9.2 PartnerOS shall, taking into account the nature of the Processing and the information available to PartnerOS, provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior consultation with any supervisory authority, where necessary and where required by the GDPR. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by PartnerOS.


9.3 PartnerOS shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA, and retain such records for a period of three (3) years after the termination of the Agreement.


9.4 Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, PartnerOS shall either (i) make available for Customer’s review copies of certifications or reports demonstrating PartnerOS’s compliance with prevailing data security standards applicable to the Processing of Customer Personal Data (such as PartnerOS’s most recent SOC 2 Type I or Type II report, once available), or (ii) if the provision of reports or certifications pursuant to (i) is not reasonably sufficient under Data Protection Laws, allow Customer’s independent third-party representative to conduct an audit or inspection of PartnerOS’s data security infrastructure and procedures that is sufficient to demonstrate PartnerOS’s compliance with its obligations under Data Protection Laws, provided that: (a) Customer provides at least sixty (60) business days’ prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to PartnerOS’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; (c) such audit shall be restricted to data relevant to Customer; (d) Customer’s third-party representative shall not be a competitor of PartnerOS and shall be bound by confidentiality obligations no less protective than those in the Agreement; and (e) such audit shall be completed within two (2) business days. Customer shall be responsible for the costs of any such audits or inspections, including without limitation reimbursement to PartnerOS for any time expended for on-site audits at PartnerOS’s then-current professional services rates. Prior to PartnerOS’s issuance of its first SOC 2 Type II report, PartnerOS may satisfy its obligations under this Section 9.4 by providing its then-current SOC 2 Type I report, security questionnaire responses, and policy summaries. 
Where Standard Contractual Clauses apply, the audits described in Clause 8.9 of the EU SCCs shall be carried out in accordance with this Section 9.4.


9.5 PartnerOS shall promptly notify Customer if an instruction, in PartnerOS’s opinion, infringes the Data Protection Laws or supervisory authority guidance.


9.6 In the event of a Personal Data Breach, PartnerOS shall, without undue delay and in any event no later than seventy-two (72) hours following confirmation of the Personal Data Breach, inform Customer of the Personal Data Breach and take such steps as PartnerOS in its reasonable discretion deems necessary to remediate the breach (to the extent that remediation is within PartnerOS’s reasonable control). The notification will include PartnerOS’s then-current assessment of: (i) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (ii) the likely consequences of the Personal Data Breach; and (iii) measures taken or proposed to be taken by PartnerOS to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.


9.7 In the event of a Personal Data Breach, PartnerOS shall, taking into account the nature of the Processing and the information available to PartnerOS, provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant supervisory authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.


9.8 The obligations described in Sections 9.6 and 9.7 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. PartnerOS’s obligation to report or respond to a Personal Data Breach under Sections 9.6 and 9.7 will not be construed as an acknowledgement by PartnerOS of any fault or liability with respect to the Personal Data Breach. Customer is solely responsible for complying with legal requirements for incident notification applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach.


10. Order of Precedence

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (i) the applicable terms in the Standard Contractual Clauses; (ii) the terms of this DPA; (iii) the Agreement; and (iv) PartnerOS’s privacy policy. Any claims brought in connection with this DPA will be subject to the terms and conditions, including the exclusions and limitations of liability, set forth in the Agreement.


11. Execution of this DPA

This DPA may be entered into in either of the following ways: (i) by incorporation by reference into the Agreement, in which case execution of the Agreement (whether by signature, online acceptance, or other means accepted under the Agreement) shall constitute execution of this DPA without any further action required by either Party; or (ii) by the Parties signing a stand-alone copy of this DPA. To execute a stand-alone copy, Customer must complete the information requested in the signature block below and on Exhibit B, and send the completed and signed DPA to PartnerOS at privacy@partneros.ai. Upon receipt by PartnerOS, this DPA will become legally binding. PartnerOS has pre-signed this DPA in the signature block below and on Exhibit B in its capacity as Data Importer.


Customer

Customer Legal Name: __________________________________

Signature: ______________________________

Print Name: __________________________________

Title: ___________________________________

Date: ___________________________________


Notice email for sub-processor notifications and Personal Data Breach notifications: __________________________________

PartnerOS, Inc.

Signature: ______________________________

Print Name: __________________________________

Title: ___________________________________

Date: ___________________________________

Notice email: privacy@partneros.ai





EXHIBIT A


Details of Processing

Nature and Purpose of Processing


PartnerOS will Process Customer Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA. The nature of Processing includes, without limitation:

Receiving data, including collection, accessing, retrieval, recording, and data entry;

Protecting data, including restricting, encrypting, and security testing;

Holding data, including storage, organization, and structuring;

Erasing data, including destruction and deletion;

Analyzing data, including product usage assessment, partner program performance analytics, and AI-enabled feature execution; and

Sharing data, including disclosure to Authorized Sub-Processors as permitted in this DPA.


Duration of Processing


PartnerOS will Process Customer Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for PartnerOS’s legitimate business needs in accordance with this DPA; or (iii) by applicable law or regulation. Company Account Data and Company Usage Data will be Processed and stored as set forth in PartnerOS’s privacy policy at https://partneros.ai/privacy.


Categories of Data Subjects

Categories of Data Subjects include, without limitation: Customer’s employees, consultants, contractors, agents, and Permitted Users; Customer’s channel, solution, sales, services, and technology partners and their personnel; and end customers, prospects, and leads associated with Customer’s partner programs.


Categories of Personal Data

PartnerOS Processes Personal Data contained in Company Account Data, Company Usage Data, and any Customer Personal Data provided by Customer (including any Personal Data Customer collects from its end users, partners, or other Data Subjects and Processes through its use of the Services) or collected by PartnerOS in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include, without limitation: name, business contact information (email, phone, title, employer, work address), professional profile information, partner program enrollment and tier data, deal registration data, opportunity and pipeline data, joint plan and enablement data, certification and training records, communications and content shared in the Services, IP address, device identifiers, authentication and access logs, and Service usage and telemetry data.

Sensitive Data or Special Categories of Data

Customer is prohibited from providing sensitive Personal Data or special categories of data to PartnerOS, including without limitation any data which discloses racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation, criminal history, or government-issued identification numbers. The Services are not designed or intended for the Processing of such data.


Frequency of Transfer

Continuous, for the duration of the Agreement.





EXHIBIT B

Annexes I and III of the EU SCCs / Tables of the UK Addendum

The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.


The Parties


Data Exporter

Name: The exporter is the Customer specified in the Agreement.

Trading Name (if different): As specified in the Agreement.

Address: As specified in the Agreement.

Official Registration Number (if any): As specified in the Agreement.

Contact person (name, position, contact details): As specified in the Agreement.

Activities relevant to the data transferred: Obtaining the Services from the Data Importer, as described in Section 2 of the DPA.

Signature and date: Execution of the Agreement (whether by signature, online acceptance, or other means accepted under the Agreement) constitutes execution of this DPA, including this Exhibit B, as set forth in Section 11 of the DPA.

Role: Controller (Modules 1 and 2) or Processor (Module 3), as applicable.


Data Importer

Name: PartnerOS, Inc.

Trading Name (if different): N/A.

Address and contact information: Austin, Texas, United States; privacy@partneros.ai. Current mailing address published at https://partneros.ai/contact.

Official Registration Number: Delaware Secretary of State entity (incorporated February 2026).

Contact person: Privacy Team, privacy@partneros.ai.

Activities relevant to the data transferred: Providing the Services to the Data Exporter, as described in Section 2 of the DPA.

Signature and date: Pre-signed by PartnerOS as Data Importer.

Role: As described in Sections 2 and 3 of the DPA: independent controller (Module 1), processor (Module 2), or sub-processor (Module 3).


Description of the Transfer

Data Subjects: As described in Exhibit A of the DPA.

Categories of Personal Data: As described in Exhibit A of the DPA.

Special Category Personal Data: As described in Exhibit A of the DPA. None anticipated; Customer is prohibited from submitting such data.

Nature of the Processing: As described in Exhibit A of the DPA.

Purposes of Processing: As described in Exhibit A of the DPA.

Duration of Processing and Retention: As described in Exhibit A of the DPA.

Frequency of the transfer: As necessary to perform all obligations and rights with respect to Personal Data as provided in the Agreement or DPA.

Recipients of Personal Data Transferred to the Data Importer: PartnerOS maintains a list of Authorized Sub-Processors at: https://partneros.ai/subprocessors.


Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs. To the extent legally permissible, the Parties select the Irish Data Protection Commission. The supervisory authority for purposes of the UK Addendum shall be the UK Information Commissioner’s Office. The supervisory authority for purposes of transfers governed by the FADP shall be the Swiss Federal Data Protection and Information Commissioner.





EXHIBIT C


Technical and Organizational Security Measures

The following includes the information required by Annex II of the EU SCCs and Annex II of the UK Addendum. A current and complete description of PartnerOS’s technical and organizational measures is published at https://partneros.ai/security. The published version controls in the event of any conflict with the summary below.

Measures of pseudonymization and encryption of Personal Data

PartnerOS uses industry-standard secure methods and protocols for transmission of confidential or sensitive information over public networks (TLS 1.2 or higher). Databases housing Personal Data are encrypted at rest using AES-256 or equivalent algorithms. Secrets and credentials are stored in a dedicated secrets management system with access logged and audited.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services

PartnerOS’s customer agreements contain confidentiality obligations. PartnerOS requires every downstream sub-processor to enter into confidentiality provisions substantially similar to those in PartnerOS’s customer agreements. PartnerOS is pursuing a SOC 2 Type I observation window in 2026 with progression to SOC 2 Type II, and maintains a continuous compliance monitoring program through Vanta. Role-based access controls with least-privilege provisioning, mandatory multi-factor authentication for production access, and production environments segregated from development and test environments.


Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner

Automated backups of production datastores are taken on a regular basis and tested in accordance with PartnerOS’s information security and data management policies. Documented disaster recovery and business continuity plans are tested at least annually. A documented incident response plan is in place, with tabletop exercises performed at least annually.

Processes for regularly testing, assessing, and evaluating the effectiveness of measures

Annual independent third-party security assessment (SOC 2 Type I in 2026, progressing to SOC 2 Type II). Periodic third-party penetration testing. Internal policy review at least annually. Continuous compliance monitoring via Vanta or equivalent.


Measures for user identification and authorization

Unique user accounts with no shared credentials for production access. Mandatory multi-factor authentication for all PartnerOS personnel with access to production systems. Single sign-on (SSO) and SAML available for Customer end-user authentication. Network infrastructure is configured to block unnecessary ports, services, and unauthorized traffic.


Measures for the protection of data during transmission

TLS 1.2 or higher for all data in transit between users, services, and sub-processors. Recommended secure cipher suites only.


Measures for the protection of data during storage

Encryption at rest for production databases and object storage using industry-standard AES-256 or equivalent. Logical separation of Customer tenants.


Measures for ensuring physical security of locations at which Personal Data are processed

PartnerOS does not operate its own data centers. Production infrastructure is hosted by PartnerOS’s cloud infrastructure sub-processors, which maintain SOC 2, ISO 27001, and/or equivalent certifications and implement industry-standard physical security controls.


Measures for ensuring events logging

Authentication, authorization, and administrative actions are logged. Logs are retained in accordance with PartnerOS’s log retention policy and protected against unauthorized modification. Logs are reviewed by the security and engineering teams; activities are investigated and escalated as appropriate.


Measures for ensuring system configuration, including default configuration

Hardened baseline configurations for production systems. Infrastructure-as-code with peer review for changes to production configuration. Documented change management process; production changes are automated through CI/CD tools to ensure consistent configurations.


Measures for internal IT and IT security governance and management

Documented information security policies reviewed at least annually. Designated security ownership within PartnerOS leadership. Mandatory security awareness training for all personnel at hire and annually thereafter. Risk-based information security governance program covering administrative, organizational, technical, and physical safeguards.


Measures for certification and assurance of processes and products

SOC 2 Type I observation window scheduled for 2026, progressing to SOC 2 Type II. Continuous compliance monitoring via Vanta or equivalent.

Measures for ensuring data minimization

Customer unilaterally determines what data it routes through the Services. PartnerOS operates on a shared responsibility model. Self-service functionality enables Customers to delete and suppress data at their discretion. Configurable data retention controls available to Customer administrators.


Measures for ensuring data quality

Multi-tiered approach including unit testing of data-processing logic, database schema validation rules executed before data is persisted, and strict API contract enforcement. Customer-controlled data entry and validation within the Services. Customer administrators may correct, update, or delete Customer Personal Data through the Services.


Measures for ensuring limited data retention

Customer unilaterally determines what data it routes through the Services. Retention periods aligned to the purpose of Processing and Customer instructions. Deletion or anonymization of Customer Personal Data upon termination as set forth in Section 2.7 of this DPA.


Measures for ensuring accountability

Documented data protection and information security policies across the business. Documented data processing records. Reporting of Personal Data Breaches in accordance with this DPA. Formally assigned roles and responsibilities for information security and data privacy. Designated privacy contact: privacy@partneros.ai. EU representative: DataRep (see Section 7.8).


Measures for allowing data portability and ensuring erasure

Customer administrators may export Customer Data through the Services or via documented APIs. Customer may request deletion or anonymization of Customer Personal Data as set forth in Section 2.7 of this DPA.

Technical and organizational measures of sub-processors

PartnerOS enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this DPA. The current list of sub-processors and the nature of the Processing each performs is published at https://partneros.ai/subprocessors.





EXHIBIT D

UK Addendum to the EU SCCs

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the United Kingdom Information Commissioner’s Office (the “ICO”) and laid before Parliament on 2 February 2022 in accordance with s119A of the Data Protection Act 2018 (the “Approved UK Addendum”), as may be revised by the ICO from time to time.

Part 1: Tables

Table 1: Parties

Start Date: This UK Addendum shall have the same effective date as the DPA.

The Parties: Exporter is Customer. Importer is PartnerOS, Inc.

Parties’ Details: As set forth in Exhibit B of this DPA.

Key Contact: As set forth in Exhibit B of this DPA.

Table 2: Selected SCCs, Modules and Selected Clauses

The version of the Approved EU SCCs which this UK Addendum is appended to is as defined in the DPA and completed by Section 7 of the DPA.

Table 3: Appendix Information

Annex 1A (List of Parties): As set forth in Table 1 above and Exhibit B of the DPA.

Annex 1B (Description of Transfer): As set forth in Exhibit B of the DPA.

Annex II (Technical and organizational measures): As set forth in Exhibit C of the DPA.

Annex III (List of Sub-processors, Modules 2 and 3): As set forth in Exhibit B of the DPA and at https://partneros.ai/subprocessors.

Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

The following Party (or Parties) may end this UK Addendum if the ICO issues a revised Approved UK Addendum that directly results in a substantial, disproportionate, and demonstrable increase in (a) its direct costs of performing its obligations under the UK Addendum or (b) its risk under the UK Addendum: Importer and Exporter (both Parties).

Part 2: Mandatory Clauses

The mandatory clauses of the Approved UK Addendum, as may be revised by the ICO from time to time, are incorporated by reference into this Exhibit D and apply to this UK Addendum. By entering into this DPA, the Parties are deemed to be signing the UK Addendum and its applicable Tables and Appendix Information. The amendments to the EU SCCs set forth in the Approved UK Addendum apply for purposes of ex-UK Transfers, including: references to the GDPR are replaced with references to UK Data Protection Laws; references to the European Union or EU Member States are replaced with references to the United Kingdom; the supervisory authority is the Information Commissioner; the UK Addendum is governed by the laws of England and Wales; and any dispute arising from the UK Addendum shall be resolved by the courts of England and Wales.

Contact Us

If you have any questions or concerns about our Usage Policy or the handling of your personal information, please contact us at support@partneros.ai.
