Data Processing Addendum

Effective Date: April 1, 2025
Version: 1.1

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Roomvu Terms of Service available at https://www.roomvu.com/terms-of-service, together with any order form, subscription agreement, or other written agreement between Roomview Technologies Inc., operating as "Roomvu," a British Columbia corporation ("Roomvu"), and the customer identified in the applicable agreement ("Customer") (collectively, the "Agreement"). This DPA applies whenever Roomvu processes Personal Data on behalf of Customer in connection with Customer's use of the Services. This DPA takes precedence over any conflicting provision of the Agreement solely with respect to the processing of Personal Data. In the event of a conflict between this DPA and any Standard Contractual Clauses or equivalent cross-border transfer mechanism incorporated by reference (together, the "SCCs"), the SCCs will prevail. By accepting the Agreement, or by continuing to use the Services on or after the Effective Date of this DPA, Customer is deemed to have accepted this DPA.

1. Definitions

For purposes of this DPA:

1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, as applicable: (a) the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and any substantially similar provincial law, including British Columbia's Personal Information Protection Act; (b) Regulation (EU) 2016/679 (the "EU GDPR") and, where applicable, the UK General Data Protection Regulation and the UK Data Protection Act 2018 (collectively, "UK GDPR"); (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"); (d) the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and any other US state privacy law applicable to Customer's processing; and (e) any other data protection, privacy, or consumer protection law applicable to Customer or to Roomvu's processing under the Agreement.

1.2 "Controller," "Processor," "Data Subject," "Personal Data," "Processing" (and cognate forms), and "Supervisory Authority" have the meanings given in the EU GDPR. The terms "business," "service provider," "sale," "share," and "consumer" have the meanings given in the CCPA/CPRA. The terms "organization," "personal information," and "commercial activity" have the meanings given in PIPEDA. Where the Agreement or this DPA uses these terms, the equivalent concept under each Applicable Data Protection Law applies as appropriate.

1.3 "Customer Personal Data" means Personal Data that Customer, or any end user, lead, client, or other individual acting through or in relation to Customer, submits to, uploads to, or otherwise makes available through the Services, and that Roomvu Processes on Customer's behalf.

1.4 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by Roomvu or a Subprocessor.

1.5 "Services" means the Roomvu software-as-a-service platform, applications, APIs, and related services provided to Customer under the Agreement, including all AI, automation, publishing, and content-generation features.

1.6 "Subprocessor" means any third party engaged by Roomvu that Processes Customer Personal Data in connection with the Services, including Roomvu's AI Providers, infrastructure providers, analytics providers, and support tools.

1.7 "SCCs" means (a) for transfers of Customer Personal Data from the European Economic Area, the standard contractual clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and (b) for transfers from the United Kingdom, the UK International Data Transfer Addendum issued under section 119A of the UK Data Protection Act 2018, each as amended from time to time.

2. Roles of the Parties and Scope of Processing

2.1 Roles. With respect to Customer Personal Data, Customer is the Controller (or business) and Roomvu is the Processor (or service provider). Where Customer itself acts as a Processor on behalf of a further Controller, Roomvu acts as the Subprocessor of that further Controller, and Customer represents and warrants that it has all authority necessary to engage Roomvu on that further Controller's behalf.

2.2 Subject Matter and Duration. The subject matter of the Processing is Customer's use of the Services under the Agreement. The duration of the Processing is the term of the Agreement, plus any period following termination during which Roomvu retains Customer Personal Data under Section 10 (Deletion and Return) or as required by applicable law.

2.3 Nature and Purpose. Roomvu will Process Customer Personal Data to provide, operate, maintain, secure, and improve the Services in accordance with Customer's documented instructions (including the Agreement and this DPA), and as otherwise required or permitted by Applicable Data Protection Law.

2.4 Categories of Data Subjects. Customer Personal Data relates to the following categories of Data Subjects: (a) Customer's employees, contractors, representatives, and administrators; (b) Customer's leads, prospects, clients, and customers (including real estate buyers, sellers, renters, and prospects); (c) Recipients of Customer's communications and marketing content; and (d) Any other Data Subjects whose Personal Data Customer submits to the Services.

2.5 Categories of Personal Data. Customer Personal Data may include the following categories: (a) Identification and contact information (name, email, phone number, postal address); (b) Professional information (title, brokerage, license number, team affiliation); (c) Lead and transaction data (property interests, listing preferences, inquiry history, open house sign-ins, CRM exports); (d) Account credentials and authentication data; (e) User-generated content (photographs, video, audio recordings, written content); (f) Biometric-adjacent data used to generate AI avatars and voice clones, where Customer is the individual depicted (processed under the ToS with Customer's consent as the Data Subject); (g) Device and usage data (IP address, browser type, session logs, analytics events); and (h) Any other Personal Data Customer elects to submit through the Services.

2.6 Prohibited Data. Customer will not submit to the Services any Personal Data that constitutes: (a) government-issued identification numbers except where expressly supported by a Service feature (e.g., realtor license numbers); (b) financial account numbers or payment card data (other than payment information submitted directly to Roomvu's payment processors for Customer's own subscription); (c) health or medical information; (d) data concerning minors under the age of 18; (e) data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for unique identification of a person other than the Customer, or data concerning sex life or sexual orientation; or (f) data relating to criminal convictions or offenses. If Customer submits such data, Customer does so at its own risk and Roomvu has no liability for such Processing.

3. Customer Obligations and Warranties

3.1 Lawful Basis and Notice. Customer represents and warrants that: (a) it has established and will maintain a valid lawful basis under Applicable Data Protection Law for all Processing it instructs Roomvu to perform, including for any Processing that results in communications or Synthetic Outputs directed at Data Subjects; (b) it has provided all required notices and obtained all required consents from Data Subjects (including consent to receive marketing communications, SMS messages, automated outreach, and AI-generated content where required); (c) it has the right to disclose Customer Personal Data to Roomvu for Processing under this DPA; and (d) its instructions to Roomvu comply with Applicable Data Protection Law.

3.2 AI Avatar and Voice Clone Consent. Without limiting Section 3.1, Customer warrants that it has obtained all consents required under Applicable Data Protection Law and any applicable right of publicity, image-rights, or biometric-data law (including the Illinois Biometric Information Privacy Act, the Tennessee ELVIS Act, California Civil Code § 3344, and the EU AI Act) before creating any AI avatar, voice clone, or Synthetic Output, and that the individual depicted or voiced in any such Output has consented in accordance with the Roomvu Terms of Service.

3.3 No Sensitive Data Outside Scope. Customer will not instruct Roomvu to Process Personal Data in a manner that would cause Roomvu to become subject to legal requirements (including sectoral requirements such as HIPAA, GLBA, or PCI-DSS) that Roomvu has not expressly agreed to undertake under the Agreement.

3.4 Responsibility for Authorized Users. Customer is responsible for the acts and omissions of all persons who access the Services using Customer's credentials or on Customer's behalf, including employees, contractors, assistants, brokerage staff, and any other Authorized Users as defined in the Terms of Service.

4. Roomvu's Processing Obligations

4.1 Processing on Documented Instructions. Roomvu will Process Customer Personal Data only in accordance with Customer's documented instructions as set out in the Agreement and this DPA, and as reasonably necessary to provide the Services, unless required otherwise by applicable law. Where applicable law requires Processing other than on Customer's instructions, Roomvu will inform Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

4.2 Compliance with Law. Roomvu will comply with Applicable Data Protection Law in its capacity as Processor. Roomvu will promptly notify Customer if, in Roomvu's opinion, an instruction from Customer infringes Applicable Data Protection Law.

4.3 Confidentiality. Roomvu will ensure that all personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or statutory obligations of confidentiality and have received appropriate data protection training.

4.4 No Sale, No Share, No Independent Use. Roomvu will not: (a) sell or share (as those terms are defined in CCPA/CPRA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside the direct business relationship between Roomvu and Customer, except as permitted under CCPA/CPRA § 1798.140(j) or Applicable Data Protection Law; (c) retain, use, or disclose Customer Personal Data for any purpose other than the specific purposes set forth in the Agreement and this DPA; or (d) combine Customer Personal Data with Personal Data from other sources for purposes other than providing the Services, except as permitted under Applicable Data Protection Law. Roomvu certifies that it understands and will comply with these restrictions.

4.5 No AI Training on Customer Personal Data. Roomvu will not use Customer Personal Data, or any outputs derived from Customer Personal Data, to train, fine-tune, or improve any artificial intelligence or machine learning model, except with Customer's separate express written opt-in. This restriction flows down to all Subprocessors, and Roomvu will select and configure AI Provider Subprocessors to ensure that inputs submitted through Roomvu's integration are excluded from such training, where commercially available.

5. Security of Processing

5.1 Technical and Organizational Measures. Roomvu will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the Processing, including as set forth in Schedule 2 (Security Measures). These measures take into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects.

5.2 Updates. Roomvu may update its security measures from time to time, provided that any such update does not materially diminish the overall level of security.

5.3 Access Controls. Roomvu will limit access to Customer Personal Data to personnel who require access to perform their duties, and will enforce access controls, multi-factor authentication for administrative access, and logging of access to production systems.

6. Subprocessors

6.1 General Authorization. Customer grants Roomvu general authorization to engage Subprocessors to Process Customer Personal Data in connection with the Services. A current list of Subprocessors is maintained at https://www.roomvu.com/subprocessors (the "Subprocessor List") and is incorporated into this DPA by reference.

6.2 Subprocessor Flowdown. Roomvu will impose on each Subprocessor, by written contract, data protection obligations substantially equivalent to those set out in this DPA. Roomvu will remain liable to Customer for the performance of each Subprocessor's obligations to the same extent Roomvu would be liable if performing the Processing directly, subject to any limitation of liability set out in the Agreement.

6.3 Notification of New Subprocessors. Roomvu will provide Customer with at least thirty (30) days' advance notice of any new Subprocessor by updating the Subprocessor List and, where Customer has subscribed to a notification mechanism published on the Subprocessor List page, sending email notice to the address Customer has provided. Customer may subscribe to such notifications at any time.

6.4 Right to Object. Customer may object in writing to a new Subprocessor on reasonable data protection grounds within fifteen (15) days of notice, delivered to privacy@roomvu.com. If Customer so objects, Roomvu will use reasonable efforts to make available a commercially reasonable alternative. If no such alternative can be made available, Customer may, as its sole and exclusive remedy, terminate the affected Service(s) by providing written notice, and Roomvu will refund any prepaid fees for the unused portion of the current term of the affected Service(s).

7. International and Cross-Border Transfers

7.1 Transfer Locations. Customer acknowledges that Roomvu is headquartered in Canada and may Process Customer Personal Data in Canada, the United States, the European Economic Area, the United Kingdom, and other jurisdictions where Roomvu or its Subprocessors maintain facilities.

7.2 Adequacy and Transfer Mechanisms. Where required by Applicable Data Protection Law, Roomvu will ensure that transfers of Customer Personal Data outside the jurisdiction of origin are subject to an appropriate transfer mechanism, including: (a) Canada's status as recognized by the European Commission as providing adequate protection for Personal Data transferred from the EEA under Commission Decision 2002/2/EC; (b) the Standard Contractual Clauses referenced in Section 7.3 where adequacy does not otherwise apply; or (c) any other mechanism recognized under Applicable Data Protection Law.

7.3 Standard Contractual Clauses. To the extent Customer Personal Data is transferred from the EEA, United Kingdom, or Switzerland to a country not recognized as providing adequate protection, the parties are deemed to have entered into the applicable SCCs, which are incorporated into this DPA by reference.

8. Data Subject Rights

8.1 Assistance. Taking into account the nature of the Processing, Roomvu will provide reasonable assistance to Customer, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.

8.2 Direct Requests to Roomvu. If Roomvu receives a request from a Data Subject relating to Customer Personal Data, Roomvu will not respond directly (except to confirm that the request has been received and will be forwarded), will promptly inform Customer of the request, and will forward the request to Customer for handling, unless Roomvu is required by applicable law to respond directly.

8.3 Self-Service Tools. Roomvu may make available self-service tools within the Services to enable Customer to respond to Data Subject requests directly.

9. Personal Data Breach Notification

9.1 Notification to Customer. Roomvu will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 Rolling Updates. Where information is not available at the time of initial notification, Roomvu will provide such information in subsequent updates as it becomes available.

9.3 Cooperation. Roomvu will cooperate with Customer and provide reasonable assistance in Customer's investigation, remediation, and notification obligations under Applicable Data Protection Law.

9.4 No Admission. Roomvu's notification of, or response to, a Personal Data Breach will not be construed as an acknowledgment by Roomvu of any fault or liability.

10. Deletion and Return of Customer Personal Data

10.1 On Termination. Upon termination or expiration of the Agreement, Roomvu will, at Customer's election (communicated in writing within thirty (30) days of termination), delete or return all Customer Personal Data in Roomvu's possession or control.

10.2 Permitted Retention. Roomvu may retain Customer Personal Data to the extent required by applicable law, for the establishment, exercise, or defense of legal claims, or in backup systems pending their scheduled deletion cycle.

10.3 Deletion Timelines for AI Likeness Data. For data used to generate AI avatars and voice clones, deletion timelines under the Terms of Service apply in addition to this Section.

11. Audits and Compliance Demonstration

11.1 Information. Roomvu will make available to Customer, upon reasonable request, information reasonably necessary to demonstrate compliance with this DPA.

11.2 Audits. Where Customer's reasonable information needs cannot be satisfied by the materials provided, Customer (or an independent auditor mandated by Customer and subject to appropriate confidentiality obligations) may audit Roomvu's compliance with this DPA.

11.3 Regulator Audits. Nothing in this DPA limits Customer's right, or any Supervisory Authority's right, to conduct audits required by Applicable Data Protection Law.

12. Liability

12.1 Incorporation of Agreement Limits. Each party's liability arising out of or relating to this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

12.2 Non-Waiver. Nothing in this DPA limits either party's liability to Data Subjects under Applicable Data Protection Law, or to a Supervisory Authority in respect of fines imposed directly on that party.

13. General

13.1 Order of Precedence. In the event of any conflict between the Agreement and this DPA, this DPA controls solely with respect to the Processing of Personal Data.

13.2 Updates. Roomvu may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Subprocessor arrangements, or Service features.

13.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will continue in full force and effect.

13.4 Governing Law. Except as otherwise set out in the SCCs, this DPA is governed by the governing law and dispute resolution provisions of the Agreement.

13.5 Notices to Roomvu. Notices under this DPA to Roomvu must be sent to privacy@roomvu.com, with a copy to:

Roomview Technologies Inc.
226-970 Burrard Street
Vancouver, BC V6Z 0C5, Canada
Attention: Privacy Officer

Schedule 1: Details of Processing (SCC Annex I)

A. List of Parties

Data Exporter: The Customer identified in the Agreement, acting as Controller (or, where applicable, Processor) of Customer Personal Data.

Data Importer: Roomview Technologies Inc., operating as "Roomvu," a British Columbia corporation, acting as Processor (or, where applicable, Subprocessor).

Contact: privacy@roomvu.com

Address: 226-970 Burrard Street, Vancouver, BC V6Z 0C5, Canada.

B. Description of Transfer

Categories of Data Subjects: As set out in Section 2.4 of the DPA.

Categories of Personal Data: As set out in Section 2.5 of the DPA.

Sensitive Data: None, except where Customer submits such data in breach of Section 2.6.

Frequency of Transfer: Continuous, for the duration of Customer's use of the Services.

Nature of Processing: Hosting, storage, transmission, analysis, generation of AI outputs, automated publication to Connected Channels, security monitoring, and related operations necessary to provide the Services.

Purpose of Transfer and Processing: Provision of the Services as described in the Agreement.

Retention Period: Duration of the Agreement, plus any period permitted or required under Section 10 of the DPA.

Subprocessors: As set out in the Subprocessor List at https://www.roomvu.com/subprocessors.

C. Competent Supervisory Authority

For EU transfers: the supervisory authority of the EU Member State in which the Customer's representative is established, or where the majority of Data Subjects are located, in accordance with Clause 13 of the EU SCCs.

For UK transfers: the UK Information Commissioner's Office.

For Canada: the Office of the Privacy Commissioner of Canada and any applicable provincial privacy commissioner.

Schedule 2: Technical and Organizational Security Measures (SCC Annex II)

Roomvu implements and maintains the following technical and organizational measures to protect Customer Personal Data. Roomvu may update these measures from time to time, provided that the overall level of security is not materially diminished.

1. Organizational Measures

* Designated Privacy Officer responsible for data protection compliance.
* Written information security policies, reviewed at least annually.
* Mandatory security and privacy training for all personnel upon hire and at least annually thereafter.
* Written confidentiality obligations binding on all personnel and contractors with access to Customer Personal Data.
* Background checks on personnel with access to production systems, as permitted by applicable law.
* Vendor risk assessment process for onboarding Subprocessors, including review of security practices and execution of written data protection terms.

2. Access Controls

* Role-based access control (RBAC) for administrative access to production systems and Customer data.
* Multi-factor authentication required for administrative access.
* Unique user credentials; no shared accounts for privileged access.
* Access reviewed on a periodic basis and revoked promptly upon personnel departure or role change.
* Session logging and audit trails for administrative actions on production systems.

3. Encryption and Transmission

* Encryption in transit using TLS 1.2 or higher for all network communications between Customer, Roomvu services, and Subprocessors.
* Encryption at rest for Customer Personal Data stored in Roomvu's production databases and object storage.
* Cryptographic keys managed through the cloud provider's key management service with restricted access.

4. Infrastructure and Network Security

* Production systems hosted in SOC 2 Type II and ISO 27001 certified cloud environments.
* Network segmentation between production, staging, and corporate environments.
* Firewall rules restricting inbound and outbound traffic to the minimum necessary.
* DDoS protection at the network edge.
* Vulnerability scanning on a recurring schedule and prior to material releases.

5. Application Security

* Secure software development lifecycle, including code review and automated security testing.
* Dependency scanning for known vulnerabilities.
* Penetration testing conducted at least annually.
* Separation of production and non-production data; Customer Personal Data is not used in non-production environments without Customer consent.

6. Incident Response

* Documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.
* 24/7 monitoring of production systems for security events.
* Defined breach notification procedures consistent with Section 9 of the DPA.
* Periodic tabletop exercises to test incident response readiness.

7. Business Continuity

* Automated backups of production databases with defined recovery point and recovery time objectives.
* Backups encrypted at rest and stored in geographically separate facilities.
* Disaster recovery procedures documented and tested on a periodic basis.

8. Physical Security

* Production infrastructure hosted in cloud data centers with physical access controls managed by the cloud provider (including biometric access, surveillance, and 24/7 guarding).
* Corporate facilities protected by badge access and visitor registration.

9. Data Minimization and Integrity

* Collection and retention limited to what is necessary to provide the Services.
* Data integrity checks in storage and transmission.
* Defined deletion processes consistent with Section 10 of the DPA.

Schedule 3: Initial Subprocessor List

The current, authoritative Subprocessor List is maintained at https://www.roomvu.com/subprocessors. The following is the initial list as of the Effective Date of this DPA.

| Subprocessor | Service Provided | Location of Processing |
| --- | --- | --- |
| [Cloud hosting provider - e.g., AWS / Google Cloud / Azure] | Cloud infrastructure, compute, storage, networking | [Region - e.g., US / Canada] |
| ElevenLabs, Inc. | Voice isolation and audio processing | United States |
| OpenAI, L.L.C. | Large language model inference for content generation | United States |
| Anthropic, PBC | Large language model inference for content generation | United States |
| Google LLC | Large language model inference and related AI services | United States |
| [AI voice/avatar cloning providers currently in rotation] | Voice cloning and avatar generation | [To confirm] |
| [Email/SMS provider - e.g., SendGrid, Twilio] | Transactional and marketing email and SMS | United States |
| [Payment processor - e.g., Stripe] | Subscription billing and payment processing | United States |
| [Analytics provider - e.g., Google Analytics, Mixpanel] | Product analytics and usage measurement | United States |
| [CRM/Support tool - e.g., Zoho Desk] | Customer support ticketing and communication | [Region - e.g., Canada] |

Bracketed entries [ ] must be populated by Roomvu before publication. The list above reflects Subprocessors identified as of drafting and must be reconciled with Roomvu's actual production environment prior to publication. Customer should consult the live Subprocessor List URL for the authoritative current list.

--- End of Data Processing Addendum ---