Data Processing Addendum

1. Background and Purpose

This Data Processing Addendum ("DPA") forms part of the BlackHyve Software Agreement ("Agreement") between BlackHyve Inc. ("BlackHyve") and the Customer identified in the applicable Sales Order Form. This DPA applies where BlackHyve processes Personal Data on behalf of Customer in connection with providing the Services.

The parties agree that this DPA reflects their agreement with respect to the processing of Personal Data and is incorporated into the Agreement by reference. In the event of a conflict between this DPA and the Agreement with respect to data processing matters, this DPA shall control.

2. Definitions

As used in this DPA:

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) where applicable, and any other applicable state, federal, or international data protection laws.

"Controller" means the entity that determines the purposes and means of processing Personal Data. Customer is the Controller of Customer Personal Data processed under this DPA.

"Customer Personal Data" means any Personal Data that BlackHyve processes on behalf of Customer as a Processor in the course of providing the Services.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, location data, and any other data that Customer submits to the Services.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, adaptation, retrieval, use, disclosure, or deletion.

"Processor" means the entity that processes Personal Data on behalf of the Controller. BlackHyve acts as a Processor with respect to Customer Personal Data.

"Security Incident" means any confirmed unauthorized access to, disclosure of, or loss of Customer Personal Data.

"Sub-processor" means any third party engaged by BlackHyve to assist in processing Customer Personal Data.

3. Roles and Responsibilities

3.1 Customer is the Controller and BlackHyve is the Processor of Customer Personal Data. BlackHyve will process Customer Personal Data only on documented instructions from Customer, including as set forth in this DPA and the Agreement.

3.2 Customer represents and warrants that it has all necessary rights, consents, and authority to provide Customer Personal Data to BlackHyve for processing under this DPA and the Agreement.

3.3 BlackHyve will not process Customer Personal Data for any purpose other than providing the Services as described in the Agreement, except as required by applicable law, or as permitted under Section 3.5 below.

3.4 BlackHyve will not sell Customer Personal Data to third parties or use it for advertising or marketing purposes.

3.5 Notwithstanding Section 3.3, BlackHyve may use Customer data in de-identified or aggregated form that does not identify Customer or any individual Data Subject for purposes including product improvement, industry benchmarking, and analytics. BlackHyve will not attempt to re-identify any individual from such aggregated or de-identified data.

4. Details of Processing

4.1 Subject Matter

BlackHyve processes Customer Personal Data as necessary to provide the construction operations and field accountability software services described in the Agreement.

4.2 Duration

BlackHyve will process Customer Personal Data for the duration of the Agreement and as required to fulfill any post-termination obligations, after which it will be deleted or returned per Section 9.

4.3 Nature and Purpose of Processing

Processing activities may include:

• Storing and organizing project data, workforce information, and field documentation submitted by Customer
• Providing access controls and user authentication
• Generating reports, analytics, and operational insights for Customer
• Supporting Customer's change order and cost recovery workflows
• Delivering customer support and technical assistance
• Maintaining system security, performance, and integrity

4.4 Categories of Personal Data

Depending on Customer's use of the Services, Customer Personal Data may include:

• Employee and subcontractor names, contact information, and job titles
• Work assignments, timekeeping records, and field activity logs
• Location data associated with field personnel or project sites
• User account credentials and access logs
• Any other Personal Data Customer chooses to input into the Services

4.5 Categories of Data Subjects

Data subjects may include Customer's employees, contractors, field personnel, project managers, and other individuals whose information Customer submits to the Services.

5. Security Measures

5.1 BlackHyve will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, at minimum:

• Encryption of data in transit using TLS and at rest using industry-standard encryption
• Access controls limiting data access to personnel with a business need
• Use of company-managed SaaS platforms (Google Workspace, and other approved systems) that maintain their own security programs
• Device encryption requirements for personnel with access to Customer Personal Data
• Incident detection and response procedures
• Security awareness training for employees during onboarding

5.2 BlackHyve will ensure that personnel authorized to process Customer Personal Data are subject to appropriate obligations of confidentiality.

5.3 BlackHyve will evaluate and update its security measures on an ongoing basis as part of its security program, including in connection with any applicable SOC 2 certification efforts.

6. Sub-processors

6.1 Customer provides general authorization for BlackHyve to engage Sub-processors to assist in providing the Services. For purposes of this Section, a Sub-processor is any third-party service that stores or processes Customer Personal Data — internal tooling, bug tracking, code repositories, and similar development tools that do not handle Customer Personal Data are not subject to this Section.

6.2 BlackHyve will ensure that Sub-processors that process Customer Personal Data are subject to data protection obligations consistent with applicable law. This obligation may be satisfied by a Sub-processor's standard data processing terms (such as AWS's Data Processing Addendum or Google's Data Processing Amendment), and does not require a separately negotiated agreement.

6.3 BlackHyve maintains a current, publicly accessible list of Sub-processors that process Customer Personal Data at its Trust Center, located at https://trust.blackhyve.com (the "Sub-processor List"). BlackHyve will keep the Sub-processor List updated as Sub-processors are added or removed. Customers are encouraged to check the Sub-processor List periodically. Customer may raise a reasonable data protection objection to a new Sub-processor by contacting BlackHyve in writing; the parties will work in good faith to resolve any such objection. BlackHyve is not required to delay use of a new Sub-processor pending resolution of an objection.

6.4 BlackHyve remains responsible for the acts and omissions of its Sub-processors with respect to Customer Personal Data to the same extent as if BlackHyve performed the processing directly.

7. Data Subject Rights

7.1 BlackHyve will provide Customer with reasonable assistance to enable Customer to fulfill its obligations to respond to Data Subject requests for access, correction, deletion, portability, or restriction of processing, to the extent BlackHyve has the technical capability to do so.

7.2 Where a Data Subject submits a request directly to BlackHyve, BlackHyve will promptly forward such request to Customer and will not respond to the Data Subject directly except as instructed by Customer or required by applicable law.

7.3 BlackHyve may charge a reasonable fee for technical assistance provided under this Section if such assistance requires significant effort.

8. Security Incident Notification

8.1 BlackHyve will notify Customer without undue delay, and in any event within seventy-two (72) hours of confirmation, after becoming aware of a Security Incident involving Customer Personal Data.

8.2 Such notification will include, to the extent available at the time of notification:

• A description of the nature of the Security Incident
• The categories and approximate number of Data Subjects and records involved
• The likely consequences of the Security Incident
• Measures taken or proposed to address the Security Incident

8.3 BlackHyve will cooperate with Customer and take reasonable steps to mitigate the effects and reduce the risk of harm from any Security Incident.

8.4 Notification of a Security Incident by BlackHyve does not constitute an acknowledgment by BlackHyve of fault or liability.

9. Data Retention and Deletion

9.1 BlackHyve will retain Customer Personal Data only for as long as necessary to provide the Services or as required by applicable law.

9.2 Upon expiration or termination of the Agreement, BlackHyve will, at Customer's election and within thirty (30) days of Customer's written request, either:

• Return Customer Personal Data to Customer in a mutually agreed-upon format, consistent with Section 11(e) of the Agreement; or
• Delete Customer Personal Data from BlackHyve's systems and provide written confirmation of such deletion.

9.3 Notwithstanding the foregoing, BlackHyve may retain Customer Personal Data to the extent required by applicable law, provided that BlackHyve continues to protect such data in accordance with this DPA.

10. Audit Rights

10.1 BlackHyve will make available to Customer, upon reasonable request, information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation, certifications (such as SOC 2 reports, when available), and responses to Customer security questionnaires.

10.2 Customer may request an audit of BlackHyve's data processing practices no more than once per calendar year, with reasonable advance notice of at least thirty (30) days. Any audit will be conducted in a manner that minimizes disruption to BlackHyve's operations and will be subject to reasonable confidentiality obligations. Customer will bear the cost of any third-party auditor engaged for this purpose.

11. International Data Transfers

11.1 BlackHyve processes Customer Personal Data in the United States. To the extent Customer Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland, any transfer to BlackHyve shall be subject to appropriate transfer mechanisms as required by applicable law.

11.2 The parties agree to cooperate in good faith to execute any additional agreements or mechanisms required to ensure lawful transfer of Personal Data across borders, including Standard Contractual Clauses where required.

12. California Consumer Privacy Act (CCPA)

12.1 To the extent the CCPA applies, BlackHyve acts as a "Service Provider" as defined under the CCPA and processes Customer Personal Data only for the business purposes described in this DPA and the Agreement.

12.2 BlackHyve will not sell or share Customer Personal Data (as those terms are defined under CCPA) or use it outside of the direct business relationship with Customer.

12.3 BlackHyve will comply with applicable provisions of the CCPA and will assist Customer in fulfilling its obligations to California residents.

13. Liability

13.1 Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA is intended to limit either party's liability to Data Subjects or applicable supervisory authorities under Applicable Data Protection Law.

14. Miscellaneous

14.1 This DPA is incorporated into and governed by the Agreement. Capitalized terms not defined herein have the meanings set forth in the Agreement.

14.2 In the event of any conflict between this DPA and the Agreement with respect to the subject matter of data processing, this DPA shall control.

14.3 If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.4 This DPA may be updated by BlackHyve from time to time to reflect changes in applicable law or BlackHyve's processing activities. BlackHyve will provide Customer at least thirty (30) days' notice of material changes.