This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Terms and Conditions, Merchant Services Agreement, CRM Services Agreement, and any other applicable agreements (collectively, the “Agreement”) between United Software Developers Inc., DBA USD GoPay (“Company,” “Processor,” “we,” “us”) and the customer or merchant (“Customer,” “Controller”).

This DPA governs the processing of Personal Data by the Company on behalf of Customer in connection with the Services. It is intended to meet the requirements of applicable data protection laws, including (where applicable) the General Data Protection Regulation (“GDPR”), UK GDPR, and similar laws.

If there is a conflict between this DPA and the Agreement with respect to data protection, this DPA controls.

1. Historical Services and Policy Updates

The Company has provided software platforms, CRM systems, merchant technology, and related services for many years prior to the Effective Date of this DPA.

This DPA represents a consolidated and updated framework governing continued and future processing of Personal Data as of the Effective Date, regardless of when the Customer first began using the Services. Continued use of the Services on or after the Effective Date constitutes acceptance of this DPA.

2. Definitions

• “Personal Data” means information relating to an identified or identifiable natural person processed under the Agreement.
• “Processing” means any operation performed on Personal Data (e.g., collection, storage, transmission, display).
• “Controller” means the entity that determines the purposes and means of Processing.
• “Processor” means the entity that processes Personal Data on behalf of the Controller.
• “Subprocessor” means a third party engaged by the Processor to process Personal Data.
• “Platform” means the unified CRM environment accessible through BrokersOnTheGo.com and NYPassRater.com.
• “Services” means all software, platforms, applications, APIs, and tools provided by the Company, including:
  • WebDB
  • USD GoPay
  • USD GoSign
  • MVRNOW
  • Omitarisk
  • CRM and workflow tools
  • Messaging and SMS services
  • Document management and e-signature tools
  • Driving record and property data informational searches
  • Merchant services and payment-related technology
  • Custom development services

3. Roles of the Parties

Customer is the Controller of Personal Data.

Company acts as a Processor when processing Personal Data on Customer’s behalf through the Platform and Services.

For its own business operations (e.g., billing, fraud prevention, compliance), Company may act as an independent Controller, as described in the Privacy Policy.

4. Subject Matter, Duration, Nature, and Purpose of Processing

Subject Matter: Provision of CRM, merchant services, messaging, e-signature, search tools, and related software functionality.

Duration: The term of the Agreement and any legally required retention period.

Nature of Processing: Hosting, storage, transmission, display, token-based transaction facilitation, email-sending functionality, and support operations.

Purpose: To provide and support the Services in accordance with Customer’s instructions and the Agreement.

5. Categories of Data and Data Subjects

Data Subjects

May include Customer’s:

• Users
• Merchants
• Employees
• Contractors
• Customers
• End users

Personal Data

May include:

• Contact information
• Identifiers
• Business and operational data
• Uploaded documents
• Communications and messaging content
• CRM records

Payment Data Clarification

The Company may briefly receive payment card data solely to transmit it to a third-party payment gateway (e.g., TSYS) for tokenization. The Company:

• Does not store full card numbers
• Does not store CVV or sensitive authentication data
• Retains tokens only for permitted transaction use

6. Customer Obligations

Customer represents and warrants that it:

• Has all necessary rights and lawful bases to provide Personal Data
• Will process Personal Data in compliance with applicable laws
• Will not instruct the Company to process data unlawfully

7. Processor Obligations

The Company shall:

• Process Personal Data only on documented instructions from Customer
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Customer with data subject requests, security inquiries, and regulatory obligations
• Notify Customer of a Personal Data Breach without undue delay

8. Security Measures

The Company maintains commercially reasonable safeguards and is SOC 2 Certified, reflecting controls for:

• Security
• Availability
• Confidentiality

Measures include:

• Access controls
• Encryption in transit
• Monitoring and logging
• Incident response procedures
• Secure AWS cloud infrastructure

9. Subprocessors

Authorized Subprocessors

Customer authorizes the Company to engage Subprocessors, including:

• Amazon Web Services (AWS) – cloud hosting and infrastructure
• Amazon S3 – document storage
• AWS-certified managed IT provider – infrastructure administration
• Third-party payment processors (e.g., TSYS) – transaction processing
• Messaging and telecom providers – SMS delivery
• Email integration providers (Google/Microsoft OAuth) – sending emails on behalf of users

Subprocessor Changes

The Company may add or replace Subprocessors. Continued use of the Services after notice constitutes acceptance. Customer may object on reasonable data protection grounds.

10. International Data Transfers

Personal Data may be processed in the United States or other jurisdictions where Subprocessors operate.

Where required, transfers are supported by appropriate safeguards (e.g., standard contractual clauses).

11. Assistance with Data Subject Rights

The Company will provide reasonable assistance to enable Customer to respond to data subject requests under applicable law.

12. Deletion or Return of Data

Upon termination of the Agreement, the Company will, upon Customer’s request and subject to legal requirements, delete or return Personal Data within a reasonable period.

13. Audits

Upon reasonable notice and at Customer’s expense, the Company may provide relevant information or summaries necessary to demonstrate compliance, including SOC 2 reports or security documentation, subject to confidentiality.

14. CRM Email-Sending Functionality (Google & Microsoft OAuth)

When Customer uses the Platform’s email-sending features:

• The Company processes Personal Data only to send emails on Customer’s behalf
• The Company does not access or store inbox or sent-folder data
• The Company does not store attachments; they remain on the user’s email server
• If a user deletes an email or attachment from Gmail/Outlook, the CRM may still display the email history entry, but attachments will no longer be accessible

Customer acknowledges that:

• OAuth permissions are granted directly by users
• Users may revoke access at any time
• The Company does not control the availability of email provider services

15. Limitation of Liability

Any liability under this DPA is subject to the limitations and exclusions set forth in the Agreement. The Company’s total liability will not exceed the fees paid in the preceding twelve (12) months, to the extent permitted by law.

16. Governing Law

This DPA is governed by the laws specified in the Agreement (New York), without regard to conflict-of-law principles.