Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Concert Capital Management, LLC ("Processor", "Service Provider", "intake.link", or "Company") and the entity that creates an account and uses the Service ("Controller", "Business", or "Tenant").

This DPA applies to the processing of Tenant Data (including End Client Personal Information) by intake.link on behalf of Tenant in connection with the Service.

If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to data protection obligations.

Capitalized terms not defined in this DPA have the meanings in the Terms of Service and Privacy Policy. In addition:

• "Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Processor" means the entity that processes Personal Data on behalf of a Controller.
• "Business", "Service Provider", "Personal Information", "Sell", "Share" have the meanings set forth in the CCPA/CPRA, where applicable.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Subprocessor" means a third party engaged by Processor to process Personal Data on Processor's behalf.

Processor will:

• process Tenant Data only on documented instructions from Tenant (including configurations and use of the Service)
• ensure authorized personnel are subject to confidentiality obligations
• implement commercially reasonable security measures designed to protect Tenant Data
• assist Tenant with data subject requests as described in Section 8, considering the nature of processing
• notify Tenant of a Personal Data breach affecting Tenant Data without undue delay as described in Section 9
• upon termination, delete or return Tenant Data as described in Section 10, subject to lawful retention

Tenant will:

• ensure a lawful basis for processing and sharing Tenant Data with Processor
• provide required notices and obtain required consents from End Clients
• ensure forms, disclosures, and communications comply with applicable law and professional obligations
• not upload or process PHI requiring HIPAA compliance
• implement appropriate access controls, policies, and security measures for users and connected systems
• respond to End Client requests as Controller/Business

The Service is hosted in the United States. If GDPR/UK GDPR applies and Personal Data is transferred internationally, Processor will implement appropriate safeguards, which may include Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms, as applicable.

Tenant is responsible for responding to End Client requests. Processor will provide commercially reasonable assistance to Tenant to respond to data subject requests, taking into account the nature of processing and the information available to Processor.

• enabling export or deletion features where available
• providing Tenant reasonable access to Tenant Data for retrieval, correction, or deletion
• responding to Tenant's written request for assistance where required by applicable law

If Processor receives a request directly from an End Client relating to Tenant Data, Processor will, where legally permitted, direct the request to Tenant.

Processor will notify Tenant without undue delay after becoming aware of a Personal Data breach affecting Tenant Data and will provide information reasonably necessary for Tenant to meet its breach notification obligations.

Processor's notice may include:

• a description of the incident
• categories of data involved (if known)
• mitigation steps taken or planned
• recommended actions for Tenant (if applicable)

Upon termination of the Service or at Tenant's written request, Processor will, within commercially reasonable timeframes, make Tenant Data available for export (if requested within the retention window) and delete Tenant Data, subject to lawful retention requirements and legitimate needs (security, fraud prevention, dispute resolution).

Some deletion may be subject to technical limitations and backup systems where deletion is not immediately feasible. Any retained data will remain protected under this DPA.

Processor maintains a security program aligned to the Security Policy and commercially reasonable practices. Key measures include:

• TLS/SSL encryption in transit
• encryption at rest where supported by vendors
• access controls and least-privilege practices
• logging and monitoring for security and reliability
• incident response practices

Tenant acknowledges no security measure guarantees absolute security.

Tenant may request reasonable information necessary to demonstrate Processor's compliance with this DPA. If Tenant requires an audit due to legal obligations, the parties will cooperate in good faith to agree on scope, timing, confidentiality safeguards, and cost allocation.

Processor may satisfy audit requests by providing third-party attestations, security documentation, or summaries where appropriate, and may decline requests that are excessively burdensome or compromise security.

Where CCPA/CPRA applies, the parties agree:

• Processor acts as a Service Provider with respect to Tenant Data
• Processor will not Sell Tenant Data
• Processor will not retain, use, or disclose Tenant Data for purposes other than providing the Service, except as permitted by law
• Processor will not combine Tenant Data with data from other sources except as permitted by law, including for security, fraud prevention, and internal analytics to improve the Service consistent with law

This DPA is subject to the limitations of liability, disclaimers, and other risk allocation terms in the Terms of Service, unless a written order form expressly states otherwise.

If there is a conflict between:

• this DPA and the Terms of Service, this DPA controls for data protection obligations
• this DPA and any SCCs or other transfer mechanism, the transfer mechanism controls for international transfer matters

Questions about this DPA or data processing: inbox@intake.link