Data Processing Addendum (DPA)
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the master subscription/services/license agreement, order form, or other written agreement between Customer and SupplyMover governing Customer’s use of the Service (the “Agreement”). Capitalized terms not defined in this DPA have the meaning given in the Agreement.
Last Updated: September 16, 2025
Contact for privacy/security: info@supplymover.com
Mailing address: SupplyMover, 37000 Grand River Ave Ste 300, Farmington Hills, MI 48335
1. Definitions
- Applicable Data Protection Laws: All laws/regulations applicable to each party’s processing of Personal Data under the Agreement, including as applicable: U.S. state privacy laws (e.g., CCPA/CPRA, Colorado, Connecticut, Virginia, Utah) and Canadian privacy law (e.g., PIPEDA), each as amended and including implementing regulations.
- Customer: The entity identified as customer in the Agreement.
- Customer Data: Personal Data submitted to or collected by the Service by or on behalf of Customer and processed by SupplyMover on Customer’s behalf to provide the Service.
- Data Subject Request (DSR): A request to exercise rights under Applicable Data Protection Laws (e.g., access, deletion, correction, portability, opt-out).
- Personal Data (or personal information): Information relating to an identified or identifiable natural person, including Sensitive Personal Information (e.g., precise geolocation).
- Security Incident: A breach of SupplyMover’s security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data transmitted, stored, or otherwise processed by SupplyMover. Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Data (e.g., pings, port scans, unsuccessful login attempts, or DDoS without data access).
- Service: SupplyMover’s hosted CRM/ERP platform and related support services as defined in the Agreement.
- Sub-processor: Any third party engaged by SupplyMover to process Customer Data to support the Service.
2. Roles; scope; instructions
2.1 Roles. As between the parties, Customer is a controller/business and SupplyMover is a processor/service provider with respect to Customer Data processed under the Agreement. For SupplyMover’s own operations data (e.g., billing, marketing), SupplyMover acts as a controller/business.
2.2 Scope and purpose. SupplyMover will process Customer Data solely: (a) to provide, maintain, and secure the Service; (b) to prevent, detect, and remediate fraud, abuse, or security risks; (c) to provide technical support; and (d) as otherwise set forth in the Agreement and Customer’s documented instructions.
2.3 Instructions. Customer instructs SupplyMover to process Customer Data as necessary to provide the Service. Additional or conflicting instructions must be agreed in writing. Customer is responsible for its configuration of the Service, for the accuracy of Customer Data, and for providing required notices and obtaining any necessary consents.
2.4 Service-provider restrictions (CCPA/CPRA). SupplyMover will not sell or share Customer Data (as defined by CCPA/CPRA). SupplyMover will not retain, use, or disclose Customer Data for any purpose other than the business purposes specified in the Agreement or as otherwise permitted by law, and will not combine Customer Data with personal information from other sources except as permitted (e.g., to detect security incidents or protect against illegal activity).
3. Confidentiality and personnel
SupplyMover ensures persons authorized to process Customer Data are subject to confidentiality obligations (via employment agreements/policies), receive appropriate privacy/security training, and access Customer Data only as necessary (least privilege).
4. Security
4.1 Security measures. SupplyMover implements and maintains appropriate technical/organizational measures designed to protect Customer Data as described in Annex II (Technical and Organizational Measures), including: encryption in transit/at rest; secure credential storage (hashing); role-based access control and MFA for privileged access; logging/monitoring; backups/DR; vulnerability management and patching; annual penetration testing; and employee security awareness.
4.2 Customer responsibilities. Customer secures its account credentials, configures the Service (including role-based access within Customer’s tenant), and is responsible for its own systems/networks used to access the Service.
5. Security Incidents
SupplyMover will notify Customer within 72 hours after confirming a Security Incident involving Customer Data. The notice will describe, to the extent known: nature of the incident; categories/approximate volume of affected data subjects and records; likely consequences; and measures taken/proposed to address it. Notification is not an admission of fault. SupplyMover will take appropriate steps to contain, investigate, and remediate and will keep Customer reasonably informed.
6. Sub-processors
6.1 Use of sub-processors. Customer authorizes SupplyMover to engage Sub-processors to support the Service. SupplyMover imposes obligations on Sub-processors that are no less protective than those in this DPA and remains responsible for their performance.
6.2 Information and notice. A current list of Sub-processors is set out in Annex III (Sub-processors) and is also available upon request at info@supplymover.com. SupplyMover will provide at least 30 days’ prior notice of any addition or replacement of a Sub-processor (email, in-product, or website notice).
6.3 Objections. Customer acknowledges and agrees that no objection right applies. If Customer has concerns, the parties will discuss commercially reasonable alternatives; any termination rights are as set forth in the Agreement.
7. Assistance; Data Subject Requests
7.1 Cooperation. Taking into account the nature of processing, SupplyMover will assist Customer with reasonable technical/organizational measures to fulfill Customer’s obligations to respond to DSRs, regulator inquiries, and privacy-impact assessments or prior consultations, without undue delay and, where legally required, within 30 days.
7.2 Requests received by SupplyMover. If SupplyMover receives a DSR or privacy inquiry that identifies Customer, SupplyMover will promptly forward it to Customer and will not respond except to confirm receipt and direct the requester to Customer, unless legally required.
7.3 Deletion requests. Upon Customer’s documented instruction to delete Customer Data (including in response to a data subject request), Workd will log and track the request, identify and flag Customer Data in scope, and delete or de-identify such Customer Data without undue delay, except to the extent retention is required by law or for the establishment, exercise, or defense of legal claims. Any retained copies are restricted to those purposes and placed beyond use until purged in accordance with Workd’s retention schedule.
8. Return and deletion of Customer Data
8.1 During term. Throughout the term, Customer may export Customer Data using the Service’s available tools or by written request to SupplyMover.
8.2 Termination. Upon termination or expiration of the Agreement, SupplyMover will make Customer Data available for 30 days for Customer to export. After that window, SupplyMover will permanently delete Customer Data from active systems and apply deletion to backups in the ordinary course of business. If Customer requests custom extraction or migration assistance beyond self-service export, such services may be provided under a Statement of Work pursuant to the Agreement’s transition services provisions and at the then-current rates. SupplyMover may retain copies as required by law/regulation or for the establishment, exercise, or defense of legal claims, subject to continued confidentiality and security.
Secure disposal. Deletion is performed in a manner designed to prevent loss, theft, misuse, or unauthorized access (e.g., cryptographic erasure for encrypted storage, logical deletion with suppression, and backup expiry/rotation). Deletions to active systems are applied to backups in the ordinary course of business.
9. International transfers
Customer Data is primarily hosted in the United States. If SupplyMover later transfers Customer Data internationally, it will implement appropriate safeguards (e.g., standard contractual clauses) where required by law. If SCCs are required for a specific Customer, the parties may execute them via a separate annex/addendum referencing this DPA.
10. Audits and information rights
10.1 Reports and responses. Upon written request, SupplyMover will provide its most recent SOC 2 report, third-party security assessments (if available), and responses to reasonable security questionnaires, subject to confidentiality.
10.2 Audit. Customer may conduct an audit as required by law or after a material Security Incident impacting Customer Data, upon at least 30 days’ prior written notice, during normal business hours, and without unreasonable disruption. Audits may include review of SupplyMover policies, certificates, and independent audit reports. Any on-site audit is at Customer’s expense and subject to reasonable confidentiality, safety, and scope limitations. Audit frequency is limited to once in any 12-month period unless required by a regulator or following a material Security Incident.
11. Customer obligations
Customer will: (a) ensure it has a lawful basis and provides required notices for processing Customer Data in the Service; (b) not submit children’s data to the Service; (c) avoid storing full payment card numbers, bank account numbers with security codes/passwords, government IDs, or other highly sensitive data in free-text fields; (d) configure role-based access and retention settings appropriate to its use; and (e) instruct users to avoid including Sensitive Personal Information in free-text fields unless necessary and authorized.
12. Retention
Unless otherwise agreed in writing or required by law: (a) Customer controls retention of Customer Data in its tenant; (b) visit-tracking geolocation logs are retained for up to 2 years by default unless Customer requests earlier deletion; and (c) SupplyMover applies deletion or de-identification when data is no longer needed for the purposes permitted by this DPA.
13. Miscellaneous
13.1 Order of precedence. In case of conflict between this DPA and the Agreement regarding data protection, this DPA controls. Otherwise, the Agreement governs.
13.2 Liability. Each party’s liability under this DPA is subject to the limitations/exclusions of liability set out in the Agreement.
13.3 Governing law. The governing law and venue are as stated in the Agreement. (Your MSLA states Michigan law and venue in Oakland County / E.D. Mich.)
13.4 Changes. SupplyMover may update this DPA to reflect legal or operational changes, with notice to Customer where changes are material.
14. Notices
Notices under this DPA are provided pursuant to the Notices section of the Agreement. For SupplyMover, a copy may be sent to info@supplymover.com (in addition to any formal notice addresses). Security Incident notifications will be sent to the contact(s) Customer designates in the Agreement or in the Service’s admin console.
Annex I — Details of Processing
Subject matter: Processing of Customer Data in connection with provision of the Service.
Duration: For the term of the Agreement and the 30-day export window following termination; limited archival as required by law.
Nature and purpose: Hosting, storage, retrieval, transmission, analysis, and other processing of Customer Data as necessary to provide and secure the Service; support; maintenance; incident prevention/response.
Types/categories of Customer Data: Identifiers (name, business contact details, IP, device IDs); professional information (employer, title/role); commercial data (orders, subscriptions, payment status metadata); internet/electronic activity (logs, events, pages viewed); precise geolocation (when the customer enables visit tracking); and other data that Customer or its users input (e.g., notes, attachments). Special/sensitive data is not required for use of the Service but may be present incidentally in free-text fields per Customer’s instructions.
Categories of data subjects: Customer’s users; Customer’s prospects, leads, contacts, and business partners whose information Customer manages in the Service.
Customer obligations: Provide required notices; obtain consents where needed; configure the Service; and avoid prohibited data as set forth in Section 11.
Annex II — Technical and Organizational Measures (TOMs)
- Governance & risk management: Policies and standards; risk assessments; roles/responsibilities; vendor risk management.
- Access control: Role-based access; least privilege; MFA for administrative access; strong password policies; timely provisioning/deprovisioning; periodic access reviews.
- Encryption & key management: TLS in transit; encryption at rest for applicable data stores; secure key management.
- Identity & authentication: Secure credential storage (password hashing); session management; brute-force protection.
- Logging & monitoring: Logs for authentication, admin actions, and data export events; centralized log management; alerting and review.
- Application & infrastructure security: SDLC with code review; dependency management; secrets management; change management; hardened configurations; network segmentation; firewalls/WAF as applicable.
- Vulnerability management: Regular vulnerability scanning; patch management; remediation based on risk; annual penetration testing with remediation tracking.
- Business continuity & disaster recovery: Backups; recovery objectives; periodic testing; provider resilience.
- Data protection & retention: Data classification/minimization; retention schedules; secure deletion; pseudonymization/aggregation where appropriate.
- Secure disposal program: Documented retention/destruction schedules; logging and ticketing of deletion requests; suppression of retained records; cryptographic erasure and media sanitization; backup lifecycle management to ensure eventual purge.
- Incident response: Plan covering detection, containment, eradication, recovery, and post-incident reviews; customer notification as set forth in this DPA.
- Personnel security & training: Background checks as permitted by law; confidentiality via employment agreements; onboarding and periodic security/privacy training; acceptable use policy.
- Physical & environmental security: Use of reputable hosting providers with industry-standard physical security controls.
Annex III — Sub-processors
Current Sub-processors (last updated: September 16, 2025)
Sub-processor | Service | Purpose (Function) | Typical data processed | Primary processing location(s) |
---|---|---|---|---|
Amazon Web Services, Inc. (AWS) | Cloud hosting (compute, storage, networking; managed services) | Host and operate the Service; backups/DR; logging/monitoring | Customer Data (as configured by Customer); account identifiers; usage/log data; support metadata | United States (primary AWS regions used by SupplyMover) |
Twilio Inc. | SMS/MMS, telephony/voice | Deliver product notifications and communications (where enabled) | Phone numbers; message/call metadata; message content where applicable | United States |
Elastic (Elasticsearch) | Search and indexing (managed Elastic Cloud or self-managed) | Index and retrieve Customer Data for search features; logging/metrics | Indexed documents/fields selected by Customer; search logs/metrics | United States |
OpenAI, L.L.C. | Generative AI API | Optional AI functionality in product workflows (e.g., text generation/assistance) | Prompts/inputs and generated outputs; limited request metadata | United States |
Anthropic PBC | Generative AI API | Optional AI functionality in product workflows | Prompts/inputs and generated outputs; limited request metadata | United States |
ElevenLabs, Inc. | Speech services (text-to-speech) | Synthesize speech from text (where enabled) | Text prompts; synthesized audio files; limited metadata | United States |
Deepgram, Inc. | Speech services (speech-to-text) | Transcribe audio to text (where enabled) | Audio provided by Customer; transcripts; limited metadata | United States |
Authorize.Net (a Visa Solution) | Payment processing gateway (merchant services) | Process payments via tokens; billing and fraud prevention (where enabled) | Limited billing metadata (e.g., last-4, token, status); transaction identifiers; no full card/ACH credentials | United States |
RingCentral, Inc. | Cloud telephony/VoIP services | Provide business phone/SMS communications and call routing (where enabled) | Phone numbers; message/call metadata; optional voicemail/transcript content where enabled | United States |
Notes: (a) Use of AI and speech providers is feature-dependent and initiated by Customer; (b) SupplyMover configures providers to disable training on Customer Data where provider controls exist; and (c) processing locations reflect the provider’s primary U.S. regions as used by SupplyMover and may evolve. SupplyMover will provide at least 30 days’ prior notice of additions or replacements to this list as set forth in Section 6.2.