Data Processing Addendum

This Data Processing Addendum ("Addendum" or "DPA") forms part of the Terms and Conditions ("Agreement") between Seygov, a product of Nassau Technologies LLC ("Seygov," "we," "us," or "our"), and the subscribing government agency or organization ("Subscriber," "you," or "your"). This Addendum governs the processing of Subscriber Data through the Seygov platform and related services ("Services") and applies when Seygov processes personal information on behalf of the Subscriber in connection with the delivery of the Services.

1. Introduction and Purpose

Seygov provides web-hosted, deployable application solutions designed for public sector use. In the course of providing the Services, Seygov may process personal information submitted by Subscribers, their authorized users, and members of the public who interact with Subscriber-deployed applications. This Addendum establishes the rights and obligations of the parties with respect to such processing and is intended to ensure that personal information is handled in a manner consistent with applicable law and the expectations of the parties.

2. Definitions

  • "Subscriber Data" means all personal data, content, or information submitted by the Subscriber, its authorized users, or members of the public through Subscriber-deployed applications, or otherwise generated through the Subscriber's use of the Services, including but not limited to intake records, form submissions, uploaded documents, user account information, and system-generated metadata.
  • "Processing" has the meaning set forth in applicable data protection law and includes any operation or set of operations performed on personal data, including collection, storage, use, disclosure, transmission, or deletion.
  • "Controller" means the entity that determines the purposes and means of Processing personal data.
  • "Processor" means the entity that Processes personal data on behalf of the Controller.
  • "Subprocessor" means any third party engaged by Seygov to Process Subscriber Data in connection with the delivery of the Services.
  • "Personal Information" means any information that identifies, relates to, or could reasonably be linked to an identified or identifiable natural person, as defined under applicable law.

3. Roles of the Parties

  • The Subscriber acts as the Controller with respect to Subscriber Data, including all personal information collected from members of the public through Subscriber-deployed applications.
  • Seygov acts as the Processor, processing Subscriber Data solely as directed by the Subscriber and as necessary to provide the Services.
  • Each party shall comply with its respective obligations under applicable federal, state, and local data protection laws.
  • Where members of the public submit personal information through a Subscriber-deployed application, the Subscriber — as Controller — is solely responsible for all legal obligations with respect to that data, including required notices, disclosures, consent mechanisms, and data subject rights fulfillment. Seygov's role is limited to processing such data on the Subscriber's behalf as a Processor.

4. Scope and Purpose of Processing

Seygov shall process Subscriber Data solely for the following purposes:

  • To provide, operate, maintain, and support the Services as described in the Agreement;
  • To store and manage intake records, form submissions, and uploaded documents submitted through Subscriber-deployed applications;
  • To facilitate administrative functions including status management, notifications, reporting, and data export;
  • To provide customer support and address technical issues reported by the Subscriber;
  • To maintain platform security, integrity, and operational continuity;
  • To comply with applicable law or valid legal process.

Seygov shall not:

  • Sell, rent, trade, or disclose Subscriber Data to any third party for marketing, advertising, or any commercial purpose;
  • Retain, use, or disclose Subscriber Data for any purpose other than providing the Services as described in this Addendum and the Agreement;
  • Combine Subscriber Data with data from other sources for purposes unrelated to the delivery of the Services.

5. Subscriber Responsibilities as Controller

As Controller, the Subscriber is solely responsible for:

  • Ensuring that all Subscriber Data processed through the Services is collected, used, and disclosed in accordance with applicable law, including all required legal bases, authorizations, and consents;
  • Providing all required privacy notices and disclosures to members of the public prior to collecting their personal information through Subscriber-deployed applications;
  • Configuring deployed applications in a manner that limits the collection of personal information to what is necessary for the Subscriber's stated purposes;
  • Responding to all data subject requests from members of the public, including access, correction, and deletion requests;
  • Ensuring that Subscriber-deployed applications comply with all applicable accessibility, privacy, public records, and government data requirements;
  • Complying with all applicable federal, state, and local laws governing the collection and processing of personal information, including but not limited to the New York SHIELD Act and applicable U.S. federal data protection laws;
  • Ensuring that all authorized users of the Services within the Subscriber's organization comply with the Agreement and this Addendum.

6. Security Measures

Seygov shall implement and maintain administrative, technical, and physical safeguards appropriate to the nature and sensitivity of Subscriber Data, including but not limited to:

  • Encryption of data in transit using HTTPS/TLS (TLS 1.2 or higher);
  • Encrypted storage of database backups;
  • Secure hashing of user passwords — passwords are never stored in plaintext;
  • Role-based access controls enforced through the platform's user group and permissions system;
  • Private, access-controlled storage for all uploaded documents and files, served exclusively through authenticated controller routes;
  • CSRF token protection on all form submissions;
  • Bot verification on public-facing application submission forms;
  • API authentication via scoped bearer tokens;
  • Web application firewall and intrusion-prevention controls at the server level;
  • IP address logging on all public-facing form submissions for security and audit purposes;
  • Secure software development practices aligned with OWASP Top 10 guidance;
  • Regular patching and vulnerability management for operating systems, server software, and application dependencies.

7. Subprocessors

The Subscriber acknowledges and authorizes Seygov to engage Subprocessors to support the delivery of the Services. Current Subprocessors include:

  • Stripe, Inc. — for subscription payment processing;
  • U.S.-based hosting providers — for server infrastructure, storage, and related services.

Seygov shall provide Subscribers with reasonable notice of any material changes to its Subprocessor arrangements. Seygov shall impose data protection obligations on all Subprocessors consistent with those set forth in this Addendum and shall remain responsible for the performance of Subprocessors to the extent required by applicable law.

8. Data Retention and Deletion

  • Active Accounts: Subscriber Data is retained for as long as the Subscriber's account remains active and for a reasonable period following account termination to facilitate data retrieval, subject to Seygov's operational and legal requirements.
  • Termination: Following account termination, Seygov may permanently delete Subscriber Data after a reasonable retention period at Seygov's sole discretion and without further notice. SEYGOV MAKES NO GUARANTEE REGARDING THE AVAILABILITY OF SUBSCRIBER DATA FOLLOWING ACCOUNT TERMINATION.
  • Deletion Requests: Subscribers may request deletion of specific Subscriber Data by contacting Seygov through the methods provided on the Seygov website. Seygov will make reasonable efforts to fulfill deletion requests but is not obligated to fulfill requests where retention is required by applicable law or is necessary for legitimate operational purposes.
  • Backups: Encrypted backups are performed on Seygov's own schedule for internal operational purposes only. Backups are not guaranteed to be available, current, or restorable on demand. Subscribers are solely responsible for independently exporting and archiving their own Subscriber Data on a regular basis.
  • Subscriber Responsibility: Seygov strongly recommends that all Subscribers regularly export and independently archive their Subscriber Data using the export tools available within the platform. Seygov shall not be liable for any data loss arising from a Subscriber's failure to maintain independent backups.

9. Breach Notification

In the event of a confirmed security breach affecting Subscriber Data within Seygov's own systems, Seygov shall notify affected Subscribers without undue delay and in accordance with applicable law. Breach notifications shall include, to the extent known at the time of notification:

  • The nature and scope of the breach;
  • The categories of Subscriber Data potentially affected;
  • The remedial actions taken or planned by Seygov;
  • Recommended steps Subscribers may take to mitigate potential harm to affected individuals.

Seygov's breach notification obligations are limited to confirmed breaches of Seygov's own systems and infrastructure. Seygov is not responsible for breaches arising from Subscriber-controlled systems, third-party integrations configured by the Subscriber, compromised Subscriber credentials, or any other cause outside of Seygov's direct control.

10. Law Enforcement and Government Requests

Seygov will not disclose Subscriber Data to law enforcement agencies, government authorities, or other third parties except as required by applicable law, valid legal process, or court order. Where legally permitted and practicable, Seygov shall promptly notify the Subscriber of any such request prior to disclosure so that the Subscriber may seek appropriate legal relief. Seygov shall not be liable for any disclosure of Subscriber Data made in good faith compliance with applicable law or valid legal process.

11. Data Subject Rights

To the extent that members of the public who have submitted information through a Subscriber-deployed application assert data subject rights — including but not limited to rights of access, correction, deletion, or objection — such requests shall be directed to and handled exclusively by the Subscriber as Controller. Seygov, as Processor, will cooperate with Subscribers in responding to verified data subject requests to the extent technically feasible and required by applicable law. Seygov is not obligated to respond directly to data subject requests from members of the public and assumes no responsibility for the Subscriber's fulfillment of such requests.

12. Force Majeure

Seygov shall not be liable for any failure or delay in processing or protecting Subscriber Data caused by events beyond Seygov's reasonable control, including but not limited to acts of God, natural disasters, pandemics, war, terrorism, civil unrest, government actions or regulations, power outages, internet or telecommunications failures, cyberattacks, zero-day vulnerabilities, denial-of-service attacks, or other malicious third-party actions beyond Seygov's reasonable ability to prevent or mitigate.

13. Governing Law and Jurisdiction

This Addendum shall be governed by and construed in accordance with the laws of the United States and the laws of the state in which Nassau Technologies LLC is incorporated, without regard to conflict-of-law principles. Any disputes arising out of or relating to this Addendum shall be subject to the arbitration and dispute resolution provisions set forth in Seygov's Terms and Conditions.

14. Entire Agreement

This Addendum, together with Seygov's Terms and Conditions, Privacy Policy, and Security & Compliance Statement, constitutes the entire agreement between the parties with respect to the processing of Subscriber Data. This Addendum supersedes all prior discussions, negotiations, representations, or agreements, whether oral or written, concerning its subject matter. In the event of any conflict between this Addendum and the Terms and Conditions, the terms of this Addendum shall govern with respect to data processing matters.