This Data Processing Addendum (this "DPA") supplements the Agreement, Order Form, Terms of Service, Master Services Agreement, Statement of Work, or other written agreement (the "Agreement") entered into between Customer and Cornerstone Strategy LLC (doing business as Route X; "Route X," "we," or "us"), and applies when Customer accesses or uses Route X's website, web application, services, features, integrations, and related tools (collectively, the "Services").
This DPA applies when Route X processes Customer Personal Data on behalf of Customer and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA shall prevail, except as provided in Section 21 (Order of Precedence).
1. Introduction
This DPA supplements the Agreement between Customer and Route X. It applies when Route X processes Customer Personal Data on behalf of Customer in connection with providing the Services.
Route X is a service provided by Cornerstone Strategy LLC — an all-in-one coaching management SaaS designed for individual coaches, clients, coaching firms, Organization Admins, affiliated coaches, corporate participants, and other authorized users.
This DPA forms part of the Agreement. If Customer agrees to the Agreement, Order Form, or a written contract that references or incorporates this DPA, Customer is bound by the terms of this DPA. This DPA sets out the parties' agreement regarding the processing of Customer Personal Data and is intended to support compliance with Applicable Data Protection Laws.
2. Definitions
Terms used in this DPA but not defined herein shall have the meanings given in the Agreement. In this DPA, the following terms have the following meanings.
- "Applicable Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Customer Personal Data under this DPA, including where applicable: the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), Japan's Act on the Protection of Personal Information ("APPI"), the California Consumer Privacy Act and California Privacy Rights Act ("California privacy laws"), and other applicable privacy and data protection laws.
- "Controller" means a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing Personal Data, or the equivalent role under Applicable Data Protection Laws (including, where applicable, a "business" under California privacy laws).
- "Processor" means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of a Controller, or the equivalent role under Applicable Data Protection Laws (including, where applicable, a "service provider" or "contractor" under California privacy laws).
- "Customer Personal Data" means Personal Data submitted, uploaded, stored, or otherwise made available to the Services by Customer, Customer's authorized users, or Customer's representatives, which Route X processes on behalf of Customer.
- "Personal Data" means information relating to an identified or identifiable individual, or other information that constitutes "personal data," "personal information," or equivalent terms under Applicable Data Protection Laws.
- "Processing" or "Process" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure, transmission, alteration, deletion, or destruction.
- "Services" has the meaning given in the Agreement and refers collectively to Route X's website, web application, features, integrations, and related tools provided by Route X.
- "Subprocessor" means a third party engaged by Route X to process Customer Personal Data on behalf of Route X in connection with the Services.
- "Security Incident" means a confirmed security breach of Customer Personal Data processed by Route X that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Security Incident does not include unsuccessful attempts or activities such as failed login attempts, pings, port scans, denial-of-service attacks, or similar events that do not compromise the security of Customer Personal Data.
- "Data Subject" means an identified or identifiable individual to whom Personal Data relates.
- "Agreement" means the agreement, Order Form, Terms of Service, Master Services Agreement, Statement of Work, or other written contract entered into between Customer and Route X under which Customer accesses or uses the Services.
- "Customer" means the entity identified in the applicable Agreement or Order Form, including coaching firms, organizations, other legal entities or businesses, and, where applicable, individual users acting for business purposes.
- "Route X" means Cornerstone Strategy LLC (doing business as Route X).
3. Roles of the Parties
Under this DPA, to the extent Applicable Data Protection Laws apply, Customer is generally the Controller of Customer Personal Data, and Route X is a Processor processing Customer Personal Data on behalf of Customer. Where Customer acts as a processor for another controller, Customer warrants that it has authority to instruct Route X under this DPA. Different roles may apply in specific circumstances as required by Applicable Data Protection Laws or unless otherwise stated in a written agreement.
Customer determines the purposes and means of processing Customer Personal Data. Customer is responsible for determining what Personal Data to submit to the Services, which users to grant access, and how to configure and use the Services.
Route X processes Customer Personal Data on behalf of Customer in accordance with this DPA, the Agreement, Customer's documented instructions, and Applicable Data Protection Laws.
If Route X determines that a Customer instruction violates Applicable Data Protection Laws, Route X will notify Customer to that effect, unless prohibited by law. Route X has no obligation to monitor Customer's compliance with Applicable Data Protection Laws and may suspend the relevant processing until such instruction is corrected or confirmed.
4. Customer Instructions
Customer instructs Route X to process Customer Personal Data for the following purposes:
- Providing, operating, maintaining, securing, and supporting the Services
- User registration, authentication, account management, and role-based access controls
- Client and contact management
- Coaching session management (including session booking, session logs, and related records)
- Goal management
- Action item management
- Reflection logs and growth records
- Scheduling, booking, calendar availability, meeting link generation, and external integrations
- Billing, subscriptions, payments, and related administrative functions
- Customer support, troubleshooting, maintenance, security, and service-related communications
- Fulfilling obligations under the Agreement, Applicable Data Protection Laws, and Customer's documented instructions
Customer's instructions consist of the Agreement, this DPA, the Order Form, Customer's configuration of the Services, Customer's use of the Services, and any additional written instructions agreed by the parties. Customer may provide additional documented instructions consistent with the Services and Applicable Data Protection Laws. Route X may charge a reasonable fee for instructions that materially exceed the standard features of the Services, unless otherwise required by law.
5. Processing Details
The subject matter, duration, nature and purposes of processing, categories of Data Subjects, and categories of Customer Personal Data processed under this DPA are set out in Exhibit A (Processing Details).
The Services are not designed to collect or store highly sensitive information, medical records, psychotherapy records, legal records, tax records, financial advice records, or emergency response records, except where Route X explicitly supports this and Customer is authorized to submit such data under the Agreement.
Customer is responsible for determining whether the Services are appropriate for the type and category of Personal Data Customer chooses to submit. Customer must not submit Personal Data for which the Services are not designed or suited.
6. Route X Processing Obligations
Route X shall:
- Process Customer Personal Data only in accordance with Customer's documented instructions, this DPA, the Agreement, and Applicable Data Protection Laws (unless otherwise required by the law to which Route X is subject)
- Impose appropriate confidentiality obligations on personnel authorized to process Customer Personal Data
- Implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data (as further described in Section 9 (Security Measures) and Exhibit B (Security Measures))
- Reasonably assist Customer in fulfilling Customer's obligations under Applicable Data Protection Laws, taking into account the nature of the processing and information available to Route X
- Provide Customer with reasonable assistance in responding to Data Subject Requests in accordance with Section 12
- Notify Customer of Security Incidents in accordance with Section 14
- Use Subprocessors only in accordance with this DPA and as set out in Section 10
- Delete or return Customer Personal Data upon termination or expiration of the Services in accordance with Section 15
7. Customer Responsibilities
Customer is responsible for:
- Complying with Applicable Data Protection Laws in connection with its use of the Services
- Obtaining the notices, consents, permissions, authorizations, and legal bases necessary for Route X to process Customer Personal Data in the manner contemplated by the Agreement and this DPA
- Having the right to provide Customer Personal Data to Route X for the purposes contemplated in the Agreement
- Appropriately configuring the Services for Customer's use case
- Managing user access, roles, permissions, invitations, and account lifecycle within the Services
- Ensuring authorized users comply with the Agreement and applicable Route X policies, including the Acceptable Use Policy
- Not submitting data prohibited by the Agreement or inappropriate for the Services
- Responding to Data Subject Requests addressable using the features of the Services
- Maintaining accurate billing, account, and organizational information
- Where Customer is a coaching firm or organization, managing access for firm administrators, affiliated coaches, organization administrators, clients, participants, employees, contractors, and invited users in accordance with Customer's internal policies, applicable law, and contractual obligations
8. Confidentiality
Route X shall impose appropriate confidentiality obligations on personnel authorized to process Customer Personal Data through employment agreements, services agreements, internal policies, or other legally binding means.
Route X limits access to Customer Personal Data to personnel who require access to provide, protect, support, and improve the Services, or for other purposes permitted under the Agreement.
9. Security Measures
Route X implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons.
Route X's security measures include, as applicable, where available, where implemented, or where supported by infrastructure:
- HTTPS / TLS encryption in transit
- Infrastructure-level encryption at rest where supported
- Access controls and authentication requirements
- Role-based permissions
- Administrative access controls and least-privilege practices
- Credential and secret management practices
- Protection of OAuth tokens and integration credentials
- Logging and monitoring of security-relevant events where available
- Backup and recovery practices where applicable
- Secure development practices
- Controls on file storage and access permissions where file upload or storage is used
Details of Route X's security measures are set out in Exhibit B (Security Measures) and the Security Overview. Route X may update the security measures from time to time during the term of the Agreement, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.
No service can eliminate security risk entirely. The measures described in this DPA are designed to reduce, not eliminate, security risks.
10. Subprocessors
Customer hereby generally authorizes Route X to use Subprocessors for the provision of the Services. Route X shall impose data protection obligations on Subprocessors by written contract that are substantially equivalent to those in this DPA, taking into account the nature of the services provided by the Subprocessor.
Route X shall be liable for the performance by Subprocessors of their obligations regarding Customer Personal Data to the extent required by Applicable Data Protection Laws.
Route X may maintain or make available a current Subprocessor List at a public URL or upon request. Initial categories of Subprocessors are set out in Exhibit C (Subprocessor Categories).
Route X shall provide notice of material changes to Subprocessors as required by Applicable Data Protection Laws or the Agreement. Customer may object to a new Subprocessor on reasonable data protection grounds within the period specified by Route X (or, if no period is specified, within a reasonable time after notice). The parties shall work in good faith to resolve such objections. If the parties are unable to resolve an objection, Customer may, as Customer's sole remedy and subject to the Agreement, terminate the affected portion of the Services.
11. International Data Transfers
Customer acknowledges that Route X and Subprocessors may process Customer Personal Data in the United States and other countries where Route X or Subprocessors operate. Customer Personal Data may be transferred across borders to enable the provision of the Services.
Where Applicable Data Protection Laws require a lawful transfer mechanism, Route X shall use appropriate transfer mechanisms as applicable, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, adequacy decisions, or other approved transfer mechanisms.
Where required, the parties shall enter into or incorporate by reference the relevant Standard Contractual Clauses or other transfer provisions. Customer authorizes Route X, where permitted by Applicable Data Protection Laws, to enter into Standard Contractual Clauses or equivalent transfer provisions with Subprocessors on Customer's behalf.
12. Data Subject Requests
Route X shall reasonably assist Customer in responding to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws with respect to Customer Personal Data ("Data Subject Requests"), through appropriate technical and organizational measures, taking into account the nature of the processing and to the extent technically feasible and legally required.
If Route X receives a Data Subject Request directly from a Data Subject regarding Customer Personal Data, Route X may direct the Data Subject to Customer or forward the request to Customer, unless Applicable Data Protection Laws require Route X to respond directly.
Customer is primarily responsible for responding to Data Subject Requests to the extent addressable through the features of the Services (for example, accessing, exporting, correcting, or deleting Customer Personal Data using available tools).
13. Compliance Assistance
Route X shall provide Customer with reasonable assistance regarding Customer's obligations in relation to the following, taking into account the nature of the processing and information available to Route X:
- Security of processing
- Personal data breach notification
- Data protection impact assessments
- Prior consultation with supervisory authorities where required
- Data Subject Requests
- Other relevant obligations under Applicable Data Protection Laws
Route X may charge a reasonable fee for assistance that materially exceeds standard support, except where such assistance is required due to a breach of this DPA by Route X.
14. Security Incidents
Route X shall notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data.
Such notification shall include, to the extent reasonably available to Route X at the time of notification:
- The nature of the Security Incident
- The categories of Customer Personal Data affected or potentially affected
- The categories of Data Subjects affected or potentially affected
- Measures taken or proposed to address the Security Incident, including, where appropriate, measures to mitigate possible adverse effects
- Measures Customer may take to mitigate potential adverse effects
Route X may provide additional information as it becomes available. Notification or response to a Security Incident does not constitute an admission of fault or liability by Route X.
Customer is responsible for determining whether notification to Data Subjects, regulatory authorities, customers, employees, participants, or other third parties is required, unless Route X is directly required to provide such notification by law.
15. Customer Personal Data Deletion or Return
Upon termination or expiration of the Agreement, Route X shall delete or return Customer Personal Data in accordance with the Agreement, Customer's documented instructions, and Applicable Data Protection Laws.
Customer may export Customer Personal Data using available Service features prior to termination or expiration, to the extent supported by the Services. If Customer wishes to retain a copy, Customer is responsible for appropriately exporting or backing up Customer Personal Data prior to termination or expiration.
Notwithstanding the foregoing, Route X may retain Customer Personal Data as required or permitted by law for billing, legal, compliance, security, backup, audit, dispute resolution, or other legitimate business purposes. Backup copies of Customer Personal Data may persist for a period in accordance with Route X's backup and retention practices, and will be overwritten or deleted in the ordinary course of those practices.
16. Audit and Information Rights
Route X shall provide Customer with information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and legal constraints.
Customer may request information about Route X's security measures, Subprocessors, and data handling practices. Route X may respond by providing documentation, the Security Overview, certification reports where available, responses to security questionnaires, or other relevant information.
Where Applicable Data Protection Laws or contractual obligations require an on-site or other audit, such audit shall:
- Be limited to information reasonably necessary to demonstrate compliance with this DPA
- Be conducted during normal business hours
- Be conducted upon reasonable prior written notice
- Be conducted in a manner that does not unduly disrupt Route X's business operations
- Not compromise the security, confidentiality, or availability of Route X's systems, other customers' data, or third-party information
Route X may refuse or limit audit requests that are excessive, duplicative, unreasonable, or that create security or confidentiality risks. The parties shall discuss in good faith any specific concerns regarding compliance with this DPA. Reasonable fees may be charged for audits requested beyond those required by Applicable Data Protection Laws.
17. Customer Data Ownership
As between the parties, Customer retains all rights, title, and interest in and to Customer Personal Data, subject to licenses granted under the Agreement. Route X does not acquire any ownership of Customer Personal Data under this DPA or the Agreement.
Route X processes Customer Personal Data only in accordance with this DPA, the Agreement, Customer's documented instructions, and Applicable Data Protection Laws.
18. Use of Anonymized/Aggregated Data
Route X may process de-identified, aggregated, or anonymized data derived from use of the Services (limited to data that does not identify and cannot reasonably identify Customer, Customer's authorized users, or individual Data Subjects) for purposes such as security, analytics, service improvement, reliability, performance monitoring, and product development.
Route X will not use identifiable Coaching Content for AI model training without the explicit authorization of Customer or the relevant user, except as required or permitted by the Agreement, the Privacy Policy, or Applicable Data Protection Laws.
19. Regulated and Sensitive Data
Route X is a coaching management platform. The Services are not designed to function as a system of record for medical, psychotherapy, legal, tax, financial, emergency response, or other regulated professional services, except as expressly agreed in writing.
Customer must not submit regulated or highly sensitive data to the Services unless all of the following conditions are met:
- Customer has the necessary rights, consents, notices, authorizations, and legal bases
- The submission of such data is permitted under the Agreement
- The Services are appropriate for such data
- Route X has explicitly agreed in writing where required
Sensitive data may include categories of data that receive heightened legal protection under Applicable Data Protection Laws or other applicable law, such as health information, mental health information, biometric data, government-issued identification numbers, financial account information, trade secrets, employment records, and similar categories.
20. Third-Party Integrations
The Services may allow Customer or authorized users to connect calendar providers, video meeting providers, payment processors, email tools, storage providers, and other external integrations.
Customer is responsible for ensuring that Customer and its authorized users have the right to connect third-party accounts and process data through such integrations. Customer is also responsible for obtaining any required consent from individuals whose data may be accessed through such connections.
Route X processes data received from third-party integrations only to the extent necessary to provide the connected features of the Services, such as availability calculation, calendar event creation or update, meeting link generation, billing event processing, and related workflows.
Route X is not responsible for third-party services not under Route X's control. Such third-party services may process data in accordance with their own terms, privacy policies, security practices, and data processing terms. Customer is encouraged to review the policies of relevant third-party providers as part of Customer's own assessment.
21. Order of Precedence
In the event of any conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA shall prevail.
In the event of any conflict between this DPA and any applicable Standard Contractual Clauses or other mandatory transfer provisions under Applicable Data Protection Laws, such clauses or transfer provisions shall prevail to the extent of the conflict.
In the event of any conflict between this DPA and a separate written agreement between Customer and Route X that specifically addresses the processing of Customer Personal Data, that separate written agreement shall prevail to the extent of the conflict.
22. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except to the extent prohibited by Applicable Data Protection Laws.
Nothing in this DPA shall limit either party's liability to the extent that such limitation is prohibited by Applicable Data Protection Laws.
23. DPA Changes
Route X may update this DPA from time to time to reflect changes to the Services, Applicable Data Protection Laws, Subprocessors, security practices, or business operations.
Where Route X makes a material change that materially reduces Customer's rights or Route X's obligations regarding Customer Personal Data, Route X shall provide Customer with reasonable notice by email, in-app notice, website notice, customer account notice, or other reasonable means.
If Customer continues to use the Services after the effective date of an updated DPA, Customer is deemed to have accepted the updated DPA, unless otherwise required by Applicable Data Protection Laws or a separate written agreement between the parties.
24. Contact
For questions or notices regarding this DPA, please contact:
Exhibit A: Processing Details
1. Subject Matter
Route X processes Customer Personal Data to provide a coaching management SaaS for individual coaches, coaching firms, organizations, clients, participants, and related users.
2. Duration
Customer Personal Data is processed for the duration of the Agreement and for the period necessary for legal, billing, security, backup, audit, compliance, dispute resolution, and other legitimate business purposes.
3. Nature of Processing
Processing operations include the following where applicable:
- collection
- recording
- organization
- structuring
- storage
- retrieval
- consultation
- display
- transmission
- modification
- deletion
- export
- access control
- analysis for operational and security purposes
- support and troubleshooting
4. Purposes of Processing
Customer Personal Data is processed for the following purposes where applicable:
- User registration and account management
- Authentication and authorization
- Client and contact management
- Coaching session scheduling and booking
- Session logs and coaching records
- Goal management
- Action item tracking
- Reflection and growth record management
- Organization and membership management
- Role-based permissions
- Calendar and meeting integrations
- Billing and subscription management
- Customer support
- Security, fraud prevention, monitoring, and audit
- Service maintenance and improvement
5. Data Subjects Categories
Customer Personal Data may relate to the following categories of Data Subjects where applicable:
- Individual coaches
- Affiliated coaches
- Coaching firm administrators
- Organization administrators
- Clients
- Corporate participants
- Customer employees or contractors
- Invited users
- Billing contacts
- Support contacts
- Other individuals whose information is submitted to the Service by Customer or its authorized users
6. Customer Personal Data Categories
Customer Personal Data may include the following where applicable:
- Name
- Email address
- Phone number if provided
- Organization or company name
- Role, title, user type
- Account credentials or authentication identifiers
- Profile information
- Coaching relationship information
- Client records
- Session dates/times, notes, logs, and related metadata
- Goals, action items, reflections, and growth records
- Booking and scheduling information
- Timezone and availability information
- Calendar integration metadata
- Meeting integration metadata
- Billing identifiers, plan information, and subscription status
- Support communications
- Uploaded files or shared materials where applicable
- Audit and security logs
- Integration tokens or identifiers where applicable
7. Special Categories or Sensitive Data
The Services are not designed to collect or store special categories of Personal Data or highly sensitive data, except where explicitly supported by the Services and agreed in writing. However, coaching-related materials entered by Customer or its users may contain sensitive or confidential information. Customer is responsible for ensuring that any sensitive data submitted to the Services is lawful, appropriate, authorized, and in compliance with the Agreement and Applicable Data Protection Laws.
8. Frequency
Processing occurs continuously or as needed during Customer's use of the Service.
Exhibit B: Security Measures
This Exhibit describes the technical and organizational measures Route X implements or is in the process of implementing to protect Customer Personal Data, as applicable, where available, where implemented, or where supported by infrastructure. Route X may update these measures from time to time during the term of the Agreement, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.
1. Access Control
- Authentication required for protected Service areas
- Role-based access controls
- Restricted administrative access
- User access restricted by account, role, organization, or authorization level
- Account suspension, expiry, or blocking where applicable
2. Authentication and Session Security
- Login and session management controls
- Password reset and account recovery controls where available
- Token handling controls
- Logout and session invalidation where applicable
- Protection against unauthorized access to protected routes and APIs
3. Data Protection
- HTTPS / TLS encryption in transit
- Infrastructure-level encryption at rest where supported
- Reasonable protections for personal data, coaching data, billing identifiers, and integration data
- Data minimization practices
- Limiting access to personnel with appropriate business need
4. Integration Security
- OAuth-based authorization flows where supported
- Controls designed to prevent OAuth access or refresh tokens from appearing in frontend URLs, browser history, or client-side logs
- Token storage protection
- Documented OAuth scopes and callback configuration where applicable
- Integration disconnect or reconnect flows where applicable
5. Payment Security
- Payment processing through third-party payment processors such as Stripe
- Route X does not store full payment card numbers
- Billing portal or payment processor tools may be used for managing subscriptions, invoices, and payment methods
- Webhook validation and subscription status synchronization where applicable
6. File and Storage Security
- Access restrictions on uploaded or shared files
- Private storage configuration where applicable
- Controlled access methods such as signed URLs where implemented
- Least-privilege access to storage systems where applicable
- Upload limits or content restrictions where applicable
7. Logging and Monitoring
- Security-relevant logs where available
- Administrative action logs where available
- Logs of organization, role, subscription, and user status changes where available
- Error and performance logs for reliability and support
- Monitoring designed to detect suspicious activity where implemented
8. Secure Development
- Secret and credential management practices
- Environment variable management
- Removal or avoidance of real credentials in sample configuration files
- Code review or development review practices
- Dependency management
- DTO validation, input validation, API error handling practices
- Pre-release testing for critical workflows
9. Incident Response
- Assessment of suspected Security Incident events
- Containment and investigation
- Recovery measures
- Notification as required by applicable law or contractual obligations
- Post-incident improvements where appropriate
Exhibit C: Subprocessor Categories
To support the provision of the Services, Route X may use the following categories of Subprocessors, as applicable. Specific providers within each category may change over time, and not all categories are used for all Customers or features.
| Category | Purpose | Examples |
|---|---|---|
| Hosting / Infrastructure | Hosting, compute, networking, deployment | AWS, Vercel, Render, or similar |
| Database | Managed database hosting and storage | MongoDB Atlas or similar |
| File Storage | Uploaded files, shared materials, storage infrastructure | AWS S3 or similar |
| Payment Processing | Checkout, subscriptions, billing portal, payment methods, invoices | Stripe |
| Calendar Integrations | Availability, scheduling, calendar event creation or update | Google, Microsoft |
| Video Meeting Integrations | Meeting link creation and video meeting workflows | Zoom, Google Meet, Microsoft Teams if enabled |
| Email / Communications | OTP, password reset, booking confirmations, reminders, support email | SendGrid, Mailgun, Mailjet, AWS SES, or similar |
| Analytics | Product or website analytics if enabled | Google Analytics or similar |
| Customer Support | Support communications and ticket handling if enabled | Featurebase or similar |
| Security / Monitoring | Logging, error tracking, security monitoring if enabled | Sentry or similar |
Route X aims to separately maintain and update the current Subprocessor List as providers are added, changed, or removed.
Exhibit D: Jurisdiction Supplements
1. GDPR / UK GDPR
Where GDPR or UK GDPR applies to the processing of Customer Personal Data, the parties intend that this DPA satisfies the requirements of a processor contract under Article 28 of the GDPR (and corresponding provisions of UK GDPR), including obligations regarding:
- Processing only in accordance with the Controller's documented instructions
- Confidentiality obligations for personnel authorized to process Personal Data
- Appropriate technical and organizational security measures
- Use of Subprocessors
- Assistance with Data Subject Requests
- Assistance with security, breach notification, data protection impact assessments, and prior consultation
- Deletion or return of Personal Data and provision of information necessary to demonstrate compliance
Where Customer Personal Data is transferred to a country outside the European Economic Area, United Kingdom, or Switzerland that does not provide an adequate level of data protection, the parties shall use Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or other lawful transfer mechanisms as applicable.
2. Japan APPI
Where Japan's Act on the Protection of Personal Information ("APPI") applies, Customer is responsible for establishing a lawful basis for providing Personal Data to Route X, giving required notices under APPI, and obtaining necessary consent.
Route X shall process Customer Personal Data in accordance with this DPA and implement appropriate security measures commensurate with the nature of the processing.
Where APPI cross-border transfer requirements apply, Customer is responsible for determining whether additional notices, consents, contractual measures, or other transfer mechanisms are required, unless Route X expressly assumes such responsibility in a written agreement.
3. California Privacy Laws
Where California privacy laws apply and Route X processes Customer Personal Data as Customer's "service provider" or "contractor," the following applies:
- Route X shall process Customer Personal Data only for the business purposes set out in the Agreement and this DPA.
- Route X shall not "sell" or "share" Customer Personal Data for cross-context behavioral advertising unless explicitly authorized by Customer and permitted by Applicable Data Protection Laws.
- Route X shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer, except as permitted by Applicable Data Protection Laws and the Agreement.
Exhibit E: Customer Instructions and Configuration Responsibilities
Customer is responsible for appropriately configuring and using the Services. Customer's responsibilities include, where applicable:
- Assigning appropriate user roles
- Removing users who no longer need access
- Reviewing organization administrator and firm administrator permissions
- Managing invitations for clients, participants, coaches, and members
- Connecting only third-party accounts to which Customer has authorization
- Obtaining consent for calendar, meeting, file, and data sharing where required
- Not submitting highly sensitive data that is not necessary for use of the Services
- Exporting data prior to cancellation or expiration if Customer wishes to retain a copy
- Responding to Data Subject Requests within the scope Customer can address through the Service's features
Route X is not responsible for acts, omissions, or configuration choices by Customer, its administrators, or its authorized users that result in unintended data processing, access, or disclosure within the Services.