Data Processing Addendum

Last Revised: August 14th, 2025

This Data Processing Addendum ("DPA") is incorporated into, and is subject to the terms and conditions of, the Terms of Service (the "Agreement") between Customer and Plutou, Inc. ("Company") (collectively, the "Parties"). Unless otherwise defined in this DPA, all capitalized terms will have the meaning given to them elsewhere in this DPA or the Agreement.

1. Definitions

In this DPA:

  • "Customer Personal Data" means Personal Data provided to Company in connection with the Plutou Platform by (i) Customer or (ii) Authorized Users.

  • "Data Protection Law" means all laws that apply to the Processing of Customer Personal Data under the Agreement, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, any binding regulations promulgated thereunder, and any other applicable U.S. state data privacy laws.

  • "Data Subject" means the individual to whom Customer Personal Data relates.

  • "Personal Data" has the meaning given to it in the Data Protection Law, and includes "Personal Data," "personally identifiable information," and equivalent terms as such terms may be defined by the Data Protection Law.

  • "Processing" (including its cognate "Process") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • "Security Incident" means a breach of Company's security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Customer Personal Data.

Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Customer's Instructions

Company will Process Customer Personal Data only in accordance with Customer's instructions. By entering into this DPA, Customer instructs Company to Process Customer Personal Data to provide the Plutou Platform pursuant to the Agreement, as further specified by Customer's use of the Plutou Platform.

3. Processing of Customer Personal Data

3.1 Role

Company serves as a service provider or processor, meaning that Company Processes Customer Personal Data at the direction of and on behalf of Customer. A description of Company's Processing of Customer Personal Data is set forth in Schedule 1 attached hereto.

3.2 Scope

The extent of Customer Personal Data Processed by Company is determined and controlled by Customer in its sole discretion and may include names, email addresses, and other Personal Data that Customer may upload to the Plutou Platform.

3.3 Compliance

Each party will comply with the obligations applicable to it under the Data Protection Law with respect to the Processing of Customer Personal Data. Customer represents and warrants that it has the necessary consent or other lawful basis to provide Customer Personal Data to Company for Processing in accordance with this DPA and the Agreement.

3.4 Company Obligations

When Company Processes Customer Personal Data, it will:

  1. Except as permitted by applicable law, the Agreement or this DPA, not (a) "sell" or "share" (each as defined in the Data Protection Law) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the services specified in the Agreement, or (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between the Company and Customer.

  2. Require Company's personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.

  3. Provide reasonable assistance necessary for Customer to comply with its obligations under the Data Protection Law.

  4. Promptly notify the Customer of any request made by a Data Subject in relation to Customer Personal Data. Company will, at the Customer's written request, provide the Customer with reasonable assistance in fulfilling any Data Subject requests Customer is required to fulfill under Data Protection Law.

  5. Unless prohibited by law, inform Customer if Company receives a request, complaint or other inquiry regarding the Processing of Customer Personal Data.

  6. Inform Customer if it can no longer comply with its obligations under this DPA. Upon notice to Company, Customer may take reasonable and appropriate steps to remediate Company's use of Customer Personal Data.

  7. Upon termination of the Agreement, as instructed by Customer, delete or return Customer Personal Data, except where continued retention of Customer Personal Data is in accordance with applicable law or the Agreement.

4. Subprocessing

4.1 Use of Subprocessors

Customer agrees that Company may use third-party suppliers to Process Customer Personal Data on its behalf for the provision of the Plutou Platform (each a "Subprocessor").

4.2 Subprocessor Agreements

When engaging any Subprocessor, Company will enter into a written contract with such Subprocessor containing data protection obligations consistent with those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Subprocessor.

5. Data Security

5.1 Security Measures

Company will implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access as described in Schedule 2 attached hereto ("Security Measures").

5.2 Customer Responsibilities

Customer agrees that, without limitation of Company's obligations under Section 5.1 of this DPA, Customer is solely responsible for its use of the Plutou Platform, including (a) making appropriate use of the Plutou Platform to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Plutou Platform; and (c) backing up Customer Personal Data.

6. Security Incident

6.1 Notification

If Company becomes aware of a Security Incident, Company will: (a) notify Customer of the Security Incident without undue delay after becoming aware of it; and (b) take reasonable steps to identify the cause of such Security Incident and take those steps as Company deems necessary and reasonable in order to remediate the cause of such Security Incident to the extent the remediation is within Company's reasonable control.

6.2 Customer Responsibility

Customer is solely responsible for complying with incident notification requirements applicable to Customer. Company's notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Company of any fault or liability with respect to the Security Incident.

7. Audit

7.1 Information Access

Company will make available to Customer, at Customer's request, reasonable information as necessary to demonstrate compliance with this DPA.

7.2 Audit Reports

To the extent Company makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, upon request from Customer, Company may provide such Audit Reports under confidentiality obligations.

7.3 Additional Audits

If Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Company to provide for an audit subject to reasonable confidentiality, timing, scope and notice requirements.

8. General

8.1 Conflicts

If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.

8.2 Severability

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

8.3 Liability

Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement. Customer acknowledges that Company's limitations of liability are reasonable in light of the fees paid and the nature of the services.

8.4 Governing Law

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.


Schedule 1: Description of Processing

1. Categories of Data Subjects

This DPA applies to Company's Processing of Customer Personal Data relating to Customer's employees, contractors or representatives.

2. Types of Personal Data

The extent of Customer Personal Data Processed by Company is determined and controlled by Customer in its sole discretion and includes driver and vehicle information, such as driver names, phone numbers, email addresses, GPS location data, route history, and service activity logs.

3. Subject-Matter and Nature of the Processing

Customer Personal Data will be subject to the Processing activities that Company needs to perform in order to provide the Plutou Platform pursuant to the Agreement.

4. Purpose of the Processing

Company will Process Customer Personal Data for purposes of providing the Plutou Platform and performing other business or operational functions in support of the Platform provision pursuant to the Agreement.

5. Duration of the Processing

Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 3.4(7) of the DPA (deletion or return of Customer Personal Data upon termination).

6. Rights and Obligations of the Parties

The rights and obligations of the parties relating to the Processing of Customer Personal Data are set forth in the DPA.


Schedule 2: Security Measures

Company implements and maintains the following Security Measures:

  1. Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Company's information security program.

  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Company's organization, monitoring and maintaining compliance with the Company's policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

  3. Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Customer Personal Data that is transmitted over public networks or stored at rest.

  4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

  5. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Company's passwords that are assigned to its employees are changed periodically.

  6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.

  7. Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Company facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

  8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Company's possession.

  9. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Company's technology and information assets.

  10. Incident management procedures designed to allow Company to investigate, respond to, mitigate and notify of events related to the Company's technology and information assets.

  11. Network security controls that provide for the use of enterprise firewalls and layered DMZ architecture, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

  12. Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

  13. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.


Schedule 3: List of Subprocessors

The following Subprocessors are authorized to Process Customer Personal Data:

Subprocessor                 Purpose                                Location
Amazon Web Services (AWS)    Cloud infrastructure and hosting       United States
Supabase                     Database and authentication services   United States
Vercel                       Web hosting and deployment             United States
Sentry                       Error monitoring and logging           United States
PostHog                      Product analytics                      United States
Stripe                       Payment processing                     United States

Company maintains an up-to-date list of Subprocessors and may update this list from time to time. Customers will be notified of material changes to Subprocessors in accordance with the Agreement.

Version 1.0
Effective August 14, 2025
Last updated August 14, 2025