Data Processing Adendum

This Moovs Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Moovs Terms of Service, together with any terms applicable to any additional Moovs services that you choose to use (the"Terms") by and between You (or "Customer"), and Swoop, Inc. ("Moovs"), which outline the specific business purposes and services related to the DPA. In case of any conflict between the Terms and this DPA, the DPA shall prevail with respect to the processing of Your Personal Data.

You and Moovs (each a "Party", together the"Parties"), agree that this DPA sets forth the Parties' obligations governing the processing of Your Personal Data in connection with the Terms and Your use of the Services.

Capitalized terms used but not defined in this DPA shall have the same meaning given to them in the Terms:

A. Applicable Data Protection Law(s): Any data protection or privacy laws applicable to Moovs' processing of Your Personal Data under the Terms, their implementing regulations and secondary legislation, each as may be amended, updated or replaced from time to time, including (as applicable, based on the location or residence of Customer and/or Your Client(s)):
1. The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA");
2. Virginia Consumer Data Protection Act ("VCDPA");
3. Colorado Privacy Act ("CPA");
4. Connecticut Data Privacy Act ("CTDPA");
5. Utah Consumer Privacy Act ("UCPA");
6. Texas Data Privacy and Security Act ("TDPSA");
7. Oregon Consumer Privacy Act ("OCPA");
8. Montana Consumer Data Privacy Act ("MCDPA"); and
9. Once effective, similar comprehensive privacy laws in other U.S. states (together, "U.S. Data Protection Laws").
B. Client: An individual or entity that uses, engages with, and/or purchasestransportation services through Your implementation of the Moovs platform.
‍C. Personal Data: Information or data defined as 'personal data,' 'personal information,'or 'personally identifiable information' (or analogous term) under ApplicableData Protection Laws from or about Your Clients that is made available to Moovs(or third-parties acting on Moovs' behalf) by You (or third-parties acting onYour behalf) as part of using the Services, as well as other personal data Youchoose to share with Moovs about Your Clients as part of using the Services.
‍D. Data Rights Request: A valid and lawful request by an individual to exercise availablerights pertaining to Personal Data under an Applicable Data Protection Law.
‍E. Data Controller: The Party that determines the purposes and means of the processing ofPersonal Data, or as otherwise defined under any Applicable Data ProtectionLaw.
‍F. Data Processor or Service Provider: The Party or other entity or business that providesservices on behalf of and processes Personal Data at the direction and onbehalf of the Data Controller, and shall be interpreted in accordance with theApplicable Data Protection Laws.
‍G. Personal Data Breach: In relation to Your Personal Data, shall be interpreted in accordancewith Applicable Data Protection Law.
‍H. "Process," "processes," or "processing": (a) Any operation or set ofoperations which is performed on Personal Data or on sets of Personal Data,whether or not by automated means, such as collection, recording, organization,structuring, storage, adaptation or alteration, retrieval, consultation, use,disclosure by transmission, dissemination or otherwise making available,alignment or combination, restriction, erasure or destruction; or (b) thedefinition given to such term(s) under the Applicable Data Protection Law.
‍I. "Subprocessor(s)": Affiliated companies or third-party Data Processors or ServiceProviders that may process Personal Data at Moovs' direction for the purpose ofproviding the Services.
‍J. "You," "Your," or "Customer": Means the business that uses theServices and is a Party to the Terms with Moovs.

Moovs receives and processes Your Personal Data in order to provide You with the Services and as otherwise set forth below. Depending on which of theServices You request or use, Moovs will process the categories of Personal Dataset forth at Appendix A, in the manner described therein.The parties acknowledge and agree that with regard to the Processing of Personal Data under the Agreement:
1. You are the Data Controller;
2. Moovs is the Data Processor or Service Provider; and
3. Moovs shall only process Personal Data on behalf of and in accordance with Your documented instructions for the specific purposes of performing the Services under the Agreement.

Moovs shall only process Your Personal Data as a Data Processor orService Provider as necessary to provide and improve its Services or as otherwise permitted by Applicable Data Protection Laws. As part of its provision and ongoing improvement of its Services, Moovs may aggregate, anonymize or de-identify Your Personal Data. To the extent Moovs receives from You Personal Data that has been de-identified, Moovs will maintain and use the data only in a de-identified fashion.

The following section describes the Parties' respective obligations with respect to the processing of Personal Data covered by this DPA.
‍A. General Compliance The Parties will comply with their respective obligations under Applicable Data Protection Laws. Moovs shall have no obligation to interpret or advise You on Your obligations under Applicable Data Protection Laws, including with respect to Personal Data covered by this DPA. You are solely responsible for determining Your legal and regulatory obligations, including evaluating whether the technical and organizational measures of the Services are consistent with Your independent legal and regulatory obligations.
‍B. Moovs' Obligations
‍Data Security Moovs will implement and maintain appropriate technical and organizational measures designed to protect Your Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure, as set forth in Appendix B.
‍Personal Data Breach Notification     and Investigation a) As required by Applicable Data Protection Laws, Moovs will provide notice to You upon Moovs confirming any Personal Data Breach.b) Such notice shall include the information required under ApplicableData Protection Laws to the extent such information is reasonably available to Moovs. Moovs' response to, or notice of, a Personal Data Breach is not an acknowledgment by Moovs of any fault or liability.c) Moovs agrees to investigate any Personal Data Breach, and use commercially reasonable efforts to identify, prevent, mitigate, and remedy the effects.
‍Data Rights Requests a) To the extent required under Applicable Data Protection Laws, Moovs will facilitate Your ability to process and respond to Data Rights Requests from Your Clients related to Your use of the Services.b) To obtain assistance in responding to any such Data Rights Request, forward the Request to Moovs via the Moovs Customer administrative console/portal, unless Moovs notifies You of a different mechanism.
‍C. Your Obligations With Respect to Personal Data
‍Privacy Notices and Transparency: You represent and warrant that     You are in compliance with all obligations under Applicable Data     Protection Laws to provide notice and transparency concerning Your     processing of Personal Data under the Terms and in connection with Your     use of the Services. To the extent required under Applicable Data     Protection Laws, You shall communicate to the relevant individuals all     disclosures necessary for Moovs to lawfully and fairly process Personal     Data in connection with this DPA, including by providing a link to Moovs'     Privacy Policy or to Your own Privacy Policy.
‍Client Rights and Permissions: You represent and warrant that  you have all necessary rights, permissions, and consents to make available     Personal Data to Moovs in accordance with the Terms, Your use of the     Services You receive and Applicable Data Protection Laws.
‍Data Rights Requests: You represent and warrant that     You provide the ability for Your Clients to exercise Data Rights Requests,     as required under Applicable Data Protection Laws, with respect to all     Personal Data processed by Moovs for which You are the Data Controller.
‍Regulatory Inquiries: Unless prohibited by applicable     law, You will notify us promptly in accordance with the Notice provision     in the Terms of any governmental, regulatory or other third party inquiry     or complaint concerning Your use of the Services.

This section applies only to the extent that: (i) U.S. Data ProtectionLaws apply to You in connection with Your use of the Services; and (ii) the following provisions are required by U.S. Data Protection Laws and You are a"business" or "controller" under these laws.A. Moovs will not: (i) retain, use, or disclose such Personal Data outside its direct business relationship with You or for any other purpose other than for the limited and specified purposes identified in this DPA and/orthe Terms, including retaining, using or disclosing such Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, and/or the Terms, (ii) "sell" or "share" suchPersonal Data within the meaning of the CCPA/CPRA; or (iii) combine such PersonalData with Personal Data that it receives from other sources, in each case except as permitted under U.S. Data Protection Laws.B. Moovs will (i) provide the same level of privacy protection requiredof businesses or Data Controllers by such laws, and inform You if it determinesthat it can no longer meet these obligations, in which case You may takereasonable and appropriate steps to stop or remediate any unauthorizedprocessing of such Personal Data, (ii) ensure personnel who it authorizes toprocess Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality, (iii) upon reasonable written request, and as part of enabling You to take reasonable and appropriate steps to ensure Moovs uses such Personal Data in a manner consistent with U.S.Data Protection Laws, provide the SOC2 report showing a reasonable assessment of Moovs' information security program; and (iv) upon termination of itsServices to You, Moovs will initiate its purge process to delete or de-identify the Personal Data.C. You represent and warrant that You will not share with Moovs anyPersonal Data of an individual who has exercised an opt-out right that You have committed to honoring or any sensitive Personal Data of an individual who has not consented to the processing of such sensitive data.

A. Global Data TransfersYou acknowledge that Personal Data may be transferred and processed in any country in which Moovs, its affiliated companies or third party service providers are located. Any transfer of Personal Data to these recipients will be made in compliance with Applicable Data Protection Laws.
‍B. Response to Legal RequestsYou acknowledge that, in the course of providing the Services to You, Moovs may share Your Personal Data (i) to comply with legal requirements or to respond to court orders or other similar government or regulatory demands; or(ii) to prevent or investigate suspected fraud, threats to physical safety,illegal activity, or violations of a contract (such as the Terms) or ourpolicies (such as our Acceptable Use Policy).Moovs will make reasonable efforts before producing such Personal Data to ensure that such disclosure is permitted under Applicable Data Protection Laws and will be treated as confidential information under the applicable legal framework.
‍C. Disclosure in CorporateTransactionsYou acknowledge that, in the course of providing the Services to You, Moovs may be required to share Personal Data with potential counterparties to any corporate or restructuring transaction.
‍D. Moovs' Use of Subprocessors/ServiceProvidersYou acknowledge that, in the course of providing the Services to You, Moovs may use Sub processors to process Personal Data. Moovs maintains an updated list of all Sub processors used. If Applicable Data Protection Laws grant you such rights, You may object to Moovs' use of a Sub processor, and if Moovs is unable or unwilling to accommodate such requests, You may, in accordance with such laws, terminate Your use of the impacted Services within30 days of such notification in accordance with the Terms.Moovs' use of Sub processors to process Personal Data that You provide will be in compliance with Applicable Data Protection Laws. Where Moovs engages a Sub processor, Moovs will enter into a written agreement with the Sub processorthat imposes contractual obligations that are substantially the same as the ones set out in this DPA.
‍E. DPA AmendmentYou acknowledge and agree that Moovs may amend this DPA from time to timeby posting the relevant amended and restated DPA on Moovs' website, availableat https://moovs.com/legal/dpa and such amendments to the DPA are effective asof the date of posting. Your continued use of the Services after the amendedDPA is posted to Moovs' website constitutes Your agreement to, and acceptanceof, the amended DPA. If You do not agree to any changes to the DPA, do notcontinue to use the Service.

Appendix A - Categories of Personal Data
Appendix B - Data Security

As part of Your use of the Services, and depending on which Services Youuse, we may receive and process the following categories of Personal Data toprovide the Services: Client name, email, contact, and     location information. Transportation service booking     and transaction information. Update(s) about the status of     transportation service(s). Client activity in Your     transportation platform, including services viewed and/or included in     carts. Client preference signals,     including Global Privacy Control ("GPC"), opt-out and opt-in     signals. Client device information for     device(s) used when visiting Your platform, including IP address, browser,     and network activity. Other information about the     Clients' interactions with You. Any other Personal Data You     choose to make available with Moovs.

Moovs will maintain an information security program designed to (a)enable You to secure Your Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure; (b) identify reasonably foreseeable risks to the security and availability of the Services You receive; and (c) minimize security risks to the Services.
‍I. Moovs' information security program will include the following safeguards:
A. Logical Security
Access Controls Moovs will make its systems accessible only to authorized personnel, andonly as necessary to maintain and provide the Services. Moovs will maintain access controls and policies designed to manage authorizations for access to its systems, including through the use of firewalls and/or other technology and authentication controls.
‍Restricted User Access Moovs will (i) provision and restrict access to its systems in accordance with least privilege principles based on personnel job functions
‍Vulnerability Assessments Moovs will maintain a vulnerability assessment and penetration testing program, responsible for investigating and tracking identified issues with theServices to resolution where necessary.
‍Application Security Moovs maintains an application security program responsible for protecting Services from application security threats.
‍Change Management Moovs will maintain controls designed to log, authorize, test, approve and document changes to existing Services resources, and will document change details within its change management or deployment tools. Moovs will test changes according to its change management standards prior to migration to production.
‍Data Integrity As appropriate, Moovs will maintain controls designed to provide data integrity during transmission, storage and processing within the Services.
‍Availability Moovs will (i) implement redundancy where appropriate for the Servicesto minimize the effect of a malfunction on the Services, (ii) design theServices to anticipate and tolerate failures, and (iii) implement appropriateprocesses designed to move Personal Data traffic away from the affected areaswhen necessary to recover from failures.
‍Business Continuity and Disaster Recovery Moovs will maintain a risk management program designed to support the continuity of its critical business functions, including processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Moovs' provision of the Services You receive.
‍Incident Management Moovs provides documentation for You to report security or availability incidents, ask security or availability questions, and submit information about potential security or availability issues. Moovs will maintain corrective action plans and incident response plans designed to detect, mitigate, investigate, and respond to potential security threats to the Services.
‍B. Physical SecurityWhere necessary to protect Services, Moovs will (i) implement reasonablemeasures designed to prevent unauthorized physical access, damage, orinterference to the Services, (ii) use appropriate control devices designed torestrict physical access to the Services to only authorized personnel who havea legitimate business need for such access, and (iii) perform periodic reviewsto validate adherence with these standards.
‍C. Moovs Employees Moovs employees who are authorized to access Personal Data are bound byobligations of confidentiality as part of their terms of employment. Moovs willimplement and maintain employee security training programs regarding Moovsinformation security requirements. The security awareness training programswill be reviewed and updated periodically.
‍II. SOC 2 Compliance Moovs is in the process of obtaining a SOC 2 Type 2 report, which isexpected to be issued in Q2 2025. Upon completion, Moovs will make available toCustomer information regarding its compliance with the standards set forth inthe SOC 2 Type 2 report.
‍III. Modifications to this Appendix Moovs reviews its security measures from time to time, and may updatethis Appendix in its sole discretion. Any such updates will replace priorversions of this Appendix as of the date that Moovs publishes the updatedversion.

If you have any questions about this Privacy Policy, please contact us.