Data Processing Agreement

Effective date: April 1, 2026 · Version 1.0 · Enterprise Template

This Data Processing Agreement ("DPA") supplements and forms part of the agreement between StorScale LLC ("StorScale", the "Processor") and the customer identified in the Order Form or on signature block below (the "Controller") under which StorScale provides the Services. This DPA reflects the parties' agreement on the processing of Personal Data as required by applicable data protection laws, including the California Consumer Privacy Act ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and, where applicable, the EU and UK General Data Protection Regulation ("GDPR") and equivalent U.S. state privacy laws.

1. Definitions

1. "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, including the CCPA/CPRA, other U.S. state privacy laws, the GDPR, and the UK GDPR and Data Protection Act 2018.
2. "Controller" means the customer entity that determines the purposes and means of the processing of Personal Data. In CCPA terms, the Controller is the "Business".
3. "Processor" means StorScale, which processes Personal Data on behalf of the Controller. In CCPA terms, the Processor is the "Service Provider".
4. "Sub-Processor" means any third party engaged by StorScale to process Personal Data on behalf of the Controller.
5. "Personal Data" means information relating to an identified or identifiable natural person that is processed by StorScale on behalf of the Controller in connection with the Services.
6. "Data Subject" means the natural person to whom Personal Data relates (including the Controller's employees, contractors, and tenants where applicable).
7. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by StorScale or its Sub-Processors.
8. "Services" means the StorScale platform, APIs, web interfaces, and related services provided to the Controller under the Order Form or Terms of Use.
9. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission Implementing Decision 2021/914 of June 4, 2021 (for EU transfers) and the UK International Data Transfer Addendum (for UK transfers).

2. Subject matter, duration, nature, and purpose

1. Subject matter. StorScale processes Personal Data on behalf of the Controller to provide the Services described in the Order Form or Terms of Use.
2. Duration. This DPA applies for the term of the Order Form or Terms of Use and any period during which StorScale continues to process Personal Data on behalf of the Controller thereafter.
3. Nature. The processing comprises collection, storage, analysis (including automated analysis and generation of pricing, marketing, and operational insights), organization, transmission to authorized Sub-Processors, deletion, and the other operations described in Annex B.
4. Purpose. The purpose of processing is to deliver the Services, generate insights and recommendations, support the Controller's operations, detect and prevent fraud and abuse, and comply with legal obligations.

3. Categories of Data Subjects and Personal Data

Unless otherwise specified in an Order Form:

• Categories of Data Subjects: Controller's personnel (employees, contractors, authorized users); Controller's tenants and prospects to the extent their data is present in connected Property Management Systems or uploaded by the Controller; website visitors to Controller-owned properties that connect analytics to StorScale.
• Categories of Personal Data: identifiers (name, email, phone, IP address, device identifiers); business contact and account data (job title, company, role); commercial information (subscription tier, facility address, unit types, rate history, revenue figures, tenant ledger summaries where exposed by the PMS); internet or network activity (logins, page views, API calls); inferred characteristics derived from usage (segments, benchmarks).
• Sensitive or special-category data: StorScale does not request and does not require sensitive personal information (such as social security numbers, driver's license numbers, precise geolocation, or biometric identifiers) to operate the Services. Controller should not upload such data. If the Controller's PMS exports contain tenant payment card numbers, SSNs, or other sensitive identifiers, the Controller is responsible for redaction prior to upload or authorization.

4. Processor obligations

1. Documented instructions. StorScale shall process Personal Data only on the documented instructions of the Controller, including those set out in the Order Form, the Terms of Use, this DPA, and configuration actions the Controller takes in the Services. StorScale will promptly inform the Controller if, in StorScale's opinion, an instruction infringes Applicable Data Protection Law.
2. Confidentiality. StorScale ensures that personnel authorized to process Personal Data are bound by written obligations of confidentiality.
3. Security. StorScale implements and maintains the technical and organizational security measures described in Annex A, which shall be at a level appropriate to the risks presented by the processing.
4. Assistance with Data Subject requests. Taking into account the nature of the processing, StorScale assists the Controller with appropriate technical and organizational measures to respond to Data Subject rights requests (access, correction, deletion, portability, restriction, objection, opt-out) in accordance with Applicable Data Protection Law. Standard DSAR tooling is available in the Controller's account; bespoke assistance is billed at StorScale's then-current professional services rates.
5. Assistance with Controller compliance. StorScale provides reasonable assistance to the Controller with data protection impact assessments, consultations with supervisory authorities, and notifications required under Applicable Data Protection Law.
6. Breach notification. StorScale notifies the Controller of a confirmed Personal Data Breach affecting the Controller's Personal Data without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach. The notification includes the nature of the breach, categories and approximate number of Data Subjects concerned, likely consequences, and measures taken or proposed.
7. No sale; no cross-context behavioral advertising. StorScale does not sell Personal Data, does not share Personal Data for cross-context behavioral advertising, and does not combine Personal Data received from the Controller with Personal Data received from other sources except as necessary to provide the Services.
8. No training of third-party AI on Controller Personal Data. StorScale does not use Controller Personal Data to train or fine-tune third-party AI foundation models. Automated analysis occurs through API calls with contractual prohibitions on downstream model training.
9. Records of processing. StorScale maintains records of processing activities as required under Applicable Data Protection Law and makes them available to the Controller on reasonable request.

5. Sub-Processors

1. General authorization. The Controller grants StorScale general authorization to engage Sub-Processors for the provision of the Services. The current Sub-Processors and their roles are listed in Annex B.
2. Notice of new Sub-Processors. StorScale will notify the Controller at least thirty (30) days before the effective date of engaging a new Sub-Processor by updating Annex B and notifying the Controller's designated contact by email. You can subscribe to Sub-Processor change notifications at hello@storscale.ai.
3. Right to object. The Controller may object to a new Sub-Processor on reasonable data protection grounds within thirty (30) days of notice. The parties will work in good faith to resolve the objection. If unresolved, either party may terminate the affected Services with prorated refund of prepaid fees.
4. Flow-down obligations. StorScale imposes on each Sub-Processor data protection terms that are substantially the same as those in this DPA. StorScale remains liable for the acts and omissions of Sub-Processors as if they were its own.

6. International transfers

1. Hosting location. Primary processing and storage of Personal Data occurs in the United States. Edge delivery may occur globally via content delivery networks.
2. EU / EEA / UK / Swiss transfers. Where the Controller provides Personal Data subject to the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection, transfer to the United States is subject to the Standard Contractual Clauses as set out in Annex C, which are incorporated by reference. For transfers from the UK, the UK International Data Transfer Addendum to the SCCs applies. For transfers from Switzerland, references to the GDPR shall be understood as references to the Swiss FADP as appropriate.
3. Data Privacy Framework. Where StorScale or a Sub-Processor is certified under the EU-U.S. Data Privacy Framework, transfers may alternatively rely on that certification.
4. Transfer impact assessment. StorScale has performed a transfer impact assessment and will provide a summary on written request.

7. Audit rights

1. Audit on request. StorScale makes available to the Controller the information necessary to demonstrate compliance with this DPA. No more than once in any twelve (12) month period (and more frequently if required by a supervisory authority or following a Personal Data Breach), the Controller may audit StorScale's compliance with this DPA.
2. Process. Audits are conducted on at least thirty (30) days' prior written notice, during business hours, subject to confidentiality obligations, in a manner that does not unreasonably interfere with StorScale's operations, and at the Controller's expense.
3. Third-party reports. Where available, the Controller agrees to accept in lieu of on-site audit any current SOC 2 Type II, ISO 27001, or equivalent third-party audit report produced by an independent auditor. StorScale will share such reports under NDA.
4. Supervisory authority audits. StorScale will cooperate with audits carried out by a supervisory authority under Applicable Data Protection Law.

8. Return or deletion of Personal Data

1. Upon termination or expiration of the Services, StorScale will, at the Controller's option, return or delete all Personal Data processed under this DPA.
2. The Controller may export Personal Data through self-service tooling for thirty (30) days after termination. After the export window, StorScale will delete Personal Data from active systems within thirty (30) days and from backups within the subsequent ninety (90) days as backups roll over.
3. StorScale may retain Personal Data to the extent required by law, in which case the confidentiality and security obligations of this DPA continue to apply.
4. StorScale will certify deletion in writing on request.

9. Liability

Each party's liability under or in connection with this DPA is subject to the limitations of liability in the Terms of Use or Order Form. Nothing in this DPA limits either party's liability for breaches of Applicable Data Protection Law where such limitation is prohibited by law, or for indemnification obligations owed to Data Subjects under the Standard Contractual Clauses.

10. Conflict, term, and miscellaneous

1. Order of precedence. In the event of a conflict, the order of precedence is: (i) the Standard Contractual Clauses (where applicable); (ii) this DPA; (iii) the Order Form; (iv) the Terms of Use.
2. Term. This DPA takes effect on the Effective Date of the Order Form or, if earlier, when StorScale first processes Personal Data on behalf of the Controller, and continues for the term of the Services and any period during which processing continues.
3. Governing law and venue. Governed by the law and venue specified in the Terms of Use or Order Form, except where Applicable Data Protection Law requires otherwise.
4. Severability. If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in force.
5. Changes. Material changes to the Sub-Processor list will be notified under Section 5. Other changes require written agreement of both parties, except where required by law.