Data Processing Agreement
Between:
- The Controller: The customer (plumbing contractor or business) subscribing to FixRep services, hereinafter referred to as the "Controller" or "Customer".
- The Processor: NanoCorp, operating the FixRep platform, with contact address privacy@fixrep.nanocorp.app, hereinafter referred to as the "Processor" or "FixRep".
Effective date: March 29, 2026
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"):
- "Controller" means the natural or legal person (the Customer) who determines the purposes and means of the processing of personal data.
- "Processor" means FixRep (operated by NanoCorp), which processes personal data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "DSAR" means a Data Subject Access Request, being any request made by a data subject to exercise their rights under the GDPR.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
2. Subject Matter and Duration of Processing
2.1 Subject Matter
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the FixRep platform and related services. The Processor provides a software-as-a-service platform that scrapes publicly available reviews from third-party platforms (including Google and Yelp) and uses artificial intelligence to analyze those reviews and generate suggested responses for plumbing contractors.
2.2 Duration
This DPA shall remain in effect for the duration of the Controller's subscription to the FixRep platform and shall automatically terminate upon termination or expiry of the Controller's service agreement, subject to the obligations set out in Section 10 (Term and Termination) below.
3. Nature and Purpose of Processing
The Processor processes personal data for the following purposes:
1. Review scraping — Collecting publicly available reviews, including reviewer names, review content, star ratings, and associated metadata from third-party review platforms (Google, Yelp, and similar services).
2. AI analysis — Analyzing review sentiment, identifying key themes, and categorizing feedback using artificial intelligence models.
3. Response generation — Generating AI-powered suggested rebuttals and responses to reviews for use by the Controller.
4. Dashboard and reporting — Presenting collected data and generated responses within the Controller's account dashboard.
5. Payment processing — Processing subscription payments through third-party payment providers.
4. Types of Personal Data Processed
The following categories of personal data are processed under this DPA:
| Category | Description |
| --- | --- |
| Reviewer names | Names or pseudonyms of individuals who have posted public reviews on third-party platforms |
| Review content and ratings | The text, star ratings, and dates of publicly posted reviews |
| Business contact information | Controller's name, email address, phone number, business address, and billing information |
| Account data | Login credentials, user preferences, and dashboard settings |
| AI-generated response data | Suggested responses and rebuttals generated by AI models based on review content |
| Payment data | Payment method details processed by Stripe (the Processor does not store full payment card numbers) |
5. Categories of Data Subjects
The data subjects whose personal data may be processed under this DPA include:
- Review authors — Individuals who have posted publicly available reviews on third-party platforms such as Google and Yelp.
- Business representatives — Employees, owners, or agents of the Controller who use the FixRep platform.
6. Obligations of the Processor
FixRep, as Processor, undertakes the following obligations:
6.1 Processing on Documented Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
6.2 Confidentiality
The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data shall be limited to those personnel who require such access for the performance of their duties.
6.3 Technical and Organizational Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Encryption — Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Access controls — Role-based access controls, multi-factor authentication for administrative access, and principle of least privilege.
- Backups — Regular automated backups with secure, encrypted storage and tested restoration procedures.
- Monitoring — Logging and monitoring of access to personal data and systems processing personal data.
- Incident response — Documented incident response procedures for the detection, containment, and remediation of data breaches.
- Infrastructure security — Use of industry-standard cloud infrastructure providers with appropriate certifications (e.g., SOC 2, ISO 27001).
6.4 Sub-processor Management
The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.
The following sub-processors are authorized as of the effective date of this DPA:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| OpenAI | AI model inference for review analysis and response generation | United States |
| Anthropic | AI model inference for review analysis and response generation | United States |
| Vercel | Platform hosting and infrastructure | United States / Global edge network |
| Stripe | Payment processing and billing | United States |
The Processor shall impose on each sub-processor, by way of a contract, the same data protection obligations as set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of any sub-processor's obligations.
6.5 Assistance with Data Subject Rights (DSAR)
The Processor shall assist the Controller, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction, data portability, and objection.
Upon receiving a DSAR directly from a data subject, the Processor shall promptly forward it to the Controller and shall not respond to the data subject directly without the Controller's prior written authorization, unless required by applicable law.
6.6 Data Breach Notification
In the event of a Data Breach affecting personal data processed on behalf of the Controller, the Processor shall:
1. Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach.
2. Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the Data Breach under the GDPR.
3. Include in the notification, at a minimum:
- A description of the nature of the Data Breach, including where possible the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's data protection point of contact.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
6.7 Return or Deletion of Data
Upon termination or expiry of the service agreement, the Processor shall, at the Controller's choice:
- Return all personal data to the Controller in a commonly used, machine-readable format; or
- Delete all personal data and existing copies, unless European Union or Member State law requires storage of the personal data.
The Processor shall complete the return or deletion within 30 days of termination and shall provide written confirmation of deletion upon request.
6.8 Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be conducted with reasonable prior written notice of at least 30 days, during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor.
7. Obligations of the Controller
The Controller undertakes the following obligations:
1. Lawful basis — The Controller shall ensure that it has a valid legal basis for the processing of personal data that it instructs the Processor to carry out, including any necessary consents or legitimate interest assessments.
2. Documented instructions — The Controller shall provide clear, documented instructions to the Processor regarding the processing of personal data.
3. Accuracy — The Controller shall ensure, to the extent reasonably practicable, that personal data provided to the Processor is accurate and up to date.
4. Data subject communication — The Controller shall be responsible for informing data subjects about the processing of their personal data as required by Articles 13 and 14 of the GDPR.
5. Compliance — The Controller shall comply with all applicable data protection laws and regulations in relation to its use of the FixRep platform.
6. Notification — The Controller shall promptly notify the Processor of any changes to applicable data protection laws that may affect the Processor's obligations under this DPA.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) — The Processor shall enter into the European Commission's Standard Contractual Clauses (as adopted by Commission Implementing Decision (EU) 2021/914) with any sub-processor located outside the EEA that does not benefit from an adequacy decision.
- Transfer Impact Assessments — Where required, the Processor shall conduct transfer impact assessments to evaluate whether the laws of the recipient country provide an adequate level of protection.
- Supplementary measures — Where necessary, the Processor shall implement supplementary technical, organizational, or contractual measures to ensure that the level of protection afforded to personal data is not undermined by the transfer.
The Controller acknowledges that certain sub-processors listed in Section 6.4 are located in the United States and that transfers to those sub-processors are governed by the appropriate safeguards described above.
9. Liability
1. Each party shall be liable for damages caused by processing that infringes this DPA or the GDPR, in accordance with Article 82 of the GDPR.
2. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.
3. A party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Nothing in this DPA shall limit or exclude either party's liability for damages that cannot be limited or excluded under applicable law.
10. Term and Termination
1. This DPA shall enter into force on the effective date stated above and shall remain in force for the duration of the Controller's subscription to the FixRep platform.
2. Upon termination or expiry of the service agreement for any reason, the provisions of this DPA shall continue to apply to any personal data still in the possession of the Processor until such data has been returned or deleted in accordance with Section 6.7.
3. Either party may terminate this DPA for cause if the other party materially breaches its obligations under this DPA and fails to cure such breach within 30 days of receiving written notice thereof.
11. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of France, without regard to its conflict of laws principles. Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts of Paris, France.
12. General Provisions
1. Entire agreement — This DPA, together with the Controller's service agreement and the Privacy Policy, constitutes the entire agreement between the parties with respect to the processing of personal data.
2. Amendments — This DPA may only be amended in writing, signed by both parties.
3. Severability — If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
4. Precedence — In the event of a conflict between this DPA and the service agreement, this DPA shall prevail with respect to data protection matters.
13. Contact
For any questions regarding this DPA, please contact:
Email: privacy@fixrep.nanocorp.app
This Data Processing Agreement is effective as of March 29, 2026.