Data Processing Addendum

1. Definitions

"Personal Information" means information relating to an identified or identifiable natural person that Customer submits to the Service, including staff account data (name, work email) and operational metadata (IP addresses in audit logs).

"Input Data" has the meaning in the Terms. Input Data is limited to operational inventory as described in the Operational Data Boundary. Prohibited Data (including PHI) must not be submitted.

"Process" means any operation performed on Personal Information, including collection, storage, use, disclosure, and deletion.

2. Roles

Customer is the controller (or equivalent) of Personal Information it submits. Inventifornia is the processor, processing Personal Information solely to provide the Service per Customer's documented instructions (account configuration, user management, and use of Service features).

3. Processing instructions

Inventifornia will Process Personal Information only to:

• Provide, maintain, and secure the Service
• Comply with applicable law or valid legal process
• As otherwise documented in the Terms, this DPA, or Customer's written instructions

4. Security measures

Inventifornia implements administrative, technical, and physical safeguards described in the Trust Center, including encryption in transit, access controls, RBAC, audit logging, and rate limiting. Inventifornia may update safeguards provided they do not materially reduce overall security.

5. Subprocessors

Customer authorizes Inventifornia to engage subprocessors listed at /trust/subprocessors, subject to 30-day advance change notification. Inventifornia remains responsible for subprocessors' performance of data protection obligations.

6. Data subject rights

Inventifornia will assist Customer, to the extent technically feasible, in responding to verifiable data subject requests (access, correction, deletion) by providing export and account management tools. Customer is responsible for validating requester identity.

7. Security incident notification

Inventifornia will notify Customer without undue delay and in any event within seventy-two (72) hours after confirming a Security Incident that results in unauthorized access to, acquisition of, or disclosure of Customer Personal Information. Notification includes known facts, affected data categories, and remediation steps. Details in the Incident Response plan.

8. Retention and deletion

Upon termination, Inventifornia will delete or return Customer Personal Information per the Data Retention schedule: 30-day export window, deletion from active production systems within 90 days, subject to legal hold or backup rotation.

9. International transfers

Personal Information may be processed in the United States, Canada, or other countries where Inventifornia or subprocessors operate. Customer consents to such transfers when using the Service.

10. Audits

Upon reasonable written request (no more than once per 12 months), Inventifornia will provide information necessary to demonstrate compliance with this DPA, including Trust Center documentation and security questionnaire responses. On-site audits require 30 days' notice and are subject to confidentiality and scheduling constraints.

11. Operational data boundary

Customer acknowledges that Inventifornia does not offer HIPAA BAAs and that Prohibited Data must not be submitted. The Operational Data Boundary is incorporated by reference.

12. Contact

Data protection inquiries: security@inventifornia.com