
U.S. State Privacy Processor Terms Addendum

Last updated: February 10, 2026

1. Roles; Scope

(a) Roles

Customer is the business/controller (or equivalent) and H33 is the service provider/processor (or equivalent) with respect to Personal Data Processed by H33 on Customer's behalf via the Services.

(b) Instructions

Customer instructs H33 to Process Personal Data only as necessary to provide, secure, maintain, and improve the Services, to prevent fraud/abuse, to comply with law, and as otherwise permitted by the Terms.

2. No Sale / No Sharing / No Cross-Context Advertising

H33 will not sell Personal Data or share Personal Data for cross-context behavioral advertising (as those terms are defined under applicable law). H33 will not retain, use, or disclose Personal Data for any purpose other than the purposes stated in Section 1(b), except as permitted by U.S. State Privacy Laws.

3. Confidentiality; Access Controls

H33 will ensure that personnel authorized to Process Personal Data are subject to confidentiality obligations and that access is limited to those with a need to know to provide the Services.

4. Security Measures

H33 will implement reasonable administrative, technical, and organizational safeguards designed to protect Personal Data, as described in the Security Exhibit (incorporated by reference).

5. Subprocessors

Customer authorizes H33 to engage Subprocessors to Process Personal Data for the purposes described in Section 1(b). H33 will engage Subprocessors under written agreements (which may include the Subprocessor's standard terms) that are commercially reasonable for the nature of the services provided and that are designed to:

  • Require the Subprocessor to Process Personal Data only to provide services to H33 (and not for the Subprocessor's own unrelated purposes)
  • Prohibit the Subprocessor from selling or sharing Personal Data (as those terms are defined under applicable law)
  • Prohibit retaining, using, or disclosing Personal Data outside of the direct business relationship between the Subprocessor and H33 or for any purpose other than performing the services for H33, except as otherwise permitted by applicable law
  • Prohibit combining Personal Data processed on H33's behalf with personal data obtained from other sources except to the extent permitted by applicable law for a permitted purpose
  • Impose confidentiality obligations
  • Require the Subprocessor to maintain reasonable security measures appropriate to the services provided

Where required by applicable U.S. State Privacy Laws, H33 will use commercially reasonable efforts to obtain contractual commitments from Subprocessors that support H33's obligations under this Addendum, recognizing that certain Subprocessors offer standardized terms on a non-negotiable basis.

6. Consumer Requests; Assistance

Customer is responsible for responding to consumer/data subject requests under U.S. State Privacy Laws. H33 will provide commercially reasonable assistance, taking into account the nature of the Services and information available to H33.

Assistance beyond standard support (e.g., repeated/custom reporting) may be subject to reasonable fees and scheduling unless prohibited by law. H33 is not required to complete Customer vendor questionnaires or provide bespoke certifications or attestations unless expressly agreed in an Order Form.

H33 may decline requests that are disproportionate, require disclosure of other customers' information, or would compromise security.

7. Deletion and Return

Upon termination of the Services, H33 will delete or return Personal Data in accordance with the Terms, subject to legal retention requirements and routine backup retention/technical constraints.

8. Verification; Audits (Limited; Reports-Only)

To the extent required by applicable U.S. State Privacy Laws, Customer may take reasonable steps to verify H33's compliance with this Addendum.

Unless otherwise agreed in an Order Form, such verification is satisfied by H33 making available, in its discretion, then-current third-party security reports (if available) or a written security summary referencing the Security Exhibit, no more than once per year (except following a confirmed Security Incident). Any such materials are H33 Confidential Information.

No on-site audits are permitted, and Customer may not require H33 to complete vendor questionnaires, certifications, or attestations beyond the foregoing.

9. Notice; Stop/Remediate

H33 will notify Customer if H33 determines it can no longer meet its obligations under this Addendum with respect to Personal Data.

Upon such notice (or if Customer reasonably believes unauthorized Processing has occurred), Customer may take commercially reasonable and appropriate steps to stop and remediate the unauthorized Processing, including by suspending or terminating the affected Processing and/or the Services, consistent with the Terms.

10. No Expansion of Liability

This Addendum does not expand H33's liability or Customer remedies beyond the Terms unless an Order Form expressly states otherwise. For clarity, this Addendum creates no security warranty and does not modify any SLA or service commitment.

Questions about this Addendum?

Contact our Privacy team at privacy@h33.ai