Data Processing Addendum

Last updated: 01.10.2026

This Data Processing Addendum (“DPA”) forms part of the ClearCheck Terms of Use or other written agreement governing use of the ClearCheck service (the “Agreement”) entered into between:

CLEARCHECK LTD
Registration Number: HE 478941
Private Limited Company registered in Cyprus
(“Company”, “Processor”, “Service Provider”, “we”, “us”),

and

The customer using the ClearCheck service
(“Customer”, “Controller”, “Business”, “you”).

This DPA applies to the extent Company processes Personal Data on behalf of Customer in connection with the ClearCheck platform (“Service”).

If there is a conflict between this DPA and the Agreement regarding Personal Data processing, this DPA shall control.

Effective Date: [Insert date]

1. Definitions

“Personal Data” means any information relating to an identified or identifiable individual processed under this DPA.

“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

“Customer Data” means Personal Data submitted by or on behalf of Customer into the Service, as well as data processed by the Service in order to generate informational outputs.

“Data Protection Laws” means applicable privacy and data protection laws, including, where applicable:

• U.S. state privacy laws (including the California Consumer Privacy Act as amended by the CPRA),

• the EU General Data Protection Regulation (“GDPR”) and UK GDPR (if applicable).

2. Roles of the Parties

2.1 Customer as Controller / Business
Customer acts as the controller (or “business” under applicable U.S. privacy laws) with respect to Customer Data.

2.2 Company as Processor / Service Provider
Company acts as a service provider / processor, processing Customer Data only:

• to provide, operate, and maintain the Service
• to generate informational outputs based on user-provided and third-party data
• to ensure security, integrity, and functionality of the Service

2.3 No Independent Use

Company does not:

• sell Customer Data
• use Customer Data for advertising
• use Customer Data for independent profiling or decision-making purposes

3. Scope and Purpose of Processing

3.1 Company processes Customer Data solely as necessary to:

• provide access to the ClearCheck platform
• generate and deliver informational reports based on available data sources
• administer accounts, billing, and support
• ensure system functionality, security, and fraud prevention
• comply with applicable legal obligations

3.2 Company does not process Customer Data to:

• make decisions about individuals
• provide recommendations regarding individuals
• determine eligibility for employment, housing, credit, insurance, or other regulated purposes

4. Customer Responsibilities

Customer is solely responsible for:

• determining the lawful basis for processing personal data
• ensuring that its use of the Service complies with applicable laws
• obtaining any required notices, disclosures, or permissions
• verifying the accuracy and appropriateness of data submitted

Customer shall not use the Service in a manner that violates applicable data protection or consumer protection laws.

Customer agrees not to use the Service for:

• employment decision-making
• tenant screening
• credit eligibility determinations
• insurance underwriting
• or any other purpose regulated under the Fair Credit Reporting Act (FCRA) or similar laws

5. Confidentiality

Company ensures that all personnel authorized to process Customer Data are subject to confidentiality obligations appropriate to the nature of the data and their access.

6. Security Measures

6.1 Company maintains appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

6.2 Security measures are proportionate to the nature of the Service and risk profile and are described at a high level in Exhibit C.

6.3 Security measures are appropriate to the nature of an informational data processing service and associated risk profile.

7. Subprocessors

7.1 Authorization
Customer provides general authorization for Company to engage Subprocessors as necessary to provide the Service.

7.2 List of Subprocessors
Company’s current Subprocessors are listed in Exhibit B.

7.3 Changes
Company may update Subprocessors from time to time and will make updated information available upon request.

7.4 Flow-Down Obligations
Company enters into written agreements with Subprocessors imposing data protection obligations no less protective than those in this DPA.

7.5 Responsibility
Company remains responsible for Subprocessors’ compliance with their processing obligations.

8. Personal Data Breach

8.1 Company will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.

8.2 Company will provide reasonable information and cooperation to assist Customer in meeting any breach notification obligations under applicable law.

8.3 Notification does not constitute an admission of fault or liability.

9. Data Subject Requests

9.1 If Company receives a request from a data subject relating to Customer Data, Company will, where legally permitted, refer the request to Customer.

9.2 Company will provide reasonable assistance to Customer in responding to such requests where technically feasible and legally permitted.

Company does not independently respond to data subject requests regarding Customer Data except as instructed by Customer or required by applicable law.

10. Retention and Deletion

10.1 Company retains Customer Data only for the period necessary to:

• provide and operate the Service
• maintain system security and integrity
• comply with legal, regulatory, and accounting obligations

10.2 Upon termination of the Agreement, Company will delete or return Customer Data upon Customer’s written request, unless retention is required by applicable law or necessary for legitimate operational purposes (including security, fraud prevention, or backup systems).

10.3 Customer acknowledges that certain data may persist in backup systems for a limited period consistent with standard data retention practices.

11. Audits

11.1 Upon reasonable written request, Company will provide information reasonably necessary to demonstrate compliance with this DPA, including summaries of security measures.

11.2 Any audit rights shall be exercised:

• no more than once per 12-month period
• with at least 30 days’ prior written notice
• during normal business hours
• in a manner that does not disrupt Company operations

11.3 Company may satisfy audit obligations by providing third-party certifications, reports, or independent assessments where available.

11.4 All audits are subject to confidentiality obligations and reasonable security restrictions.

12. US State Privacy (CCPA / CPRA)

To the extent applicable:

12.1 Company acts as a Service Provider / Contractor with respect to Customer Data.

12.2 Company will not:

• sell or share Customer Data
• retain, use, or disclose Customer Data for any purpose other than providing the Service
• combine Customer Data with data obtained from other sources except as necessary to operate the Service

12.3 Company certifies that it understands and will comply with the restrictions applicable to Service Providers under U.S. state privacy laws.

12.4 Company processes Customer Data solely to provide informational outputs and does not process Customer Data to make decisions about individuals or determine eligibility for employment, housing, credit, insurance, or other regulated purposes.

13. International Transfers

Customer acknowledges that Customer Data may be processed in the European Union and other jurisdictions where Company or its subprocessors operate.

Where required by applicable Data Protection Laws, Company will implement appropriate safeguards, including contractual protections such as Standard Contractual Clauses.

14. Order of Precedence

In the event of a conflict between:

• any applicable data transfer mechanism
• this DPA
• the Agreement

the order of precedence shall apply in the sequence listed above, unless otherwise required by applicable law.

15. Contact

Privacy Contact: [email protected]
Company: CLEARCHECK LTD

Exhibit A — Processing Details

Service: ClearCheck informational data platform.

Nature of Processing:

Collection, storage, organization, and analysis of Customer-provided data and data obtained from public and third-party sources in order to generate informational reports.

Purpose:

Provision of informational reports and related platform functionality, including account management, billing, support, and security.

Processing does not include:

• making decisions about individuals
• determining eligibility for employment, housing, credit, insurance, or other regulated purposes

Categories of Data Subjects:

• Individuals whose information is submitted by Customer
• Authorized users of the Service

Categories of Personal Data:

• Name
• Phone number
• Email address
• Address information (if available)
• Public record data
• Report output data
• Technical and usage data

Special Categories:

Customer is solely responsible for ensuring that any sensitive personal data submitted is lawful and appropriate.

Exhibit B — Subprocessors

Company may engage subprocessors to support operation of the Service, including hosting, payments, communications, and infrastructure providers.

All subprocessors are subject to contractual obligations consistent with this DPA.

Exhibit C — Security Measures (High-Level)

Company implements appropriate technical and organizational measures, including:

• role-based access controls
• encrypted data transmission
• secure hosting infrastructure
• monitoring and logging of system activity
• backup and recovery procedures
• internal access restrictions and change management

These measures are designed to protect personal data against unauthorized access, loss, misuse, or alteration.