Data Processing Addendum
Cap Orbit processing commitments for Customer Content.
This Data Processing Addendum (this "DPA") is entered into by and between Cap Orbit, Inc., a Delaware corporation ("Cap Orbit", "we", "us", or "our"), and the Customer identified in the applicable Order ("Customer", "you", or "your"), and forms part of the Cap Orbit Terms of Service between the parties (the "Terms"). This DPA is incorporated into and governed by the Terms. It applies to Cap Orbit's Processing of Customer Content and Personal Information in connection with the Service. Capitalized terms used but not defined in this DPA have the meanings given in the Terms.
This DPA is drafted exclusively under United States federal and state law. All Customers are United States-based businesses, and all Processing under this DPA occurs in the United States. The exclusion of non-United States data protection regimes is addressed in Section 14.4.
Effective Date: June 18, 2026, or the effective date of the Terms if earlier.
1. Definitions
1.1 Incorporated definitions. The following defined terms from the Terms apply in this DPA with the same meaning:
- "Service" means the Cap Orbit platform, including the AI terminal, the deal workflows, related applications and any APIs, and the Documentation.
- "Customer Content" means all data, documents, files, Inputs, and Outputs that the Customer or its Authorized Users upload to, submit to, or generate in the Service.
- "Input" means prompts, instructions, files, and other data submitted to the Service by the Customer or an Authorized User.
- "Output" means the responses, models, memos, documents, and other materials the Service generates in response to Input.
- "Authorized User" means an individual the Customer permits to access the Service under a seat.
- "Usage Data" means metadata about use of the Service (for example model identifiers, token counts, request duration, timestamps, and feature interactions), excluding Customer Content.
- "Subprocessor" means a third party Cap Orbit engages to Process Customer Content in providing the Service.
- "Order" or "Order Form" means the ordering document or online subscription that specifies the plan, seats, and fees.
- "Documentation" means Cap Orbit's published user and technical documentation for the Service.
1.2 Additional definitions. For purposes of this DPA:
(a) "Applicable Privacy Laws" means the United States state privacy and data protection laws applicable to the Processing of Personal Information under this DPA, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act and its implementing regulations (collectively, the "CCPA"), and comparable comprehensive US state privacy laws in effect during the term (collectively, the "State Privacy Laws"), in each case as and to the extent they apply to the relevant Processing.
(b) "Personal Information" means information that identifies, relates to, or could reasonably be linked to a particular individual, as defined by Applicable Privacy Laws. References in this DPA to Personal Information include "personal data" as that term is used in the State Privacy Laws. Personal Information that is part of Customer Content is referred to as Customer Personal Information.
(c) "Business" and "Controller" mean the Customer in its capacity as the entity that determines the purposes and means of the Processing of Customer Personal Information. "Business" has the meaning given in the CCPA; "Controller" has the meaning given in the State Privacy Laws.
(d) "Service Provider" and "Processor" mean Cap Orbit in its capacity as the entity that Processes Customer Personal Information on behalf of, and on the documented instructions of, the Customer. "Service Provider" has the meaning given in the CCPA (Cal. Civ. Code section 1798.140(ag)); to the extent Cap Orbit acts as a "contractor" under the CCPA, that term has the meaning given in Cal. Civ. Code section 1798.140(j). "Processor" has the meaning given in the State Privacy Laws (for example, Va. Code section 59.1-578; Colo. Rev. Stat. section 6-1-1305; Conn. Gen. Stat. section 42-520; Tex. Bus. and Com. Code section 541.104; Utah Code section 13-61-301; Or. Rev. Stat. section 646A.578; Mont. Code Ann. title 30, chapter 14, part 28, and the parallel statutes of the other States).
(e) "Consumer" means a natural person who is a resident of a State whose Applicable Privacy Law applies, acting in an individual or household capacity, and, for California, including a natural person acting in a business-to-business or employment context to the extent the CCPA so provides.
(f) "Process" or "Processing" means any operation performed on Personal Information, whether or not by automated means, including collection, use, storage, disclosure, analysis, retention, organization, structuring, transmission, deletion, or otherwise handling Personal Information, as those terms are used in Applicable Privacy Laws.
(g) "Sell" or "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating Personal Information to a third party for monetary or other valuable consideration, as defined in the CCPA and, where applicable, the State Privacy Laws.
(h) "Share" or "Sharing" means disclosing or making available Personal Information to a third party for cross-context behavioral advertising, as defined in the CCPA. References to "Sharing" include "targeted advertising" as that term is used in the State Privacy Laws.
(i) "Deidentified Data" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, and that is processed and maintained in accordance with the deidentification requirements of Applicable Privacy Laws (for example Cal. Civ. Code sections 1798.140(m) and 1798.145(a)).
(j) "Security Incident" means a breach of Cap Orbit's security leading to the unauthorized acquisition, access, use, or disclosure of Customer Personal Information in Cap Orbit's possession or control. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Information, including pings, port scans, denial of service attacks, or other unsuccessful events.
1.3 Interpretation. Where an obligation in this DPA is required only by a specific Applicable Privacy Law, that obligation applies only to the extent that law applies to the relevant Processing. Obligations expressly limited by their terms (for example, audit-cooperation obligations that do not apply in States such as Utah and Iowa, which do not require controller assessments) apply only where the corresponding statutory trigger exists. This construction is intended to avoid creating obligations that no Applicable Privacy Law requires.
2. Roles and Scope of Processing
2.1 Roles. As between the parties and with respect to Customer Personal Information, the Customer is the Business and Controller, and Cap Orbit is the Service Provider and Processor. In the Enterprise (Bring Your Own Cloud) deployment model, Cap Orbit's role as Service Provider and Processor is limited to the data it actually Processes (account and identity metadata, billing data, Usage Data, and any transient operational Processing), while the Customer operates the infrastructure that Processes Customer Content, as described in Section 13.4. Each party will comply with its own obligations under Applicable Privacy Laws.
2.2 Scope and instructions. Cap Orbit will Process Customer Content, including Customer Personal Information, only as a Service Provider and Processor, for the limited and specified business purpose of providing, securing, supporting, maintaining, and operating the Service for the Customer, and only on the documented instructions of the Customer. The Terms, this DPA, the applicable Order, the Customer's and its Authorized Users' use and configuration of the Service, and any further written instructions agreed by the parties together constitute the Customer's complete and final documented instructions to Cap Orbit for the Processing of Customer Content. Cap Orbit will not Process Customer Content for any purpose that is not a specified business purpose under this DPA. The details of the Processing required by the State Privacy Laws (instructions, nature and purpose, types of Personal Information, duration, and the rights and obligations of the parties) are set out in Annex 1.
2.3 Lawfulness of instructions. Cap Orbit will Process Customer Content in accordance with Applicable Privacy Laws applicable to its role as a Service Provider and Processor. Cap Orbit is not responsible for determining whether the Customer's instructions, or the Customer's collection or use of Customer Content, comply with laws applicable to the Customer as a Business or Controller. If Cap Orbit believes an instruction violates Applicable Privacy Laws, it will inform the Customer.
2.4 No service provider relationship for the Customer's own controller activities. This DPA does not make Cap Orbit a Business or Controller with respect to Customer Content. Cap Orbit's separate handling of account and identity metadata, billing data, and Usage Data as a Business or Controller for its own operational, security, billing, metering, and product-improvement purposes is described in the Cap Orbit Privacy Policy, including Cap Orbit's disclosures to service providers and its practices regarding Sales and Sharing for targeted advertising. That handling is not subject to the Service-Provider and Processor restrictions in Section 3, except that Usage Data and such metadata never include Customer Content.
3. Service-Provider and Processor Obligations and Restrictions
3.1 Core restrictions. With respect to Customer Personal Information, Cap Orbit will not:
(a) Sell or Share the Customer Personal Information;
(b) retain, use, or disclose the Customer Personal Information for any purpose other than the business purpose of providing the Service specified in this DPA and the Order, or as otherwise permitted by Applicable Privacy Laws, including any purpose that would constitute a commercial purpose other than the specified business purposes;
(c) retain, use, or disclose the Customer Personal Information outside the direct business relationship between Cap Orbit and the Customer; or
(d) combine the Customer Personal Information that Cap Orbit receives from, or on behalf of, the Customer with Personal Information that Cap Orbit receives from, or on behalf of, any other person, or that Cap Orbit collects from its own interaction with any Consumer, except as expressly permitted by Applicable Privacy Laws to perform a specified business purpose (for example, as permitted by Cal. Code Regs. tit. 11, section 7050(c)).
3.2 Certification. Cap Orbit certifies that it understands the restrictions set out in Section 3.1 and will comply with them. This certification is provided to satisfy the contractor certification requirement of the CCPA (Cal. Civ. Code sections 1798.140(j) and 1798.100(d), and Cal. Code Regs. tit. 11, section 7051) and the corresponding service-provider and contractor requirements of the CCPA.
3.3 Same level of privacy protection. Cap Orbit will comply with the obligations applicable to it under Applicable Privacy Laws and will provide the same level of privacy protection for Customer Personal Information as Applicable Privacy Laws require of the Customer as a Business and Controller, in each case with respect to the Processing Cap Orbit performs.
3.4 Customer right to monitor; stop and remediate. The Customer may take reasonable and appropriate steps to ensure that Cap Orbit uses Customer Personal Information in a manner consistent with the Customer's obligations under Applicable Privacy Laws, as further described in Section 12. On reasonable written notice from the Customer, Cap Orbit will take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Information.
3.5 Notice of inability to comply. Cap Orbit will notify the Customer in writing if Cap Orbit determines that it can no longer meet its obligations under Applicable Privacy Laws as a Service Provider or Processor with respect to Customer Personal Information. On such notice, the Customer may direct Cap Orbit to stop the affected Processing or to take other reasonable and appropriate steps to remediate the unauthorized use of Customer Personal Information.
3.6 Confidentiality. Cap Orbit will ensure that personnel authorized to Process Customer Personal Information are subject to a duty of confidentiality, whether by written agreement, professional obligation, or statutory duty.
3.7 Permitted retention and use. Notwithstanding Section 3.1, Cap Orbit may retain, use, and disclose Customer Personal Information as expressly permitted by Applicable Privacy Laws, including to comply with applicable law, legal process, or a governmental request, provided that Cap Orbit limits any such retention, use, or disclosure to what the relevant law or process requires.
4. Customer Content and AI Training
4.1 No model training by default. Cap Orbit does not use Customer Content, Inputs, or Outputs to train, fine-tune, retrain, or otherwise develop or improve any artificial intelligence model or machine-learning model, whether Cap Orbit's own model or any third party's model, unless the Customer expressly opts in or gives written instructions for that use in an Order or other written or electronic agreement. If the Customer opts in, that opt-in is a documented instruction under this DPA and will describe the scope of the permitted use, the categories of data covered, and any available revocation mechanism.
4.2 Permitted operational use. Cap Orbit may Process Customer Content as necessary to provide, secure, support, troubleshoot, maintain, protect, and operate the Service for the Customer, to enforce the Agreement and Acceptable Use Policy, to prevent abuse or security threats, and as otherwise permitted by this DPA and applicable law. Cap Orbit collects and uses Usage Data, which is metadata only and contains no Customer Content, to operate, secure, meter, troubleshoot, bill for, support, analyze, and improve the Service. These operational uses are not model training.
4.3 AI inference path through Amazon Bedrock. AI inference for the Service runs inside Amazon Bedrock, operated by Amazon Web Services. Customer Content used for inference is sent to and processed by Amazon Bedrock and is not provided to Anthropic or any other model provider as a separate processor. As of the date of this DPA, Amazon Web Services publicly commits that neither it nor the third-party model providers use inputs to or outputs from Amazon Bedrock to train any models, that Amazon Bedrock does not share Customer data with model providers, and that user inputs and model outputs are not made available to model providers, supported architecturally by Amazon Bedrock's use of a Model Deployment Account, owned and operated by the Amazon Bedrock service team, to which model providers do not have access. The specific Amazon Web Services statements and source references that evidence this inference path are reproduced, for reference and without contractual effect, in Annex 4.
4.4 Nature of the Bedrock commitments. The statements reproduced in Annex 4 are service-level commitments of Amazon Web Services with respect to Amazon Bedrock. They describe the conduct of Amazon Web Services and the model providers and are reproduced to evidence the inference path; they are not representations or warranties of Cap Orbit beyond Cap Orbit's own commitment in Section 4.1. Cap Orbit's no-training commitment in Section 4.1 applies independently to Cap Orbit's own handling of Customer Content.
5. Customer Obligations
5.1 Controller responsibilities. As the Business and Controller, the Customer is responsible for the lawfulness of its collection and use of Customer Content and for its own compliance with Applicable Privacy Laws and any other laws applicable to it. The Customer determines the purposes and means of the Processing it instructs.
5.2 Rights, notices, and consents. The Customer represents and warrants that it has provided all notices, obtained all rights, permissions, and consents, and has a lawful basis necessary for Cap Orbit to Process Customer Content as contemplated by the Terms and this DPA, including with respect to Personal Information of third parties contained in Customer Content (for example, borrowers, guarantors, tenants, principals, and other individuals). The Customer will not submit Customer Content that it lacks the right to submit or to have Processed by the Service.
5.3 Sensitive and regulated data. Customer Content routinely includes personal and sensitive financial information about third parties. The Customer is the Business and Controller for that information and is solely responsible for its own regulatory obligations with respect to it, including, where applicable, the Gramm-Leach-Bliley Act and implementing regulations, applicable state financial-privacy laws, and any obligation to obtain opt-in consent before Processing categories of "sensitive data" under State Privacy Laws. To the extent the Customer's instructions require Cap Orbit to Process sensitive data or data subject to consent, Cap Orbit will Process such data only on the Customer's documented instructions and within the scope of any applicable consent the Customer has obtained. The Customer acknowledges that a substantial portion of Customer Content (for example, borrower and guarantor financials, tax returns, and personal financial statements) may constitute nonpublic personal information regulated by the Gramm-Leach-Bliley Act, that such information may be exempt from the CCPA and certain State Privacy Laws while remaining governed by the Gramm-Leach-Bliley Act, and that compliance with the Gramm-Leach-Bliley Act for such information is the Customer's responsibility. The technical and organizational measures described in Annex 2 are designed to support the Customer's oversight of Cap Orbit as a service provider under the Gramm-Leach-Bliley Act Safeguards Rule.
5.4 Consumer requests directed to the Customer. The Customer is responsible for responding to requests from its Consumers to exercise their rights under Applicable Privacy Laws. Cap Orbit will assist the Customer as described in Section 7.
5.5 Indemnity. The Customer's obligations to indemnify Cap Orbit with respect to its Inputs, its Customer Content, and its use of and decisions based on Outputs are set out in the Terms and apply to claims arising from the Customer's breach of this Section 5.
5.6 Profiling and automated decision-making. The Service assists the Customer in evaluating transactions and the individuals associated with them (for example, borrowers, guarantors, and principals). As between the parties, the Customer is the Business and Controller for any profiling or automated decision-making carried out in connection with its use of the Service and the Outputs, and is solely responsible for the resulting obligations under Applicable Privacy Laws (including any profiling opt-out rights, automated-decision-making requirements, and any required notices or assessments). Cap Orbit does not itself make decisions about Consumers using Customer Content. Consistent with the mandatory Output-review requirements of the Terms, the Customer will have qualified professionals independently review and verify all Outputs before relying on them, and no Output constitutes an automated decision made by Cap Orbit.
6. Subprocessors
6.1 Authorization. The Customer generally authorizes Cap Orbit to engage Subprocessors to Process Customer Content in providing the Service. The current Subprocessors and related service providers are identified in the Cap Orbit Subprocessor List. For the Cap Orbit-hosted (Pro) deployment model, Amazon Web Services is the Subprocessor that hosts and Processes Customer Content, including AI model inference through Amazon Bedrock in a United States region. Cap Orbit also uses service providers for identity, authentication, billing, metering, and public-website hosting, including WorkOS, Stripe, Metronome, and Vercel, as described in the Subprocessor List and Privacy Policy. Those service providers do not Process Customer Content except where the Subprocessor List expressly says otherwise. For the Enterprise (BYOC) deployment model, Amazon Web Services is the Customer's own account and is not a Cap Orbit Subprocessor for Customer Content; identity, billing, and metering service providers continue to apply as described in the Subprocessor List and Privacy Policy.
6.2 Anthropic is not a Subprocessor. The Claude models used by the Service are accessed exclusively through Amazon Bedrock. Anthropic is not a Subprocessor and does not receive Customer Content as a separate processor. Amazon Web Services, through Amazon Bedrock, is the contractual boundary for AI inference.
6.3 Flow-down. Cap Orbit will engage each Subprocessor under a written contract that requires the Subprocessor to meet obligations with respect to Customer Personal Information that are substantially equivalent to, and no less protective than, the applicable obligations in this DPA, including that the Subprocessor itself qualify as a service provider, contractor, or processor where Applicable Privacy Laws so require.
6.4 Notice of changes and opportunity to object. Cap Orbit will maintain the Subprocessor List and will provide a mechanism for the Customer to be notified of any intended addition or replacement of a Subprocessor that Processes Customer Content. Cap Orbit will provide at least ten (10) business days' advance notice before a new Subprocessor begins Processing Customer Content in the hosted (Pro) Service. The Customer may object to a new Subprocessor on reasonable, good-faith grounds relating to data protection by notifying Cap Orbit within ten (10) business days after notice. The parties will work in good faith to resolve the objection; if they cannot, the Customer's remedy is to cease using the affected feature or to terminate the affected portion of the Service as provided in the Terms.
6.5 Responsibility for Subprocessors. Cap Orbit remains responsible for the performance of each Subprocessor's obligations to the same extent Cap Orbit would be responsible if it performed the Processing directly, with respect to the Processing the Subprocessor performs on Customer Content.
7. Assistance with Consumer Rights Requests
7.1 Assistance. Taking into account the nature of the Processing and the information available to Cap Orbit, Cap Orbit will provide reasonable assistance to enable the Customer to respond to verified requests from Consumers to exercise their rights under Applicable Privacy Laws, including rights to know or access, to delete, to correct, to obtain a portable copy, and to opt out of Sale, Sharing, or targeted advertising. Because Cap Orbit does not Sell Customer Personal Information, Share it for cross-context behavioral advertising, use it for targeted advertising, or engage in profiling of Consumers for its own purposes, no opt-out action by Cap Orbit is required for those rights. This Section addresses Cap Orbit's own Processing only and does not characterize any profiling or automated decision-making that the Customer may perform using the Service or the Outputs, which is addressed in Section 5.6.
7.2 Pass-through of deletion and correction directions. On the Customer's documented instruction, Cap Orbit will delete, correct, or provide access to Customer Personal Information as necessary for the Customer to comply with a verified Consumer request, and will forward the relevant direction to any Subprocessor that Processes the affected Customer Personal Information. The Customer is responsible for verifying the identity of the requesting Consumer.
7.3 Requests received by Cap Orbit. If Cap Orbit receives a request directly from a Consumer relating to Customer Content, Cap Orbit will, to the extent legally permitted, promptly inform the Customer and will not respond to the request other than to direct the Consumer to the Customer, unless otherwise required by law or instructed by the Customer.
8. Security
8.1 Security program. Cap Orbit will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Content against a Security Incident, appropriate to the nature of the Customer Content, consistent with Applicable Privacy Laws (including Cal. Civ. Code section 1798.81.5). A summary of these measures is set out in Annex 2.
8.2 Architecture. The security measures include the following, as further described in the Documentation and Annex 2:
(a) Per-tenant isolation. Each Customer organization is provisioned with its own database, its own object storage, and its own execution roles. Customer Content is not pooled or commingled across Customers.
(b) Brokered, non-standing access. The application does not hold direct standing credentials to tenant data. Each request mints a short-lived, scoped access token (approximately fifteen minutes) through a broker that re-verifies the requesting user's identity before issuing the token, after which the token expires. No long-lived keys sit in the data path.
(c) Identity. Sign-in runs through WorkOS AuthKit; single sign-on with the Customer's identity provider, including SAML-based single sign-on, is supported where the Customer configures it. Every service re-verifies the session on each call. There is no shared internal API key in the data path.
(d) Encryption. Customer Content is encrypted in transit using TLS or HTTPS and at rest using server-side encryption with AWS-managed keys and AWS Key Management Service. Storage access uses SigV4-signed requests and time-limited signed URLs (approximately fifteen minutes).
(e) Network controls. A web application firewall with rate limiting sits in front of the user-facing surface.
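The pattern described in Section 8.2(a), (b) and (d), as an added illustration that is not Cap Orbit's code: a broker that re-verifies the caller's session on every request, refuses to issue tokens across tenant boundaries, and mints an HMAC-signed token that expires after fifteen minutes, with a resource layer that admits only a valid, in-tenant, correctly scoped token. The session table, token format, and all names are assumptions for the example.

```python
"""Hypothetical broker for short-lived, tenant-scoped access tokens.

Illustrates the "brokered, non-standing access" pattern: the application holds
no standing credentials; each request asks a broker, which re-verifies the
caller's session, for a token scoped to one tenant and one action and valid for
about fifteen minutes. Not Cap Orbit code; the session store, the HMAC token
format, and the helper names are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

TOKEN_TTL_SECONDS = 15 * 60  # the "approximately fifteen minutes" of Section 8.2(b)

# Constructed sample identity state: session id -> user, tenant, active flag.
# A real broker would ask the identity provider instead of a dict.
SESSIONS = {
    "sess-alice": {"user": "alice@acme.example", "tenant": "acme", "active": True},
    "sess-bob": {"user": "bob@globex.example", "tenant": "globex", "active": True},
}


class AccessDenied(Exception):
    """Raised whenever the broker or the resource layer refuses a request."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenBroker:
    """Mints per-request tokens after re-verifying the session; holds the only key."""

    def __init__(self, signing_key: bytes, sessions: dict = SESSIONS):
        self._key = signing_key
        self._sessions = sessions

    def mint(self, session_id: str, tenant: str, scope: str, now: float = None) -> str:
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        # Identity is re-verified on every call; a revoked session gets nothing.
        if session is None or not session["active"]:
            raise AccessDenied("session is not active")
        # Per-tenant isolation: tokens are issued only for the session's own tenant.
        if session["tenant"] != tenant:
            raise AccessDenied("session does not belong to the requested tenant")
        claims = {"sub": session["user"], "tenant": tenant, "scope": scope,
                  "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def verify(self, token: str, now: float = None) -> dict:
        """Check signature and expiry; return the claims or raise AccessDenied."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            provided = _unb64(sig)
            claims = json.loads(_unb64(body))
        except ValueError:  # malformed token, bad base64, or bad JSON
            raise AccessDenied("malformed token")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided):
            raise AccessDenied("bad signature")
        if now >= claims["exp"]:
            raise AccessDenied("token expired")
        return claims


def read_tenant_object(broker: TokenBroker, token: str, tenant: str, key: str,
                       now: float = None) -> str:
    """Resource layer: admit the request only if the token is valid, belongs to
    this tenant, and carries the read scope. Returns the object key it would fetch."""
    claims = broker.verify(token, now)
    if claims["tenant"] != tenant:
        raise AccessDenied("token is scoped to a different tenant")
    if "read" not in claims["scope"].split():
        raise AccessDenied("token lacks read scope")
    return f"{tenant}/{key}"


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with AccessDenied; used to check the negative paths."""
    try:
        fn(*args, **kwargs)
    except AccessDenied:
        return True
    return False
```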
8.3 Customer responsibilities. The Customer is responsible for maintaining the security of its identity provider, its Authorized User accounts and credentials, its seat assignments and permissions, and, in the Enterprise (BYOC) deployment model, its own cloud account and the security controls described in Section 13.
9. Security Incident Notification
9.1 Notice. Cap Orbit will notify the Customer without undue delay, and in any event no later than seventy-two (72) hours after Cap Orbit confirms a Security Incident affecting Customer Personal Information in Cap Orbit's possession or control. The notice will include, to the extent then known and as it becomes available, a description of the nature of the Security Incident, the categories of Customer Personal Information affected, the measures taken or proposed to address it, and a contact point for further information.
9.2 Cooperation. Cap Orbit will take reasonable steps to investigate, mitigate, and remediate the Security Incident and will provide the Customer with reasonable cooperation and information in the Customer's possession that the Customer reasonably requires to meet the Customer's own obligations under Applicable Privacy Laws and applicable breach-notification laws.
9.3 No admission. Cap Orbit's notice of, or response to, a Security Incident is not an acknowledgment of fault or liability.
9.4 Enterprise (BYOC) model and controller-held data. Where Customer Content resides in the Customer's own cloud account under the Enterprise model, the Customer controls the relevant logs, monitoring, and access paths, and is responsible for detecting and responding to security events affecting Customer Content in that account, as described in Section 13. Cap Orbit's processor notice duty under Sections 9.1 and 9.2 applies to Security Incidents affecting Customer Personal Information in Cap Orbit's possession or control. In addition, if a security breach affects Personal Information that Cap Orbit holds as a Business or Controller (such as account and identity metadata, billing data, and Usage Data to the extent it contains Personal Information), Cap Orbit will notify the Customer of that breach consistent with Cap Orbit's own obligations under Applicable Privacy Laws and applicable breach-notification laws, even though that Personal Information is not Customer Personal Information.
10. Deletion and Return
10.1 On termination or request. On expiration or termination of the Terms, or on the Customer's earlier written request, Cap Orbit will delete or, at the Customer's election where technically feasible, return the Customer Content in Cap Orbit's possession or control, within sixty (60) days, unless the Customer instructs otherwise or applicable law requires retention.
10.2 In-service deletion behavior. During the term, deleted files move to a trash area retained for thirty (30) days and are then purged. Deals and chat sessions may be soft-archived and are retained until hard-deleted. Usage Data is retained for audit and billing purposes and does not contain Customer Content. There is no automated self-service bulk erasure across all data; deletion requests beyond the in-service controls are handled operationally on the Customer's instruction.
10.3 Backups and legal retention. Cap Orbit may retain Customer Content to the extent required by applicable law and in routine backup or archival systems, in which case the obligations of this DPA continue to apply to the retained Customer Content, which will be deleted in the ordinary course of Cap Orbit's backup cycling and will not be used for any purpose other than the retention basis.
10.4 Enterprise (BYOC) model. Where Customer Content resides in the Customer's own cloud account, the Customer controls its own retention and deletion directly, and Cap Orbit's deletion and return obligations under this Section apply only to the data Cap Orbit actually holds (for example, account and identity metadata, billing data, and Usage Data to the extent it contains Personal Information).
11. Deidentified Data
11.1 Deidentification commitments. If Cap Orbit creates Deidentified Data from Customer Content, Cap Orbit will: (a) take reasonable measures to ensure the information cannot be associated with a particular individual; (b) publicly commit to maintain and use the information only in deidentified form and not to attempt to reidentify it; and (c) contractually obligate any recipient of the Deidentified Data to comply with the same restrictions, in each case consistent with Applicable Privacy Laws (for example Cal. Civ. Code section 1798.140(m)). Cap Orbit will not attempt to reidentify any Deidentified Data, except as Applicable Privacy Laws permit solely to test that the deidentification was effective.
11.2 No conflict with no-training-by-default commitment. This Section does not authorize any use of Customer Content, in deidentified form or otherwise, to train, fine-tune, or improve any AI or machine-learning model except pursuant to the Customer's express opt-in or documented instruction under Section 4.
12. Audits and Assessments
12.1 Demonstrating compliance. On the Customer's reasonable written request, and no more than once in any twelve (12) month period absent a Security Incident or a legal or regulatory requirement, Cap Orbit will make available to the Customer information in Cap Orbit's possession that is reasonably necessary to demonstrate Cap Orbit's compliance with this DPA and Applicable Privacy Laws with respect to its Processing of Customer Personal Information.
12.2 Form of assistance. Cap Orbit will satisfy its obligations under this Section primarily by responding to a reasonable security and privacy questionnaire and by providing relevant policies, summaries of its technical and organizational measures, and any third-party audit reports or certifications (for example a SOC report) where available, rather than by open-ended on-site audits. Where a State Privacy Law that applies to the relevant Processing requires it, Cap Orbit will allow and reasonably cooperate with a reasonable assessment by the Customer, or will arrange for a qualified and independent assessor to assess Cap Orbit's policies and technical and organizational measures and make a report available to the Customer on request.
12.3 Limits. Any assessment will be conducted on reasonable advance notice, during business hours, subject to Cap Orbit's confidentiality and security requirements, and in a manner that does not interfere unreasonably with Cap Orbit's operations or compromise the security or Customer Content of any other customer. The obligations in the second sentence of Section 12.2 do not apply where the only Applicable Privacy Law for the relevant Processing is one that does not require controller assessments or independent-assessor cooperation (for example, the laws of Utah and Iowa), in which case the confidentiality, deletion and return, demonstrate-compliance, and Subprocessor flow-down duties of this DPA continue to apply.
13. Deployment Models
13.1 Two models. The Service is offered in two deployment models. The model that applies to the Customer is specified in the Order.
13.2 Cap Orbit-hosted (Pro). In the per-seat, Cap Orbit-hosted model, Customer Content is hosted and Processed in Cap Orbit-operated Amazon Web Services infrastructure in a United States region (us-east-1). In this model Cap Orbit acts as a Service Provider and Processor that holds and Processes Customer Content, the Subprocessor and service-provider arrangements described for the hosted model in Section 6.1 apply, and the full set of Service-Provider and Processor obligations in this DPA applies to Cap Orbit.
13.3 Enterprise (Bring Your Own Cloud). In the Enterprise model, the Service is deployed into infrastructure that the Customer owns (the Customer's own Amazon Web Services account, in the Customer's region). Customer Content stays in the Customer's cloud. Cap Orbit does not hold credentials that can write into the Customer's account, cross-account access is trigger-only, and Cap Orbit does not take possession of Customer Content. In this model the Customer controls its own storage, retention, deletion, encryption keys, audit logs, access paths, and access revocation, and the Customer's security team can audit every resource, log, and access path with its own tools and revoke access at any time.
13.4 Allocation of obligations in the Enterprise model. Because Cap Orbit does not hold or take possession of Customer Content in the Enterprise model, the obligations in this DPA that depend on Cap Orbit holding or Processing Customer Content (including the security, Security-Incident-notification, deletion and return, and audit obligations as they relate to Customer Content) are performed by the Customer with respect to Customer Content in the Customer's account, and Cap Orbit's corresponding obligations apply only to data Cap Orbit actually Processes or holds (for example, account and identity metadata, billing data, Usage Data, and any transient Processing necessary to operate the Service). The WorkOS, Stripe, and Metronome service-provider arrangements described in Section 6.1 continue to apply for identity and billing in both models. The marketing statement that a Customer's deals never leave its cloud describes the Enterprise model only.
14. General
14.1 Term. This DPA is effective for as long as Cap Orbit Processes Customer Content under the Terms and, with respect to surviving obligations (including deletion and confidentiality), until those obligations are fulfilled.
14.2 Order of precedence. This DPA is incorporated into and forms part of the Terms. In the event of a conflict: (a) the applicable Order controls over the Terms and this DPA as to commercial terms expressly addressed in the Order; (b) this DPA controls over the remainder of the Terms solely as to the Processing of Customer Content and Customer Personal Information; and (c) in all other respects the Terms control. The Acceptable Use Policy and Subprocessor List are referenced where applicable and do not override this DPA as to the Processing of Customer Content. The Privacy Policy is referenced for transparency and does not create instructions to process Customer Content or override this DPA.
14.3 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms, and any reference in this DPA to a liability cap or to disputes, governing law, or venue is governed by the corresponding provisions of the Terms.
14.4 United States only. This DPA addresses only United States federal and state law. It does not incorporate the European Union General Data Protection Regulation, the United Kingdom or Swiss data protection regimes, the Standard Contractual Clauses, or any cross-border or international data transfer mechanism, and the parties agree that none applies to the Processing under this DPA.
14.5 Changes in law. If a change in Applicable Privacy Laws, or in the official guidance or regulations under them, materially affects either party's ability to comply with this DPA, the parties will negotiate in good faith to amend this DPA as reasonably necessary to address the change.
14.6 Notices. Notices under this DPA are given as provided in the Terms. Legal notices to Cap Orbit may be sent to legal@cap-orbit.com and at 1111B South Governors Avenue, Suite 40882, Dover, DE 19904. Privacy requests may be sent to privacy@cap-orbit.com.
14.7 No third-party beneficiaries. This DPA does not confer any rights or remedies on any person other than the parties, except as expressly provided by Applicable Privacy Laws.
Annex 1: Details of Processing
This Annex sets out the details of Processing required by the State Privacy Laws.
- Nature and purpose of Processing. Cap Orbit Processes Customer Content to provide, secure, support, maintain, and operate the Service for the Customer. This includes ingesting and auto-classifying uploaded deal documents into a commercial real estate taxonomy; extracting data such as rent rolls and trailing-twelve-month statements; building underwriting models (spreadsheets); drafting screening, investment-committee, and credit memos and offering memoranda; building presentation decks; assembling PDFs; tracking asset-management performance against the original underwriting; producing portfolio exposure reports; generating session recaps; and storing, transmitting, and deleting Customer Content. AI inference occurs through Amazon Bedrock as described in Section 4.
- Processing instructions. Cap Orbit Processes Customer Content only on the Customer's documented instructions, which consist of the Terms, this DPA, the Order, and the Customer's and its Authorized Users' use and configuration of the Service, together with any further written instructions agreed by the parties.
- Types of Personal Information. Customer Content may contain Personal Information about the Customer's Authorized Users and about third parties, including borrowers, guarantors, tenants, principals, and other individuals identified in uploaded deal documents (for example, rent rolls, operating statements, trailing-twelve-month statements, budgets, borrower and guarantor financials, tax returns, personal financial statements, schedules of real estate owned, leases, estoppels, appraisals, environmental and engineering reports, title and insurance documents, purchase agreements, loan and closing documents, market studies and comps, and photos and plans), and may include sensitive financial information. Account and identity metadata Processed by Cap Orbit consists of an opaque identity-provider user identifier, the organization identifier, and a permissions list; names and email addresses are held by the identity provider and are not stored in Cap Orbit's primary application databases, though Cap Orbit may access them through the identity provider for the operational purposes described in the Privacy Policy.
- Categories of Consumers / data subjects. The Customer's Authorized Users and the third-party individuals whose information appears in Customer Content.
- Duration of Processing. For the term of the applicable subscription, plus the period required to delete or return Customer Content under Section 10 and any legally required retention period.
- Rights and obligations of the parties. As set out in this DPA and the Terms.
Annex 2: Security Measures
Cap Orbit maintains reasonable and appropriate technical and organizational measures, including the following, with respect to Customer Content it holds or Processes:
- Tenant isolation. Per-tenant hard isolation: each Customer organization receives its own database, its own object storage, and its own execution roles. No Customer Content is pooled across Customers.
- Access control. Brokered, non-standing access: the application holds no direct standing credentials to tenant data. Each request mints a short-lived, scoped access token (approximately fifteen minutes) through a broker that re-verifies the requesting user's identity before issuing the token, after which the token expires. No long-lived keys sit in the data path.
- Authentication and identity. Sign-in runs through WorkOS AuthKit; single sign-on with the Customer's identity provider, including SAML-based single sign-on, is supported where the Customer configures it. Every service re-verifies the session on each call. There is no shared internal API key in the data path. The browser session is an encrypted, HttpOnly functional session cookie issued by the identity provider.
- Encryption. Encryption in transit (TLS or HTTPS) and at rest (server-side encryption with AWS-managed keys and AWS Key Management Service). Storage access uses SigV4-signed requests and time-limited signed URLs (approximately fifteen minutes). In the Enterprise (BYOC) deployment model, the Customer controls its own encryption keys within its own account, consistent with Section 13.3.
- Network protection. A web application firewall with rate limiting in front of the user-facing surface.
- Auditability (Enterprise / BYOC). Because resources reside in the Customer's own account, the Customer's security team can audit every resource, log, and access path with its own tools and can revoke access at any time.
- Confidentiality. Personnel authorized to Process Customer Content are bound by a duty of confidentiality.
These measures may evolve as the Service develops, provided that Cap Orbit will not materially diminish the overall level of protection during the term.
Annex 3: Subprocessors
The current list of Subprocessors and related service providers is maintained in the Cap Orbit Subprocessor List. As of the Effective Date, the Subprocessor that Processes Customer Content for the Cap Orbit-hosted (Pro) model is Amazon Web Services (compute, storage, database, content delivery, and AI model inference through Amazon Bedrock; United States region). Cap Orbit also uses WorkOS (identity, authentication, and organization and seat membership), Stripe (payment processing and subscription billing), Metronome (usage metering and billing), and Vercel (hosting of the public marketing website only, with no Customer Content) as service providers as described in the Subprocessor List and Privacy Policy. Anthropic is not a Subprocessor; the Claude models are accessed exclusively through Amazon Bedrock. In the Enterprise (BYOC) model, Amazon Web Services is the Customer's own account and is not a Cap Orbit Subprocessor for Customer Content, while identity, billing, and metering service providers continue to apply.
Annex 4: Amazon Bedrock Reference Statements
This Annex reproduces statements published by Amazon Web Services regarding Amazon Bedrock, as referenced in Section 4.3. It is provided for reference only and has no independent contractual effect. These statements describe the conduct of Amazon Web Services and the third-party model providers and are not representations or warranties of Cap Orbit. The statements are current as of the date of this DPA and may be updated by Amazon Web Services from time to time.
- In response to whether customer inputs to or outputs from Amazon Bedrock are used to train models, Amazon Web Services states: "No, AWS and the third-party model providers will not use any inputs to or outputs from Amazon Bedrock to train Amazon Nova, Amazon Titan, or any third-party models." (Amazon Bedrock FAQs, https://aws.amazon.com/bedrock/faqs/.)
- Amazon Web Services states: "Amazon Bedrock never shares your data with model providers or uses it to train foundation models." (Amazon Bedrock Security, Privacy, and Responsible AI, https://aws.amazon.com/bedrock/security-privacy-responsible-ai/.)
- In response to whether user inputs and model outputs are made available to third-party model providers, Amazon Web Services states: "No. Users' inputs and model outputs are not shared with any model providers." (Amazon Bedrock FAQs, https://aws.amazon.com/bedrock/faqs/.) Amazon Web Services describes this as supported architecturally by Amazon Bedrock's use of a Model Deployment Account owned and operated by the Amazon Bedrock service team, to which model providers do not have access, so that model providers do not have access to customer prompts and completions. (Amazon Bedrock User Guide, Data protection, https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html.)
(c) 2026 Cap Orbit