Data Processing Agreement

v1.1
Effective March 26, 2026
Swyft, Inc.
Texas Corporation

This Data Processing Agreement ("DPA") is published by Swyft, Inc., a Texas corporation ("Swyft"), at swyft.co/legal/dpa and is incorporated by reference into the Master Services Agreement between Swyft and the entity identified as Client in the applicable Order Form ("Client"). By executing the MSA, Client agrees to the terms of this DPA as in effect on the MSA Effective Date. In the event of any conflict between this DPA and the MSA, the terms of this DPA shall control with respect to the processing, management, storage or transfer of Client Data. Capitalized terms not defined herein have the meanings set forth in the MSA.

By signing the MSA, Client enters into this DPA on behalf of itself and in the name and on behalf of its Authorized User(s). For the purpose of this DPA only, and except where indicated otherwise, the term “Client” shall include Client and Authorized User(s).

Swyft may update this DPA from time to time. Swyft will provide at least fourteen (14) days' prior written notice to Client before any material updates take effect. Continued use of the Services after the effective date of any update constitutes Client's acceptance of the updated DPA. The current version is always available at swyft.co/legal/dpa.

01

Definitions
As used in this DPA:

  • "Applicable Privacy Laws" All U.S. federal and state data protection and privacy laws applicable to the processing of Personal Data under this DPA, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and where applicable
  • "Client Data" All data and information uploaded to or processed through the Services by or on behalf of Client, as further defined in the MSA.
  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  • "Data Subject" an individual who is the subject of Personal Information.
  • "Personal Data" (a) any information Swyft processes for Client that identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Swyft’s possession/control or that Swyft is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise defined as protected personal information.
  • "process", "processes" or "processing" Any operation performed on Client Data or Personal Data, including collection, storage, use, transfer, disclosure, deletion, or destruction, whether automated or manual.
  • "Processor" means an entity that processes Personal Data on behalf of the Controller.
  • "Security Incident" As defined in Section 4 of the MSA. Unsuccessful attempts or activities that do not result in unauthorized access to Client Data are excluded.
  • "Subprocessor" means any Processor engaged by Swyft to assist in fulfilling its obligations that involves the processing of Personal Data.
  • "European Data Protection Laws" The EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), as implemented by applicable EU Member State law, to the extent applicable to the processing of Personal Data under this DPA.
  • "Data Subject" An identified or identifiable natural person to whom Personal Data relates, as defined under European Data Protection Laws.
  • "Special Category Data" Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined under Article 9 GDPR.
  • "Restricted Transfer" A transfer of Personal Data from the European Economic Area ("EEA") to a country not recognized by the European Commission as providing an adequate level of data protection.
  • "Standard Contractual Clauses" The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
  • "Supervisory Authority" An independent public authority established under Article 51 GDPR by an EU Member State, responsible for monitoring compliance with European Data Protection Laws.
02

Roles and Classification

2.1 Controller and Processor. For purposes of this DPA and Applicable Privacy Laws, Client is the Controller of, and Swyft is the Processor of, Personal Data included in Client Data. Swyft shall process all Client Data including Personal Data only on behalf of Client and in accordance with Client's documented instructions as set forth in this DPA and the MSA.

2.2 Independent Controller Carve-Out. Notwithstanding Section 2.1, Swyft may act as an independent Controller with respect to Aggregated Usage Data as described in Section 10 of the MSA. Swyft's use of Aggregated Usage Data as an independent Controller is limited to the purposes described in the MSA and shall not include Personal Data in identifiable form.

2.3 Client Responsibilities. Client is solely responsible for its use of the Services and Platform and Client represents and warrants that: (a) it has all necessary rights, consents, and authorizations to upload Client Data to the Services and to instruct Swyft to process such data; (b) its processing instructions to Swyft comply with Applicable Privacy Laws; (c) where European Data Protection Laws apply, Client has a valid lawful basis under the GDPR for each processing activity; (d) Client's use of the Services complies with all applicable professional responsibility rules; and (e) it will comply with the Security obligations set forth in this DPA. Swyft shall not be liable for any claim arising from Client's failure to comply with this Section 2.3, the DPA, the MSA or any other Schedules.

2.4 Authorized Users. By signing the MSA, Client enters into this DPA on behalf of itself and in the name and on behalf of its Authorized User(s). For the purpose of this DPA only, and except where indicated otherwise, the term "Client" shall include Client and Authorized User(s).

03

Processing Instructions and Restrictions

3.1 Scope of Processing. The subject matter, nature, purpose, and duration of processing, and the categories of Personal Data and data subjects, are described in Schedule 1 (Processing Details) to this DPA.

3.2 Documented Instructions. Swyft shall process Personal Data for the purposes of providing the Services, as set forth in the MSA, or this DPA. Swyft shall not determine the purposes or means of processing the Personal Data. Unless otherwise set forth herein or in the MSA, Client shall ensure that it is lawful under the Applicable Privacy Laws for Swyft to process the Personal Data and that necessary notices have been or shall be provided to Data Subjects. Client shall also be responsible for the processing instructions it gives Swyft.

3.3 Prohibition on Sale or Sharing. Swyft shall not: (a) sell or share Personal Data as those terms are defined under Applicable Privacy Laws; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services; (c) retain, use, or disclose Personal Data outside the direct business relationship between the parties; or (d) combine Personal Data received from Client with Personal Data obtained from other sources, except as expressly permitted by Applicable Privacy Laws.

3.4 Personnel Confidentiality. Swyft shall ensure that all Swyft personnel and contractors with access to Personal Data are subject to appropriate confidentiality obligations and are prohibited from using or disclosing Personal Data except as necessary to perform the Services.

3.5 Sensitive Data.
(a) Client acknowledges that the Services are not designed to process Sensitive Client Data as defined in the MSA. Swyft shall have no liability for any Sensitive Client Data uploaded by Client in violation of this restriction.
(b) Should Client upload Special Category Data to the Services or Platform, Client warrants and represents that it has identified a valid condition under the GDPR. Swyft processes Special Category Data solely as instructed by Client and does not use such data for its own purposes. Client bears sole responsibility for establishing and documenting the applicable GDPR condition.

04

Subprocessors

4.1 Authorization. Client hereby authorizes Swyft to engage Subprocessors to assist in providing the Services. This authorization constitutes Client's general written authorization to engage Subprocessors. Swyft shall enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set forth in this DPA with respect to the protection of Personal Information to the extent applicable to the nature of the services provided by such Subprocessor.

4.2 Disclosure. Swyft shall make available to Client, upon written request to legal@swyft.co, a list of Subprocessors who may access or process Personal Data in connection with the Services.

4.3 Changes to Subprocessors. Swyft shall provide Client with at least thirty (30) days' prior written notice before engaging any new Subprocessor that will access or process Personal Data. Client may object to such engagement in writing within ten (10) days of receiving notice. If Client timely objects, the parties shall discuss the objection in good faith. If the parties cannot reach a commercially reasonable resolution within a reasonable period, Client may, as its sole and exclusive remedy, terminate the applicable Order Form with respect to those Services that cannot be provided without use of the new Subprocessor.

4.4 Swyft Liability for Subprocessors. Swyft shall remain liable to Client for the acts and omissions of its Subprocessors to the same extent Swyft would be liable if it had performed the services directly.

05

Security

5.1 Technical and Organizational Measures. Swyft shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, use, disclosure, alteration, or destruction, consistent with the security program described in the MSA and any requirements of Applicable Privacy Laws. Such measures shall be appropriate to the nature of the Personal Data, the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.

5.2 Updates to Security Measures. Swyft may update its security measures from time to time, provided that any updates shall not materially diminish the overall level of protection afforded to Personal Data.

5.3 SOC 2. Swyft is working toward SOC 2 Type II certification. Upon completion, Swyft shall make summary audit reports available to Client upon written request, subject to reasonable confidentiality obligations.

5.4 Client Security Obligations. Client is solely responsible for: (a) the security of Client's systems, devices, and access credentials used to access the Services; (b) configuring the Services in a manner appropriate to Client's security requirements; and (c) maintaining data backups independent of the Services.

06

Security Incidents

6.1 Notification. In the event Swyft becomes aware of a confirmed Security Incident affecting Personal Data, Swyft shall notify Client without undue delay, and in no event later than seventy-two (72) hours after becoming aware of the Security Incident, consistent with the MSA. Swyft's notification enables Client to fulfill its own notification obligations to Supervisory Authorities under Applicable Privacy Laws.

6.2 Notification Contents. Swyft's notification shall include, to the extent reasonably known at the time: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of individuals and records affected; (c) the likely consequences of the Security Incident; and (d) measures taken or proposed by Swyft to address the Security Incident. Swyft may provide information in phases as it becomes available, provided that an initial notice is issued within the 72-hour window.

6.3 Client Obligations. Client shall be responsible for all notifications to affected Data Subjects and Supervisory Authorities as required by applicable law. Swyft shall reasonably cooperate with Client's investigation of a Security Incident and provide such further information as Client reasonably requires to comply with its notification obligations.

6.4 No Admission. Swyft's notification of a Security Incident shall not constitute an admission of fault, liability, or responsibility with respect to the Security Incident.

07

Data Subject Rights

7.1 Cooperation. To the extent Client, in its use of the Services, does not have the ability to respond to a data subject request directly through the Services, Swyft shall provide reasonable assistance to Client in fulfilling Client's obligations to respond to requests by Data Subjects seeking to exercise rights under Applicable Privacy Laws and, where European Data Protection Laws apply. Swyft's obligation to assist is limited to what is technically feasible given the nature of the Services.

7.2 Client Responsibility. Client is solely responsible for responding to data subject requests. Swyft shall promptly notify Client if Swyft receives a data subject request directly, and shall advise the data subject to direct their request to Client. Swyft shall not respond to data subject requests on Client's behalf without Client's prior written authorization.

7.3 Costs. Client shall bear any reasonable costs incurred by Swyft in providing assistance under this Section 7 beyond what is included in the standard Services.

08

Data Retention and Deletion

8.1 Retention During Term. Swyft shall retain Personal Data only for the duration of the MSA and applicable Order Forms and corresponding wind-down period, and only as necessary to provide the Services, consistent with the storage limitation principle under Article 5(1)(e) GDPR where applicable.

8.2 Post-Termination Deletion. Upon termination or expiration of the MSA, Swyft shall make Client Data available for export for a period of thirty (30) days following the effective date of termination, consistent with the MSA. After such period, Swyft shall delete or destroy all Personal Data in its possession or control, unless retention is required by applicable law. Upon Client's written request, Swyft shall certify in writing that deletion has been completed.

8.3 Legal Retention Obligations. Notwithstanding Section 8.2, Swyft may retain Personal Data to the extent required by applicable law, provided that Swyft shall: (a) notify Client of any such retention obligation to the extent permitted by law; (b) process retained data only to the extent required by such law; and (c) continue to protect such data in accordance with this DPA.

8.4 No Re-Identification. Swyft shall not attempt to re-identify any anonymized or aggregated data derived from Client Data.

09

Compliance and Audit

9.1 Compliance Documentation and Audit. Upon Client's written request, no more than once per calendar year, Swyft shall make available to Client reasonable documentation evidencing Swyft's compliance with its obligations under this DPA, including any applicable SOC 2 audit reports, subject to Swyft's confidentiality obligations to third parties. Where European Data Protection Laws apply and the information provided is not sufficient to demonstrate compliance, Client may, on reasonable notice and at Client's expense, conduct or commission an audit of Swyft's processing activities, subject to Swyft's reasonable confidentiality and operational requirements. This audit right satisfies the requirement under Article 28(3)(h) GDPR.

9.2 Remediation Notice. Swyft shall promptly notify Client if Swyft determines that it can no longer meet its obligations under this DPA or Applicable Privacy Laws. Upon receiving such notice, Client may direct Swyft to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.

9.3 Legal Requests. If Swyft receives a subpoena, court order, or other legal demand seeking access to Personal Data, Swyft shall, to the extent legally permitted: (a) promptly notify Client; and (b) cooperate with Client in seeking a protective order or other appropriate remedy. Swyft shall disclose only the minimum amount of Personal Data necessary to comply with any such legal demand.

10

HIPAA and Protected Health Information

10.1 Protected Health Information. To the extent that Client is a covered entity, Client shall ensure that Swyft is provided with a Business Associate Agreement. Any health information processed by Swyft shall otherwise be treated in accordance with the terms of this DPA as it applies to Personal Data.

11

Privacy Law Compliance

11.1 CCPA/CPRA Service Provider. With respect to Personal Data subject to the CCPA/CPRA, Swyft acts as a Service Provider as defined under the CCPA/CPRA. Swyft shall not: (a) sell or share CCPA Personal Information as defined by the CCPA/CPRA; (b) retain, use, or disclose CCPA Personal Information for any purpose other than performing the Services or as otherwise permitted by the CCPA/CPRA; or (c) combine CCPA Personal Information received from Client with Personal Data received from other sources, except as permitted by the CCPA/CPRA.

11.2 Other U.S. State Privacy Laws. To the extent Applicable Privacy Laws of any U.S. state apply to the processing of Personal Data under this DPA, Swyft shall comply with the obligations applicable to processors or service providers under such laws.

11.3 GDPR Compliance. To the extent European Data Protection Laws apply to the processing of Personal Data under this DPA, Swyft shall process such Personal Data in accordance with the obligations applicable to processors under the GDPR.

11.4 Cooperation. Swyft shall provide Client with all reasonably requested information necessary to enable Client to fulfill its own obligations under Applicable Privacy Laws and European Data Protection Laws, including the ability to respond to regulatory inquiries and demonstrate compliance.

12

Limitation of Liability

12.1 MSA Cap Applies. Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitation of liability set forth in the MSA. This DPA does not expand either party's liability beyond what is set forth in the MSA.

12.2 Governing Law and Updates. This DPA shall be governed by and construed in accordance with the laws of the State of Texas, consistent with the MSA. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the MSA. Swyft may update this DPA from time to time and shall provide fourteen (14) days' prior written notice to Client. The updated DPA will be posted at swyft.co/legal/dpa. Continued use of the Services after the effective date of any update constitutes acceptance of the updated DPA.

Schedule 1 — Processing Details

Subject matter: The provision of the Platform and related Services as described in the MSA and applicable Order Form.
Nature of Processing: Storage, organization, retrieval, analysis, visualization, and other processing activities necessary to provide the Services. Swyft processes Client Data solely to enable Authorized Users to view, analyze, and create visualizations of Client Data through the Platform.
Purpose of Processing: The purpose of processing is the provision of the Services by Swyft to Client pursuant to the MSA and applicable Order Form.
Duration of Processing: For the duration of the MSA and any active Order Form, plus the 30-day post-termination data export window described in Section 8.2 of this DPA.
Categories of Data Subjects: Determined and controlled by Client in its sole discretion. May include: Authorized Users of Client; Client's own clients (individuals whose data appears in Client's case management systems); Client's employees, agents, and contractors.
Categories of Personal Data: Determined and controlled by Client in its sole discretion. May include: identification and contact data; professional and employment information; case-related data; system and access log data. Does not include Sensitive Client Data as defined in the MSA.
Data Transfers: Swyft may store and process Client Data in data centers located in the United States. Swyft may utilize Subprocessors located in various jurisdictions. All such arrangements are implemented with appropriate safeguards as described in Section 5 of this DPA.

Questions about this DPA?

For data processing inquiries, audit requests, or subprocessor objections, contact our legal team. Enterprise customers may also request a countersigned copy of this DPA.