Data Processing Addendum

Last Updated: August 11, 2025

This Data Processing Addendum (“Addendum”) supplements and forms part of the Terms and Conditions or other contractual relationship (collectively, the “Agreement”) between Facilisgroup, LLC, a United States entity, and Facilisgroup Canada, Inc., a Canadian entity (together, the “Controller”) and any party that processes Personal Data on behalf of Controller (“Processor”) and governs the Processor’s processing of Personal Data. This Addendum is effective upon Controller’s use of Processor’s services or on provision of Personal Data to Processor. In the event of a conflict between this Addendum and any agreement executed between Controller and Processor, this Addendum will control exclusively with respect to Personal Data.

Definitions

  • “Applicable Privacy Laws” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of Personal Data.
  • “Personal Data” means any information the Processor processes for Controller that (a) identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or (b) the Applicable Privacy Laws otherwise define as protected information.
  • “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available. The terms “Process,” “Processes,” and “Processed” shall have the same meaning.

Details of Processing

Controller is a “business” or “controller” and Processor is a “Service Processor” or “Processor” as those terms are defined under Applicable Privacy Laws. Processor Processes Personal Data solely for purposes of providing Controller with the services as described in the Agreement (the “Business Purposes”).

Processor processes Personal Data of the following categories of data subjects:

  • Partners
  • End Users
  • Customers
  • Prospective Customers/Leads
  • Website Users/Visitors
  • Suppliers

Processor processes the following categories of Personal Data in connection with services provided under the Agreement on behalf of Controller:

  • Identity Data
    • Name
    • Contact Information
  • Transactional/Order Data
    • Product names
    • Quantity
    • Price
    • Order date
    • Shipping Address
  • Technical Data
    • Location Data
    • Online Identifiers
    • Usage Data

The duration of the Processing will be for the later of the term of the Agreement or until such time as the Processor deletes all Personal Data as described in this Addendum.

Compliance

Processor will comply with its obligations related to processing Personal Data under Applicable Privacy Laws. Upon Controller’s reasonable written request, Processor will make available to Controller information necessary to demonstrate Processor has used Personal Data in compliance with Applicable Privacy Laws. Processor shall notify Controller in the event Processor determines that it cannot comply with Applicable Privacy Laws or this Addendum. Upon such notice or in the event Controller otherwise becomes aware of unauthorized Processing of Personal Data, Controller may take reasonable and appropriate steps to stop and remediate the unauthorized processing.

Processor Obligations

Processor will maintain the confidentiality of all Personal Data. Controller discloses Personal Data to Processor solely for the Business Purpose in accordance with Controller’s written instructions, and Processor will Process Personal Data solely for the Business Purpose, except where otherwise required by law. Processor will not (1) retain, use, or disclose Personal Data (i) for any purpose or commercial purpose other than the Business Purpose specified in this Addendum or the Agreement, (ii) in a way that does not comply with this Addendum or Applicable Privacy Laws, or (iii) outside the direct business relationship between Processor and Controller or (2) sell or share Personal Data. Processor must promptly notify Controller if, in its opinion, Controller’s instruction would not comply with Applicable Privacy Laws.

Processor must promptly comply with any Controller request or instruction requiring Processor to amend, transfer, or delete Personal Data, or to stop, mitigate, or remedy any unauthorized processing. Processor will assist Controller with meeting Controller’s compliance obligations under Applicable Privacy Laws, taking into account the nature of the Processor’s processing and the information available to Processor.

Processor will promptly notify Controller of any changes to Applicable Privacy Laws, or its ability to meet its obligations, that may adversely affect Processor’s performance of the Agreement or this Addendum.

Employees

Processor will limit Personal Data access to: (1) employees who require Personal Data access to meet Processor’s obligations under the Agreement and this Addendum, and (2) only those categories of Personal Data that are necessary for such employees to perform their duties. Processor will ensure all employees are adequately trained on, and informed of, the confidential nature of Personal Data and the requirements under Applicable Privacy Laws and this Addendum.

Data Security

Processor must implement appropriate technical and organizational measures designed to safeguard Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage. Processor must take reasonable precautions to preserve the integrity of any Personal Data it processes to prevent any corruption or loss of Personal Data, including but not limited to establishing effective back-up data and restoration procedures.

Security Breaches and Loss of Personal Data

Processor will promptly, and without undue delay, notify Controller if any Personal Data (1) is lost or destroyed; (2) becomes damaged, corrupted, unavailable, or unstable; (3) is subject to unlawful processing; or (4) is impacted by a security breach. Processor will restore such Personal Data at its own expense. The Processor will reasonably cooperate with Controller in Controller’s handling of the incident, including by assisting with any investigation and making available all relevant records and materials required to comply with Applicable Privacy Laws. Controller has the sole right to determine whether to provide notice of a security breach to any impacted individuals, regulators, law enforcement agencies, or others. Processor will cover all reasonable expenses associated with the performance of its obligations under this section unless the matter arose from Controller’s specific instructions. To the extent Processor causes or contributes to a security breach impacting Personal Data, Processor will reimburse Controller for the actual expenses Controller incurs when responding to and mitigating such incident and related damages.

Subcontractors

Processor may only authorize a third party (subcontractor) to process Personal Data if prior to engaging the subcontractor Controller is provided with notice of the proposed subcontracting with full details regarding such subcontractor and a 30-day opportunity to object to such subcontracting. Processor must enter into a written agreement with subcontractors that contains terms substantially similar to those set forth in this Addendum, and Processor must maintain control over all Personal Data it entrusts to a subcontractor. Where a subcontractor fails to fulfill its obligations under the written agreement with Processor, Processor remains fully liable to Controller for the subcontractor’s performance of its obligations.

Responsibility for Consumer Rights Requests

Processor must notify Controller within three business days if it receives a request from a data subject to exercise any rights the individual may have regarding their Personal Data under Applicable Privacy Laws. Processor will provide full cooperation and assistance in responding to any data subject request, complaint, notice, or communication, taking into account the nature of the information processed by and available to Processor.

Return or Deletion

At the end of Processor’s provision of services to Controller under the Agreement, Processor will, at the election of Controller, securely return or delete all Personal Data, unless Processor is required by law to retain such Personal Data. Processor may only use retained Personal Data strictly for the required retention purpose.

Audit

At least once per year, Processor will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Addendum. Upon Controller’s request, Processor will make all the relevant audit reports available to Controller for review.

Term

The term of this Addendum begins as of the date of the Agreement and will end upon the later of the duration of the Agreement or until such time as the Processor deletes all Personal Data as described in this Addendum.

Warranties

Processor warrants and represents that: (1) its employees or any other person accessing Personal Data on its behalf has received training on the Applicable Privacy Laws; (2) it and anyone operating on its behalf will process Personal Data in compliance with Applicable Privacy Laws and this Addendum; (3) it has no reason to believe any Applicable Privacy Laws prevent it from providing any of the Agreement’s contracted services; and (4) it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data.

Contact

For questions about this Addendum, please contact us by email at [email protected] or write to us at:

Facilisgroup, LLC
ATTN: Chief Operations Officer
1600 S. Brentwood Blvd, Suite 800,
St. Louis, MO 63144.