Data Processing Addendum.

This Data Processing Addendum ("DPA") forms part of the agreement between Rlly, Inc. ("Rlly," "Processor") and the customer or design partner that has entered into the Design Partner Agreement or customer agreement with Rlly ("Customer," "Controller") (the "Agreement") and governs Rlly's processing of Personal Data on Customer's behalf. If there is a conflict, this DPA controls over the Agreement on the subject of data processing.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. "Applicable Data Protection Laws" means all privacy and data-protection laws applicable to the processing, including the EU General Data Protection Regulation (2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and U.S. state laws including the California Consumer Privacy Act as amended ("CCPA"). "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and "Sub-processor" have the meanings given in the GDPR (and, for U.S. state laws, the equivalent terms such as "business," "service provider," "consumer," and "personal information"). "SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914. "Customer Personal Data" means Personal Data within Customer Data that Rlly processes on Customer's behalf under the Agreement.

2. Roles and Scope of Processing

The parties acknowledge that, for Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of a third-party controller) and Rlly is the Processor (or Sub-processor). Rlly will process Customer Personal Data only:

• on Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's configuration and use of the product;
• as necessary to provide and support the product; and
• as required by applicable law, in which case Rlly will inform Customer of the legal requirement before processing unless the law prohibits it.

If Rlly believes an instruction violates Applicable Data Protection Laws, it will inform Customer. The subject matter, duration, nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

3. Deployment Models

The scope of Rlly's processing depends on the deployment Customer selects:

• Hosted (multi-tenant). Rlly hosts the product and processes Customer Personal Data as Processor on the infrastructure described in Annex III.
• In-tenant (Customer's own Azure tenant). Where Customer deploys the product within Customer's own cloud tenant (for example, Rlly Max), Customer Personal Data, including transcripts, embeddings, and audit logs, remains within Customer's tenant and under Customer's control. In that model Rlly's processing of Customer Personal Data is limited to the support, configuration, and telemetry activities described in Annex I, and several obligations below apply only to the extent Rlly actually processes Customer Personal Data.

4. Customer Obligations

Customer is responsible for the lawfulness of its instructions and of the Personal Data it provides, including: establishing a valid legal basis for the processing; providing all required notices to Data Subjects; and obtaining all required consents. Without limiting the foregoing, Customer is responsible for obtaining all legally required consents and providing all required notices for the recording and AI processing of calls, as further described in the Call Recording and Consent Policy.

5. Confidentiality and Personnel

Rlly will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on their responsibilities.

6. Security

Rlly will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II. Rlly may update its measures provided the level of protection is not materially reduced.

7. Sub-processors

Customer provides general authorization for Rlly to engage Sub-processors to process Customer Personal Data. Rlly will: (a) maintain a current list of Sub-processors, available at rlly.ai/security.html (the current list is summarized in Annex III); (b) impose data-protection obligations on each Sub-processor that are substantially similar to those in this DPA; and (c) remain liable for each Sub-processor's performance. Rlly will give Customer notice of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance. Customer may object on reasonable, data-protection grounds within that period; the parties will work in good faith to resolve the objection, and if they cannot, Customer may terminate the affected portion of the product as its exclusive remedy.

8. Data Subject Rights

Taking into account the nature of the processing, Rlly will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. If Rlly receives such a request directly, it will, where legally permitted, advise the Data Subject to submit it to Customer and will not respond except on Customer's instruction.

9. Personal Data Breach

Rlly will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its breach-notification obligations. Rlly's notification is not an acknowledgment of fault or liability.

10. Data Protection Impact Assessments

Rlly will provide Customer with reasonable assistance, taking into account the nature of the processing and the information available to Rlly, with data protection impact assessments and prior consultations with supervisory authorities that Customer is required to carry out.

11. Return and Deletion

On termination or expiry of the Agreement, and at Customer's choice, Rlly will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. In the in-tenant deployment model, deletion of Customer Personal Data within Customer's tenant is controlled by Customer.

12. Audits and Information

Rlly will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports and certifications when available (see Annex II). Where Applicable Data Protection Laws give Customer an audit right, the parties will conduct audits no more than once per year (absent a legal requirement or a Personal Data Breach), on reasonable prior notice, during business hours, subject to confidentiality, and in a manner that does not disrupt Rlly's operations.

13. International Transfers

Where Rlly processes Customer Personal Data originating from the EEA, the UK, or Switzerland in a country without an adequacy decision, the SCCs are incorporated into this DPA by reference and apply as follows: Module Two (Controller to Processor) applies where Customer is a Controller, and Module Three (Processor to Processor) applies where Customer is itself a Processor. The optional docking clause applies; the governing law and forum are those selected in Annex I; the audit and Sub-processor provisions of this DPA satisfy the corresponding clauses; and the technical measures in Annex II are the technical measures for the SCCs. For UK transfers, the UK International Data Transfer Addendum applies to the SCCs. For Swiss transfers, references are read to include the Swiss FADP and the Swiss Federal Data Protection and Information Commissioner.

14. U.S. State Privacy Laws (Service-Provider Terms)

With respect to Personal Data subject to the CCPA and similar U.S. state laws, Rlly acts as a "service provider" (or "processor") and certifies that it will: (a) process Personal Data only to perform the services and the business purposes in the Agreement, and not for any other purpose; (b) not "sell" or "share" Personal Data as those terms are defined; (c) not retain, use, or disclose Personal Data outside the direct business relationship or combine it with data from other sources except as permitted by law; and (d) notify Customer if it determines it can no longer meet its obligations. Customer may take reasonable steps to remediate unauthorized use. Rlly will impose these obligations on its Sub-processors.

15. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This applies to liability under the SCCs to the extent permitted by law.

16. General

This DPA is governed by the law and subject to the forum stated in the Agreement, except where Applicable Data Protection Laws or the SCCs require otherwise. If any provision is invalid, the rest remains in effect. This DPA may be signed in counterparts, including electronically.

Annex I: Details of Processing

Parties. Data exporter: Customer (Controller, or Processor on behalf of its own controller). Data importer: Rlly, Inc. (Processor / Sub-processor).

Subject matter and duration. Processing of Customer Personal Data to provide the Rlly product for the term of the Agreement and any wind-down period.

Nature and purpose. Capture, transcription, storage, analysis, and automated processing of meetings and related records; generation of summaries, prompts, and recommended actions; execution of governed actions configured by Customer (such as CRM writes, messages, and outreach); and provision of related support and security.

Types of Personal Data. Identifiers and contact details (name, email, phone, job title, company); meeting content (audio, video, transcripts); communications drafted or sent through the product; CRM and deal records; usage and device data; and any other Personal Data Customer chooses to submit. Customer should not submit special-category data except as expressly agreed.

Categories of Data Subjects. Customer's personnel and authorized users; Customer's customers, prospects, and contacts; and other participants in calls or records Customer processes through the product.

Frequency of transfer. Continuous, for the term.

Competent supervisory authority (SCCs). To be completed based on Customer's lead authority.

Governing law / forum for the SCCs. As selected by the parties and aligned with the Agreement unless otherwise required.

Annex II: Technical and Organizational Measures

Rlly maintains measures designed to protect Customer Personal Data, including:

• Encryption of data in transit and at rest using industry-standard protocols.
• Access control. Role-based access on a least-privilege basis; support for Customer SSO and SCIM provisioning on applicable tiers.
• Governed actions and audit logging. A policy engine that validates agent actions against Customer-defined rules, with a cryptographically signed, tamper-evident audit log of actions.
• Tenant isolation and in-tenant option. Logical separation of Customer data in the hosted model, and an option to deploy within Customer's own Azure tenant with Customer-controlled keys and data residency.
• Network and platform security. Hosting on Microsoft Azure with platform security controls; bot management and protective controls at the network edge.
• Operational security. Change management, logging and monitoring, vulnerability management, and personnel confidentiality and training.
• Resilience. Backup and recovery processes appropriate to the service.
• Certifications. SOC 2 Type I is targeted for H2 2026, with Type II to follow. Rlly will make audit reports available under NDA when issued.

Annex III: Sub-processors

Current Sub-processors (representative; the authoritative list is at rlly.ai/security.html):

In the in-tenant deployment model, model inference and data storage occur within Customer's tenant and on the providers Customer selects, which may change the applicable Sub-processors.

Signatures