DATA PROCESSING ADDENDUM

TO THE STANDARD TERMS AND CONDITIONS FOR PROPERTY MANAGEMENT SOFTWARE

This Addendum (“Addendum”) to the Standard Terms and Conditions for Property Management Software (“Agreement”) between Customer (“Customer”) and ButterflyMX, Inc. (“Provider”) applies to Provider’s processing of Personal Information (as defined below) on behalf of Customer. Customer and Provider are collectively referred to as the “Parties” and each individually referred to as a “Party.”

Definitions. Unless otherwise defined herein, all terms are as defined in the Agreement or Applicable Data Privacy Laws (as hereinafter defined).

a) “Applicable Data Privacy Law(s)” means applicable federal or state laws, regulations, guidance or requirements related to the privacy and protection of Personal Information.

b) “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a natural person or household and that is collected, received, processed, or otherwise used by Provider in providing the services to Customer under the Agreement (the “Services”). The term Personal Information includes “Personal Data” and similar terms as defined under Applicable Data Privacy Laws.

Status of the Parties. Customer is the Controller/Business and Provider is a Processor/Service Provider as defined under Applicable Data Privacy Laws.

Description of Processing.

a) Customer Personal Information. The Parties anticipate that Provider may process Personal Information (including identifiers, personal records, professional or employment-related information, and commercial information) about employees or individual contractors of Customer for the business purposes of performing the Services specified in the Statement of Work or to process payments to Provider by Customer. Provider will not process Customer Personal Information for any other purpose unless instructed by Customer or authorized under Applicable Data Privacy Laws. The processing is expected to include collection, storage, combination, and deletion of Customer Personal Information. The processing shall continue for either: the term of the Agreement; until Provider is directed by Customer to cease the processing; or for so long as necessary to meet legal or recordkeeping requirements.

b) Tenant Personal Information. When Services are to be provided at an occupied property—Provider may process Personal Information (including identifiers, personal records, sensory data, usage data, and commercial information) about tenants, visitors, or other occupants (collectively, “Tenants”) of the properties at which Provider provides the Services. Provider will process Tenant Personal Information solely for the business purposes of performing the Services specified in the Statement of Work, in accordance with the instructions of Customer, or as authorized under Applicable Data Privacy Law. The processing is expected to include collection, storage, and deletion of Occupant Personal Information. The processing shall continue for either: the term of the Agreement; until Provider is directed by Customer to cease the processing; or for so long as necessary to meet legal or recordkeeping requirements.

Compliance with Law. The Parties shall comply with their respective obligations under Applicable Data Privacy Laws during the course, scope, and performance of the Services. Provider shall promptly notify Customer if it determines that it can no longer meet its obligations under this Addendum or Applicable Data Privacy Laws. Upon such notice, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Information by Provider.

Restrictions on Use of Personal Information. Provider shall not: (i) retain, use or disclose Personal Information for any purpose other than for the business purpose(s) set forth in Section 3 and in accordance with instructions from Customer; (ii) retain, use, or disclose Personal Information for a commercial purpose other than for the business purpose(s) set forth in Section 3 and in accordance with instructions from Customer, except as expressly permitted by Applicable Data Privacy Laws; (iii) “sell” or “share” Personal Information, as defined under Applicable Data Privacy Laws; (iv) retain, use or disclose Personal Information outside of the direct business relationship between Customer and Provider; or (v) combine Personal Information received from or on behalf of Customer with Personal Information received from another source or collected from Provider’s own interactions with an individual, except as specifically allowed under Applicable Data Privacy Laws.

Confidentiality. Provider will maintain the confidentiality of Personal Information and impose a duty of confidentiality with respect to the processing of Personal Information on Provider employees who process Personal Information under this Addendum.

Security. Provider will maintain reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure.

Cooperation and Assistance. Provider will provide reasonable assistance to Customer as relates to Customer’s compliance obligations under Applicable Data Privacy Laws, including assisting with responding to security incidents, assisting with privacy rights requests, and providing information and documents necessary for Customer to conduct and document any data protection assessments as may be required by Applicable Data Privacy Laws. When required by Applicable Data Privacy Laws, Customer will inform Provider of any individual privacy rights request that requires Provider’s assistance, and will provide Provider with all information within Customer’s possession that is necessary for Provider to comply with the request. Unless otherwise instructed by Customer in writing, when Provider receives a privacy rights request directly from a Tenant, Provider will process the request with respect to the Personal Information Provider maintains about the requestor.

Subcontractors. Provider acknowledges that the restrictions and obligations under Applicable Data Privacy Laws, this Addendum, and the Agreement apply even if Provider uses subcontractors to process Personal Information. Provider shall enter into a written agreement with each authorized subcontractor engaged to process Personal Information that imposes obligations on such subcontractor that are at least as restrictive as those imposed on Provider under this Addendum.

Demonstration of Compliance. Upon request by Customer, Provider shall make available to Customer information demonstrating Provider’s compliance with its obligations under this Addendum. When required under Applicable Data Privacy Laws, Provider will allow for, and contribute to, reasonable audits and inspections of Provider’s compliance with this Addendum by the Customer or Customer’s designated auditor. Such audits or inspections shall be conducted at a mutually agreed upon time and place, and shall be paid for by Customer.

Return or Destruction of Personal Information. Promptly upon the expiration or termination of the Agreement, or as otherwise requested by Customer, Provider shall, at Customer’s election as evidenced in writing, either (i) destroy or render unreadable or undecipherable all Personal Information in Provider’s possession, or (ii) securely return Personal Information to Customer.

Indemnity. Customer agrees to indemnify, defend, and hold harmless Provider and each of its officers, directors, employees, contractors and agents from and against all losses, fines, liabilities, damages, settlements, actions, claims, suits, investigations, or other proceedings (including, without limitation, legal fees and costs, identity protection assistance and similar services procured for consumers, and reasonable technical consultant fees) to the extent relating to or arising from: (i) Customer’s failure to comply with its obligations as set forth in this Addendum; (ii) Customer’s failure to comply with Applicable Data Privacy Laws.

Provider certifies that it understands the restrictions set forth herein and under Applicable Data Privacy Laws, and will comply with them.