Data Processing Addendum

Last updated: July 4, 2026

This Data Processing Addendum (“DPA”) forms part of the NoRamp Terms and Conditions (the “Agreement”) between NoRamp, Inc. (“NoRamp”) and the Merchant identified in the applicable NoRamp Account (“Merchant”), and applies to the extent NoRamp processes Customer Data that constitutes Personal Data on Merchant’s behalf in providing the NoRamp Services. Capitalized terms not defined in this DPA have the meanings given in the Agreement.

1. Definitions

2. Roles and Scope

As between the parties, Merchant is the controller (or business) and NoRamp is the processor (or service provider) with respect to Personal Data. For clarity, NoRamp processes certain personal data as an independent controller for its own purposes, including account management, underwriting, compliance, and fraud prevention, as described in the NoRamp Privacy Policy; that processing is outside the scope of this DPA. The Processor (Stripe) processes personal data under the Processor Terms and its own privacy policy, and NoRamp is not responsible for the Processor’s processing.

3. Processing Instructions

NoRamp will process Personal Data only on Merchant’s documented instructions, including as set out in the Agreement and this DPA, unless required to do otherwise by applicable law, in which case NoRamp will inform Merchant of that legal requirement before processing unless the law prohibits such notice. NoRamp will promptly inform Merchant if, in NoRamp’s opinion, an instruction infringes Data Protection Laws. Acting as a service provider under the CCPA, NoRamp will not sell or share Personal Data, retain, use, or disclose Personal Data outside the direct business relationship with Merchant or for any purpose other than performing the NoRamp Services, or combine Personal Data with personal information from other sources except as permitted by the CCPA, and NoRamp certifies that it understands and will comply with these restrictions.

4. Details of Processing

Subject matter and duration: the provision of the NoRamp Services for the term of the Agreement. Nature and purpose: transmitting data and instructions to the Processor to facilitate Transactions, providing platform features, dispute assistance, and related support. Categories of data subjects: Merchant’s customers and end users. Categories of Personal Data: identification and contact data (such as name and email address), transaction data (such as amount, product or service description, and payment method metadata), and, where applicable, digital wallet addresses. Special categories of data are not intended to be processed and Merchant will not submit them.

5. Confidentiality and Personnel

NoRamp will ensure that persons authorized to process Personal Data are bound by written or statutory obligations of confidentiality and process Personal Data only as needed to provide the NoRamp Services.

6. Security

NoRamp will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include encryption of Personal Data in transit, access controls and authentication requirements, logical separation of customer data, personnel access on a need-to-know basis, logging and monitoring, and periodic review of security practices. Card payment data is handled by the Processor in accordance with PCI-DSS.

7. Sub-processors

Merchant provides general written authorization for NoRamp to engage Sub-processors, including the categories of providers identified in the NoRamp Privacy Policy and the then-current list of Sub-processors available at noramp.io/subprocessors. NoRamp will impose on each Sub-processor data protection obligations no less protective than those in this DPA, and NoRamp remains liable for its Sub-processors’ performance. NoRamp will provide notice of new Sub-processors, by updating the list or by email, at least fifteen (15) days before the new Sub-processor processes Personal Data. Merchant may object in writing on reasonable data protection grounds within that period, and the parties will work in good faith to resolve the objection; if no resolution is reached, Merchant may terminate the Agreement as its sole remedy.

8. Data Subject Requests

Taking into account the nature of the processing, NoRamp will assist Merchant by appropriate technical and organizational measures, insofar as possible, in fulfilling Merchant’s obligation to respond to data subject requests to exercise rights under Data Protection Laws. If NoRamp receives a request directly from a data subject relating to Personal Data, NoRamp will, to the extent legally permitted, promptly notify Merchant and will not respond except to acknowledge receipt or direct the data subject to Merchant, unless legally required.

9. Personal Data Breach

NoRamp will notify Merchant without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. NoRamp will provide reasonable cooperation with Merchant’s investigation and any notification obligations Merchant has under Data Protection Laws. NoRamp’s notification of a breach is not an acknowledgment of fault or liability.

10. Assistance

Taking into account the nature of the processing and the information available to NoRamp, NoRamp will provide reasonable assistance to Merchant with data protection impact assessments and prior consultations with supervisory authorities, to the extent required of Merchant under Data Protection Laws and related to NoRamp’s processing of Personal Data.

11. Deletion and Return

Upon termination of the Agreement, NoRamp will, at Merchant’s election made within thirty (30) days of termination, delete or return Personal Data processed on Merchant’s behalf, and delete existing copies, unless and to the extent applicable law requires continued storage, in which case NoRamp will isolate and protect the Personal Data from further processing except as required by law. Absent an election, NoRamp will delete Personal Data in accordance with its retention schedules.

12. Audits and Compliance Information

NoRamp will make available to Merchant information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audit reports or security certifications where available. No more than once per twelve (12) month period, and upon at least thirty (30) days’ written notice, Merchant may conduct, or engage an independent auditor bound by confidentiality to conduct, an audit of NoRamp’s processing of Personal Data under this DPA, during business hours, in a manner that does not unreasonably disrupt NoRamp’s operations, and at Merchant’s expense. Where required by a supervisory authority or following a personal data breach, these frequency limits do not apply.

13. International Transfers

Where NoRamp processes Personal Data protected by the GDPR, UK GDPR, or Swiss law in a jurisdiction not recognized as providing an adequate level of protection, the parties agree that the SCCs (Module Two: controller to processor) are incorporated into this DPA by reference, with Merchant as data exporter and NoRamp as data importer, the details of processing in Section 4 serving as Annex I, the security measures in Section 6 serving as Annex II, and the following selections: Clause 7 (docking) included; Clause 9(a) Option 2 with the notice period in Section 7; Clause 11 optional language not included; Clause 17 governed by the law of Ireland; Clause 18 courts of Ireland. For transfers subject to UK GDPR, the UK Addendum applies with the parties’ details completed by reference to this DPA. For transfers subject to Swiss law, the SCCs apply as adapted for Switzerland, with the Swiss Federal Data Protection and Information Commissioner as the competent authority.

14. Liability and Order of Precedence

Each party’s liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement, and references in the Agreement to a party’s liability mean that party’s aggregate liability under the Agreement and this DPA together. In the event of a conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum prevail. This DPA terminates automatically upon termination of the Agreement, except that its obligations continue for so long as NoRamp processes Personal Data on Merchant’s behalf.