ProperForm Data Processing Addendum
Effective April 7, 2026
This Data Processing Addendum ("DPA") supplements and is incorporated into the ProperForm Business Terms of Service ("Terms") between ProperForm, Inc. ("ProperForm") and the business agreeing to the Terms ("Business"). This DPA governs ProperForm's processing of Personal Data (as defined below) in connection with ProperForm's provision of the Services to Business.
1. Definitions
As used in this DPA, the following terms have the meanings below. Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms.
- "Applicable Privacy Law" means any U.S. federal or state law or regulation governing the privacy, security, or processing of personal data or personal information that applies to the processing of Personal Data under the Terms and this DPA, including without limitation: the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and any other U.S. state or federal privacy law enacted after the date of this DPA that applies to the processing of Personal Data, as may be in effect from time to time.
- "Business Purpose" means the specific limited and stated purpose(s) for which ProperForm processes Personal Data on behalf of Business, as described in Exhibit A to this DPA.
- "Controller" means the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data, as defined under Applicable Privacy Law (including as the "Business" under the CCPA).
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, which may include Business's Team Members, Clients, and other individuals whose data Business submits to the Services.
- "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under Applicable Privacy Law. Unless otherwise specified, "Personal Data" as used in this DPA refers only to Personal Data that Business or its Team Members or Clients submit to, or that ProperForm collects on behalf of Business through, the Services. Personal Data excludes: (a) Usage Data (as defined in the Terms); (b) personal data that ProperForm independently collects from Business for ProperForm's own purposes as a Controller, such as Business account registration and billing data, which is governed by ProperForm's Privacy Policy; and (c) Protected Health Information, which is governed by the BAA as provided in Section 2.3 of this DPA.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
- "Security Incident" means any confirmed unauthorized acquisition, access, use, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of such data.
- "Sensitive Personal Data" means the categories of personal data designated as "sensitive" or "sensitive personal information" under Applicable Privacy Law.
- "Service Provider" has the meaning given to it under the CCPA, and includes the equivalent role of "Processor" or "Contracted Processor" under other Applicable Privacy Laws.
- "Subprocessor" means any third party engaged by ProperForm to process Personal Data on behalf of Business in connection with the Services.
2. Roles and Scope
2.1. Roles.
As between ProperForm and Business with respect to Personal Data:
(a) Business is the Controller (or "Business" under the CCPA) and determines the purposes and means of processing Personal Data; and (b) ProperForm is the Service Provider (or "Processor" under other Applicable Privacy Laws) and processes Personal Data solely on behalf of and at the direction of Business, in accordance with the Terms and this DPA.
2.2. Scope.
This DPA applies to ProperForm's processing of Personal Data in connection with ProperForm's provision of the Services. This DPA does not apply to:
(a) Personal Data that ProperForm processes as a Controller for its own purposes (e.g., account, billing, and usage data), which is governed by ProperForm's Privacy Policy; or (b) Protected Health Information ("PHI") processed by ProperForm under the BAA, except as provided in Section 2.3 below.
2.3. HIPAA Coordination.
To the extent Personal Data includes PHI, the BAA governs ProperForm's processing of that PHI. This DPA applies to Personal Data that does not constitute PHI, as well as to any non-PHI personal data that is processed alongside PHI in the Services. In the event of any conflict between this DPA and the BAA with respect to PHI, the BAA controls.
3. Processing Instructions
3.1. Instructions.
ProperForm will process Personal Data solely: (a) to provide and operate the Services in accordance with the Terms; (b) as further documented in this DPA, the Terms, and any additional written instructions Business provides to ProperForm from time to time; and (c) as required by Applicable Privacy Law. ProperForm will promptly notify Business if, in ProperForm's reasonable judgment, a Business instruction would cause ProperForm to violate Applicable Privacy Law, in which case ProperForm is not required to follow that instruction until it is modified to comply.
3.2. Restrictions on Processing.
ProperForm will not:
(a) sell Personal Data within the meaning of Applicable Privacy Law; (b) share Personal Data for cross-context behavioral advertising or targeted advertising purposes; (c) retain, use, or disclose Personal Data for any commercial purpose other than the Business Purposes specified in Exhibit A or as otherwise set forth in the Terms, or as required by Applicable Privacy Law; (d) retain, use, or disclose Personal Data outside of the direct business relationship between ProperForm and Business, except as required by Applicable Privacy Law; (e) combine Personal Data with Personal Data obtained from other sources or ProperForm's own interactions with consumers, except as permitted to provide the Services or as otherwise expressly permitted under Applicable Privacy Law; or (f) use Personal Data to train, fine-tune, or otherwise develop artificial intelligence or machine learning models, whether operated by ProperForm or any third party.
3.3. CCPA Certification.
ProperForm certifies that it understands the restrictions set forth in Section 3.2 and will comply with them in accordance with the CCPA.
4. Details of Processing
The subject matter, nature, purpose, duration, categories of Personal Data, and categories of Data Subjects involved in the processing of Personal Data under this DPA are set forth in Exhibit A.
5. Business Obligations
5.1. Legal Basis for Processing.
Business represents and warrants that: (a) it has and will maintain a lawful basis for processing Personal Data, and for disclosing Personal Data to ProperForm, under all Applicable Privacy Laws; (b) it has provided all required notices to, and obtained all required consents from, Data Subjects in connection with Business's submission of Personal Data to the Services; and (c) its instructions to ProperForm comply with all Applicable Privacy Laws.
5.2. Accuracy and Quality.
Business is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Business acquires it.
5.3. Notice of Changes.
Business will notify ProperForm of any restrictions on, or changes to, the processing of Personal Data that may affect ProperForm's ability to perform its obligations under the Terms or this DPA.
6. Confidentiality
6.1. Personnel Obligations.
ProperForm will ensure that all ProperForm personnel authorized to process Personal Data are subject to enforceable confidentiality obligations with respect to such data, whether by contract or applicable professional obligation, and that such personnel process Personal Data only in accordance with ProperForm's instructions and this DPA.
6.2. Access Limitation.
ProperForm will limit access to Personal Data to personnel and Subprocessors who have a need to access such data for purposes of providing the Services.
7. Security
7.1. Security Measures.
ProperForm will implement and maintain appropriate administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized or unlawful access, acquisition, use, disclosure, alteration, or destruction. ProperForm's security measures will take into account: (a) the nature, scope, context, and purposes of processing; (b) the sensitivity of the Personal Data involved, including any Sensitive Personal Data; (c) current industry standards and best practices; and (d) the requirements of Applicable Privacy Law.
7.2. Specific Measures.
Without limiting Section 7.1, ProperForm's security program will include, as appropriate to the Services:
(a) encryption of Personal Data at rest and in transit using industry-standard protocols; (b) role-based access controls restricting access to Personal Data to authorized personnel; (c) multi-factor authentication for systems that store or provide access to Personal Data; (d) logging and monitoring of access to and use of Personal Data; (e) workforce training on privacy and information security obligations; and (f) physical security controls for facilities where Personal Data is processed.
7.3. Risk Assessments.
ProperForm will conduct and document periodic risk assessments to evaluate the sufficiency of its security measures, identify risks and vulnerabilities, and implement remediation measures as necessary.
7.4. Business's Security Responsibilities.
Business is responsible for implementing appropriate security measures for its own systems, networks, and devices, and for securing Personal Data prior to its transmission to ProperForm through the Services. ProperForm is not responsible for security incidents attributable to Business's own systems or failures.
8. Subprocessors
8.1. General Authorization.
Business grants ProperForm a general authorization to engage Subprocessors to process Personal Data in connection with the Services, as provided in this Section 8.
8.2. Subprocessor Obligations.
Before engaging any Subprocessor, ProperForm will ensure that the Subprocessor is bound by a written contract that imposes on the Subprocessor data protection obligations at least as protective of Personal Data as those applicable to ProperForm under this DPA.
8.3. Subprocessor List.
ProperForm will maintain a list of its current Subprocessors available at https://trust.properform.fit/subprocessors.
8.4. Changes to Subprocessors.
ProperForm will provide Business with prior written notice before adding or replacing a Subprocessor. Business may object to any such change, based on reasonable data privacy grounds, by providing written notice to ProperForm within 15 days of receiving notification. If the parties cannot resolve the objection through good-faith discussion within 30 days of Business's objection, either party may terminate the affected Services upon written notice in accordance with the Terms.
8.5. Liability for Subprocessors.
ProperForm remains liable to Business for the acts and omissions of its Subprocessors with respect to Personal Data to the same extent that ProperForm would be liable if performing the Subprocessor's services directly, subject to the limitations of liability in the Terms.
9. Data Subject Rights
9.1. Assistance.
Taking into account the nature of the processing, ProperForm will, to the extent reasonably practicable, provide Business with technical and organizational assistance in fulfilling Business's obligations to respond to Data Subject rights requests under Applicable Privacy Law, including requests to access, correct, delete, port, or opt out of certain processing of Personal Data.
9.2. Data Subject Requests.
If ProperForm receives a rights request directly from a Data Subject that relates to Personal Data, ProperForm will:
(a) promptly notify Business of the request, including the identity of the requestor and the nature of the request, to the extent permitted by Applicable Privacy Law; and (b) not respond to the request independently except as directed by Business or as required by Applicable Privacy Law.
ProperForm will cooperate with Business in responding to any such request within the timeframes required by Applicable Privacy Law.
10. Security Incidents
10.1. Notification.
ProperForm will notify Business of a confirmed Security Incident without unreasonable delay and, in any event, no later than 72 hours after ProperForm becomes aware that a Security Incident has occurred, to the extent reasonably practicable. Initial notification may be provided before all information specified in Section 10.2 is available; ProperForm will supplement the notification with additional information as it becomes available.
10.2. Notification Content.
Each Security Incident notification will include, to the extent available at the time of notification:
(a) the date(s) on which the Security Incident occurred and was discovered by ProperForm; (b) the nature of the Security Incident, including the categories and approximate number of Data Subjects affected and the categories and approximate volume of Personal Data involved; (c) the likely consequences of the Security Incident; (d) the measures ProperForm has taken or proposes to take to address and mitigate the Security Incident; and (e) the name and contact information of a ProperForm representative from whom Business may obtain additional information.
10.3. Cooperation.
ProperForm will cooperate with Business in:
(a) investigating and remediating the Security Incident; (b) Business's compliance with any notification obligations under Applicable Privacy Law, including notifications to regulatory authorities or affected individuals; and (c) any regulatory inquiries or proceedings related to the Security Incident.
Nothing in this DPA requires or authorizes ProperForm to make any notification to a regulatory authority or to affected individuals on Business's behalf, except as required by Applicable Privacy Law or expressly agreed by the parties in writing.
10.4. Mitigation.
ProperForm will take all reasonable measures to contain, mitigate, and remediate the Security Incident and to prevent its recurrence.
10.5. Unsuccessful Attempts.
ProperForm may experience routine unsuccessful attempts at unauthorized access, including pings, port scans, failed log-in attempts, denial-of-service attacks that do not result in a system compromise, and similar events that do not meet the definition of a Security Incident. This DPA constitutes advance general notice to Business of such events, and ProperForm is not required to provide individual notice of each such unsuccessful attempt.
11. Audit Rights
11.1. Compliance Documentation.
ProperForm will maintain documentation of its data protection practices, security measures, and processing activities under this DPA and will make such documentation available to Business upon written request, no more than once per calendar year absent a confirmed Security Incident.
11.2. Written Questionnaire.
Upon Business's written request, no more than once per calendar year (absent a confirmed Security Incident), ProperForm will respond to a reasonable written data protection questionnaire regarding ProperForm's security practices and compliance with this DPA. ProperForm will respond within 30 days of receiving the questionnaire.
11.3. Confidentiality of Audit Results.
All documentation, questionnaire responses, and information disclosed to Business in connection with any audit, assessment, or documentation request under this Section 11 constitute ProperForm's Confidential Information under the Terms and may not be disclosed by Business to any third party without ProperForm's prior written consent, except as required by Applicable Privacy Law.
12. Return and Deletion of Personal Data
12.1. Upon Termination.
Upon termination or expiration of the Terms or this DPA, subject to the Terms and DPA, ProperForm will, at Business's written election and to the extent technically feasible:
(a) return to Business all Personal Data in ProperForm's possession or control in a commercially reasonable, portable format; or (b) delete all Personal Data in ProperForm's possession or control, including Personal Data held by Subprocessors.
12.2. Exceptions.
ProperForm may retain Personal Data after termination solely:
(a) to the extent required by Applicable Privacy Law, in which case ProperForm will continue to protect the retained data in accordance with this DPA and will limit further processing to what is required by law; (b) as part of routine backup or archival systems, provided that retained copies are overwritten and deleted in the ordinary course of ProperForm's backup retention cycle; or (c) in a de-identified or anonymized form that cannot reasonably be re-identified or linked to Business or any individual.
12.3. PHI.
The return and deletion of PHI are governed exclusively by the BAA and are not subject to this Section 12.
13. CCPA/CPRA Service Provider Provisions
13.1. Service Provider Acknowledgment.
The parties acknowledge and agree that ProperForm processes Personal Data as a "Service Provider" as defined under the CCPA/CPRA, and as a Processor or Contracted Processor as defined under other Applicable Privacy Laws. ProperForm will not engage in any processing activity that would disqualify ProperForm from its status as a Service Provider under the CCPA.
13.2. No Sale or Sharing.
ProperForm will not sell or share Personal Data as those terms are defined under the CCPA, and will not use Personal Data for cross-context behavioral advertising.
13.3. No Combining Data.
ProperForm will not combine Personal Data with personal information received from other sources or collected from ProperForm's own interactions with consumers, except as permitted under the CCPA/CPRA to provide a requested Service or as otherwise expressly permitted by Applicable Privacy Law.
13.4. Notification of Inability to Comply.
ProperForm will notify Business promptly if ProperForm determines that it can no longer meet its obligations as a Service Provider under the CCPA or under Applicable Privacy Law with respect to Personal Data.
13.5. Business's Right to Remediate.
Upon written notice to ProperForm that ProperForm is processing Personal Data in a manner inconsistent with this DPA or Applicable Privacy Law, Business has the right to take reasonable and appropriate steps to remediate such unauthorized processing, including directing ProperForm to cease processing and to return or delete the affected Personal Data.
13.6. Sensitive Personal Data.
To the extent Personal Data includes Sensitive Personal Data, ProperForm will process such data only as necessary to provide the Services and will not use or disclose Sensitive Personal Data for any purpose beyond those permitted for a Service Provider under the CCPA and Applicable Privacy Law.
14. Multi-State Privacy Law Compliance
14.1. General Compliance.
Each party will comply with all Applicable Privacy Laws applicable to that party in connection with the processing of Personal Data.
14.2. Updates for New Laws.
The parties will cooperate in good faith to update this DPA as necessary to comply with newly enacted or amended Applicable Privacy Laws. The parties agree to negotiate in good faith and to execute any required amendments within a reasonable period before the effective date of any new law or amendment applicable to the processing of Personal Data.
15. Term and Termination
15.1. Term.
This DPA is effective as of the effective date of the Terms and will remain in effect for so long as the Terms remain in effect.
15.2. Termination.
This DPA terminates automatically upon termination or expiration of the Terms. Any provisions of this DPA that, expressly or by their nature, are intended to survive termination of the DPA will survive such termination.
16. General Provisions
16.1. Order of Precedence.
In the event of any conflict between this DPA and the Terms with respect to the subject matter of this DPA, this DPA controls. In the event of any conflict between this DPA and the BAA with respect to PHI, the BAA controls.
16.2. Governing Law.
This DPA is governed by the same governing law and subject to the same venue and dispute resolution provisions as the Terms.
16.3. Entire Agreement on Subject Matter.
This DPA, together with the Terms and the BAA, constitutes the entire agreement between the parties with respect to ProperForm's processing of Personal Data. This DPA supersedes and replaces any prior data processing agreements between the parties on the same subject matter.
16.4. Amendments.
This DPA may not be modified except by a written instrument executed by authorized representatives of both parties, except as otherwise expressly provided in the Terms or this DPA (including Section 14.2).
16.5. Severability.
If any provision of this DPA is determined by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision will be enforced to the maximum extent permissible and all remaining provisions will continue in full force and effect.
16.6. Interpretation.
Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms or the BAA, as applicable. Any reference in this DPA to a statutory provision includes that provision as amended, replaced, or re-enacted from time to time.
Exhibit A — Details of Processing
Subject Matter of Processing: ProperForm processes Personal Data in connection with providing and operating the Services to Business, including hosting, storage, retrieval, and processing of data submitted through the Services.
Nature of Processing: Collection, storage, retrieval, use, disclosure, transmission, combination (as permitted), and deletion of Personal Data.
Business Purpose(s) for Processing:
- Providing, operating, and maintaining the Services as described in the Terms
- Enabling Business to create, store, assign, and deliver therapy plans, exercise programs, and related content to Clients through the Services
- AI-based transcription of Business audio and video recordings as part of the Services
- Enabling Client access to Business-assigned content and functionality through the client-facing portal of the Services
- Technical support, security, and maintenance of the Services
- Security monitoring, fraud prevention, and abuse detection in connection with the Services
- Generating aggregated and de-identified analytics to improve Service performance, in compliance with Section 3.2(f)
Categories of Personal Data:
- Business and Team Member account data: Includes name, email address, job title, professional licensing information, login credentials
- Client account data: Includes name, email address, login credentials established through Business's invitation
- Clinical Data: Includes Client plans, exercise instructions, AI-generated transcriptions, clinical notes, and related content created or assigned by Business
- Audio and visual recordings
- Client PHI and other health information logged by Clients through the Services
- Technical and device data: Includes IP addresses, device identifiers, log data, browser type, and usage information
Categories of Data Subjects:
- Business's employees, contractors, and other Team Members
- Business's Clients (individuals to whom Business provides professional services through the Services)
Duration of Processing: Continuous for the duration of the Terms, subject to the return and deletion provisions of Section 12 of this DPA and the Terms.