Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Rick Ryan Photography LLC ("KyoriaOS", "we", "us") and the customer ("Customer", "you"). For personal data that you and your clients submit to the platform, you are the data controller and KyoriaOS is the data processor. KyoriaOS processes such data only on your documented instructions, including as set out in this DPA and the Terms.

We process personal data to provide the KyoriaOS platform: booking management, scheduling, media delivery, client and agent communication, and payment facilitation. Categories of data subjects include your clients, real estate agents, and team members. Categories of personal data include names, email addresses, phone numbers, property addresses, booking and payment metadata, and media files you upload.

We do not sell personal data and do not use your or your clients' personal data for our own marketing.

You authorize KyoriaOS to engage the following sub-processors to deliver the service. Each is bound by data-protection obligations no less protective than this DPA:

• Google Firebase / Google Cloud — authentication and database hosting
• Cloudflare R2 — media file storage
• Vercel — application hosting
• Stripe — payment processing
• Resend — transactional email delivery
• Twilio — SMS delivery (where enabled)

We will give notice of any new sub-processor and a reasonable opportunity to object on legitimate data-protection grounds.

We maintain technical and organizational measures appropriate to the risk, including: encryption in transit (HTTPS), encryption of third-party credentials and OAuth tokens at rest, role-based access controls, tenant data isolation, signed/expiring URLs for media downloads, and least-privilege server-side access to provider APIs. Access to production data is restricted to authorized personnel.

Taking into account the nature of the processing, we will assist you with reasonable measures to respond to requests from data subjects to exercise their rights (access, correction, deletion, restriction, portability). Most such data is directly manageable by you within the platform; we will assist with anything that is not.

Personal data may be processed in the United States and other countries where our sub-processors operate. Where required, transfers are made under appropriate safeguards (such as Standard Contractual Clauses) implemented by the relevant sub-processor.

We retain personal data for as long as needed to provide the service and as described in our Media Storage & Retention Policy and Privacy Policy. On termination, you may export your data within a reasonable period, after which we will delete or anonymize it, except where retention is required by law.

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably available to help you meet your own notification obligations.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

Data-protection questions: privacy@kyoriaos.com