Data Processing Addendum
Effective date: May 9, 2026
Last updated: May 9, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written or electronic agreement (the "Agreement") between Folio Solutions, an assumed name of Captain RevOps LLC, a Michigan limited liability company (assumed name filed with the Michigan Department of Licensing and Regulatory Affairs) ("Folio," "we," "us," or "our"), and the customer identified in the Agreement ("Customer," "you," or "your") for the provision of the Folio managed packages and related services (the "Services").
This DPA is automatically incorporated into the Agreement when Customer accepts the Folio Terms of Service. A signed copy is available upon request from privacy@foliosolutions.net.
In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data.
Scope and Architecture Overview
Folio is a Salesforce ISV partner. The Services consist of native AppExchange managed packages (Folio Jot and Folio Docs) that are installed in, and run entirely within, the Customer's own Salesforce organization. As a result:
- All document content and other Customer Data created with the Folio managed packages is stored in custom objects inside the Customer's own Salesforce org. It is governed by the Customer's existing Master Subscription Agreement and DPA with Salesforce, Inc.
- Folio does not host, copy, mirror, replicate, or back up Customer Data on its own infrastructure as part of operating the Services, and does not download Customer Data out of the Customer's Salesforce org.
- Folio's processing of Customer Personal Data is therefore limited to: (i) operational data necessary to license, sell, support, invoice, and communicate about the Services (for example, billing contact data, support correspondence, and contact data Customer voluntarily provides); (ii) license, package, and org metadata collected via the Salesforce License Management Application (LMA); (iii) aggregated, non-identifying usage telemetry; and (iv) Customer Data that is incidentally accessed only when, and only for as long as, the Customer affirmatively grants login access for support troubleshooting.
This DPA applies to that limited Folio-side processing. It does not purport to govern the Customer's underlying relationship with Salesforce, Inc. or the data inside the Customer's Salesforce org as such.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given to them in the Agreement or in Applicable Data Protection Laws.
- "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other federal and state privacy laws of the United States.
- "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and related terms have the meanings given in the GDPR, or equivalent terms under other Applicable Data Protection Laws (such as "Business" and "Service Provider" under CCPA/CPRA).
- "Customer Personal Data" means Personal Data processed by Folio on behalf of Customer in connection with the Services.
- "Sub-processor" means any third party engaged by Folio to process Customer Personal Data on behalf of Customer.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries, as updated from time to time.
2. Roles and Scope
2.1 Roles
The parties acknowledge and agree that with regard to the processing of Customer Personal Data:
- Customer is the Controller (or, where Customer is itself a Processor, has the role of Processor acting on behalf of the underlying Controller).
- Folio is the Processor acting on behalf of Customer.
For purposes of CCPA/CPRA, Folio acts as a Service Provider to Customer.
2.2 Scope of Processing
Consistent with the Scope and Architecture Overview above, Folio will process Customer Personal Data only:
- To provide the Services in accordance with the Agreement, which means licensing, supporting, invoicing, and communicating about the managed packages;
- In accordance with Customer's documented instructions, including those set out in the Agreement, this DPA, and as Customer may otherwise reasonably instruct from time to time;
- As required by applicable law (in which case Folio will, where legally permitted, inform Customer of the legal requirement before processing).
Folio will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
2.3 Details of Processing
The details of processing are set out in Annex A of this DPA.
3. Folio's Obligations
3.1 Confidentiality
Folio will ensure that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate data protection training.
3.2 Security
Folio will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex B.
3.3 Sub-processors
(a) General authorization. Customer provides Folio with general authorization to engage Sub-processors to process Customer Personal Data, subject to the requirements of this Section 3.3.
(b) Current Sub-processors. A current list of Sub-processors is maintained at foliosolutions.net/sub-processors.
(c) New Sub-processors. Folio will provide notice (by updating the Sub-processor list and, for active Customers, by email) at least 30 days before authorizing any new Sub-processor. Customer may object in writing within 30 days of such notice on reasonable grounds related to data protection. The parties will work in good faith to resolve the objection. If they cannot, Customer may terminate the Agreement with respect to the Services that cannot be provided without the new Sub-processor, with a pro-rata refund of any prepaid fees for the unused portion.
(d) Sub-processor obligations. Folio will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. Folio remains liable for the acts and omissions of its Sub-processors.
3.4 Data Subject Requests
(a) Folio will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights.
(b) If Folio receives a request directly from a Data Subject relating to Customer Personal Data, Folio will, without undue delay, forward the request to Customer and not respond to the Data Subject directly except to confirm receipt and direct them to Customer.
3.5 Assistance with Compliance
Folio will provide reasonable assistance to Customer in complying with Customer's obligations under Applicable Data Protection Laws, including obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to Folio.
3.6 Personal Data Breach Notification
(a) Folio will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Folio will use reasonable efforts to provide initial notification within 72 hours of becoming aware of the breach, recognizing that initial notification may need to be supplemented as additional information becomes known.
(b) The notification will include, to the extent then known:
- A description of the nature of the breach, including categories and approximate numbers of Data Subjects and records concerned;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its possible adverse effects;
- The name and contact details of Folio's privacy contact.
(c) Folio will provide ongoing updates as additional information becomes available and will reasonably cooperate with Customer's investigation and breach response activities.
3.7 Audits
(a) Folio will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. This includes responding to reasonable security questionnaires and providing summaries of any independent audits or certifications Folio has obtained (such as SOC 2 reports, when available), subject to confidentiality obligations.
(b) On reasonable prior written notice (at least 30 days), and not more than once per twelve-month period, Customer (or an independent third-party auditor mandated by Customer and reasonably acceptable to Folio) may conduct an audit of Folio's compliance with this DPA. Audits must be conducted during business hours, must not unreasonably interfere with Folio's operations, and the auditor must be subject to confidentiality obligations.
(c) Customer bears the cost of any audit it requests, except where the audit reveals material non-compliance by Folio, in which case Folio will bear reasonable audit costs.
(d) Where Folio has provided a recent (within the prior twelve months) independent third-party audit report or certification covering the relevant subject matter, that report or certification will satisfy this Section 3.7 unless Customer has a reasonable, documented basis for further inquiry.
3.8 Return or Deletion of Customer Personal Data
Because document content and other Customer Data created with the Folio managed packages is stored in the Customer's own Salesforce organization, return or deletion of that data is controlled by the Customer within its Salesforce org and not by Folio. Folio cannot return or delete data residing in the Customer's Salesforce org.
With respect to Customer Personal Data that Folio actually holds on its own systems — for example, business contact data, billing records, support correspondence, and LMA license metadata — upon termination or expiration of the Agreement, Folio will, at Customer's choice, delete or return such Customer Personal Data within 30 days, except to the extent retention is required by applicable law (including for tax, accounting, or legal-defense purposes). Backup copies may persist in routine backups for up to 90 days before automatic deletion. Folio will certify deletion in writing upon Customer's request.
4. International Transfers
4.1 Cross-Border Transfers
To the extent that Folio processes Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the transfer will be governed by the applicable Standard Contractual Clauses, which are hereby incorporated by reference, with Customer as data exporter and Folio as data importer.
4.2 Module Selection
For transfers from Controllers to Processors, Module Two of the SCCs applies. For transfers from Processors to Sub-processors (where Customer is a Processor), Module Three applies. Optional clauses are included or omitted as set out in Annex C.
4.3 UK Transfers
For transfers subject to UK data protection law, the UK International Data Transfer Addendum to the SCCs (issued by the Information Commissioner's Office) applies in addition to the SCCs.
5. CCPA/CPRA Specific Provisions
For Personal Data subject to CCPA/CPRA:
- Folio is a Service Provider processing Personal Data on behalf of Customer (the Business) for the limited and specified purpose of providing the Services.
- Folio will not:
  - Sell or share Personal Data;
  - Retain, use, or disclose Personal Data outside of the direct business relationship between Folio and Customer or for any purpose other than the Business Purposes specified in the Agreement;
  - Combine Personal Data received from Customer with Personal Data received from any other source, except as permitted by CCPA/CPRA.
- Folio will notify Customer if it determines that it can no longer meet its obligations under CCPA/CPRA, and will permit Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
6. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement.
7. Term and Termination
This DPA is effective for the term of the Agreement and will continue thereafter for as long as Folio processes Customer Personal Data. Sections that by their nature should survive termination will survive.
8. Miscellaneous
8.1 Order of Precedence
In the event of any conflict between this DPA and the Agreement, this DPA will prevail. In the event of any conflict between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses will prevail.
8.2 Governing Law
This DPA is governed by the laws of the State of Michigan, except that the Standard Contractual Clauses are governed by the law specified in those clauses.
8.3 Updates
Folio may update this DPA from time to time to reflect changes in law, sub-processors, or operational practices. Material changes will be notified to Customer at least 30 days in advance. Continued use of the Services constitutes acceptance.
8.4 Signed Copies
A signed copy of this DPA is available upon request to privacy@foliosolutions.net. The DPA in effect at the time of acceptance applies regardless of whether a separate signed copy is executed.
Annex A — Details of Processing
Subject matter of the processing: Provision of the Folio managed packages (Folio Jot and Folio Docs) and related services as described in the Agreement.
Duration of the processing: For the term of the Agreement and any post-termination retention period set out in this DPA.
Nature and purpose of the processing: To license, distribute, sell, invoice, support, and communicate about the Folio managed packages, and (in aggregated and de-identified form) to improve them. The managed packages themselves run inside the Customer's Salesforce organization; document content and other Customer Data created using the packages is stored in the Customer's Salesforce org and is not transmitted to or processed by Folio in the ordinary course.
Types of Personal Data processed by Folio:
- Business contact data of Customer's billing, administrative, and authorized-user contacts (name, business email address, business phone, role, company name).
- License and org metadata collected via the Salesforce License Management Application (LMA), including Salesforce org ID, edition, package version, license counts, and license assignment data.
- Support and communications data when the Customer or its users contact Folio support (email correspondence, support tickets, chat logs).
- Aggregated, non-identifying usage telemetry relating to feature use of the Services.
- Customer Data that may be incidentally accessed only when, and only for as long as, the Customer affirmatively grants login access for support troubleshooting; such access is logged and time-limited, and Folio does not export or retain that Customer Data.
Types of Personal Data not processed by Folio in the ordinary course: Document content and other Customer Data stored within the Folio managed-package custom objects in the Customer's Salesforce organization. That data resides solely in the Customer's Salesforce org and is governed by the Customer's own agreement with Salesforce, Inc.
Categories of Data Subjects:
- Customer's billing, administrative, and authorized-user contacts.
- Individuals who contact Folio support (typically Customer's employees, contractors, and admins).
Frequency of the transfer: Ongoing for billing, license-management, and support data for the duration of the Agreement; ad hoc for support correspondence; only as initiated by Customer for support login access.
Retention period: As set out in Section 3.8 of this DPA and the Folio Privacy Policy.
Annex B — Technical and Organizational Measures
The technical and organizational measures below cover the systems Folio operates — for example, Folio's CRM, email, billing, support, and source-control systems used to license, support, and communicate about the Services. Customer Data created with the Folio managed packages is stored in the Customer's own Salesforce organization and is protected by the Salesforce platform's native security model and the Customer's configuration of that platform; that environment is not operated or controlled by Folio.
Within the systems Folio operates, Folio implements and maintains the following measures:
Access controls:
- Access to systems holding Customer Personal Data is limited to personnel who need it to operate or support the Services, applying least-privilege principles.
- Multi-factor authentication is enabled for personnel access to systems that hold Customer Personal Data, where the underlying tool or platform supports multi-factor authentication.
- Access rights are revoked promptly upon role change or termination, and access is reviewed when prompted by personnel changes, security events, or other reasonable cause.
Encryption:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest where supported by infrastructure providers.
Operational security:
- Salesforce platform-native security model leveraged for Customer Data within the managed packages.
- Logging and monitoring of access to production systems.
- Regular review of security practices, including sub-processor security posture.
Personnel security:
- Confidentiality obligations imposed on all personnel with access to Customer Personal Data.
- Background checks where permitted by law and proportionate to the role; such checks may be limited or not applicable for sole-proprietor or single-owner operations.
Incident response:
- Breach notification to Customer without undue delay, with reasonable efforts to provide initial notification within 72 hours, as set out in Section 3.6.
- Reasonable efforts to investigate, contain, and remediate security incidents affecting Customer Personal Data, taking into account the nature of the incident and the resources available to Folio.
Business continuity:
- Backups of operational data and configuration.
- Reliance on Salesforce platform high-availability for in-org data and processing.
Compliance:
- Annual review of this DPA and underlying security measures.
- Alignment of internal security practices with industry-recognized frameworks. Folio does not currently hold an independent security certification; the current status of any audit, certification, or third-party assessment is available on request.
These measures are subject to continuous improvement. Folio may update them, provided that the updates do not materially diminish the level of protection.
Annex C — Standard Contractual Clauses Configurations
For the purposes of the Standard Contractual Clauses (Module Two and Module Three, as applicable):
- Clause 7 (Docking clause): Not applicable.
- Clause 9 (Use of sub-processors): Option 2 — General written authorization. Notice period for changes: 30 days as set out in Section 3.3.
- Clause 11 (Redress): The optional language regarding independent dispute resolution is not included.
- Clause 17 (Governing law): The SCCs are governed by the law of Ireland (where Module Two applies) or as otherwise required by the SCCs.
- Clause 18 (Choice of forum and jurisdiction): Disputes arising from the SCCs will be resolved in the courts of Ireland (where Module Two applies) or as otherwise required by the SCCs.
- Annex I.A (Parties): As identified in the Agreement.
- Annex I.B (Description of transfer): As set out in Annex A of this DPA.
- Annex I.C (Competent supervisory authority): As determined under Clause 13 of the SCCs.
- Annex II (Technical and organizational measures): As set out in Annex B of this DPA.
- Annex III (Sub-processors): As maintained at foliosolutions.net/sub-processors.
For questions or to request a signed copy of this DPA: privacy@foliosolutions.net