Data Processing Addendum

Scope and order of precedence

This Data Processing Addendum (the 'DPA') is entered into between Customer and Anilize, Inc. ('Anilize') and supplements the Master Services Agreement, order form, or Terms of Service in effect between the parties (the 'Agreement'). The DPA governs Anilize's processing of personal information on behalf of Customer. Capitalized terms not defined here have the meaning given in the Agreement.

If the parties have signed a separate, executed DPA, that signed DPA controls. This page documents Anilize's standing DPA terms for Customers without a separately negotiated agreement.

Definitions

'Personal Information' means any information relating to an identified or identifiable natural person processed under the Agreement, including borrower nonpublic personal information protected under the Gramm-Leach-Bliley Act.

'Customer Data' means data Customer or its authorized users submit to or generate through the Services, including borrower contact, loan application, document, communication, and integration data.

'Processing' has the meaning given under applicable data protection law and includes collection, storage, use, disclosure, retention, and deletion.

'Subprocessor' means a third party engaged by Anilize to process Personal Information on Customer's behalf.

Roles and processing instructions

For Personal Information processed under the Agreement, Customer is the controller (or business) and Anilize is the processor (or service provider) acting on Customer's documented instructions. Anilize will process Personal Information only as needed to provide the Services, comply with the Agreement, and meet legal obligations.

Anilize will not sell Personal Information and will not use Personal Information for purposes beyond providing the Services without Customer's written instruction. Anilize does not use Customer Data to train AI models without an executed Training Consent Form covering the specific tenant scope and data categories.

Subject matter, duration, and data categories

Subject matter: provision of the Anilize platform for mortgage origination, CRM, borrower verification, rate, document, communication, and analytics workflows configured by Customer.

Duration: the active term of the Agreement, plus any retention period required by mortgage compliance, audit, fraud-prevention, or legal-hold obligations.

Categories of data subjects: Customer's authorized users, borrower contacts, realtor partners, and other persons whose information Customer submits to the Services.

Categories of Personal Information: identity, contact, employment, income, asset, debt, property, transaction, communication, identity-verification, and authentication metadata.

Security measures

Anilize maintains administrative, technical, and physical safeguards reasonably designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Specific controls include: TLS for data in transit; provider-managed encryption at rest; AES-256-GCM application-level encryption for third-party credentials; row-level security on tenant data; least-privilege access; access logging and review; vulnerability scanning; and a documented incident-response process.

Anilize implements compliance boundary controls covering adverse-action reason codes (Regulation B / ECOA Appendix C, FCRA), fair-lending protected-class signal detection, valuation boundary controls (AVM/UCDP, appraiser independence), and an immutable audit log of compliance-relevant events.

Subprocessors

Customer authorizes Anilize to engage Subprocessors to process Personal Information for the purpose of providing the Services. The current list of Anilize Subprocessors is published at

Anilize will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA. Anilize will provide notice of new Subprocessors before they begin processing Personal Information through publication on the subprocessor list page or by direct notice if Customer requests it.

Anilize remains responsible for each Subprocessor's performance of its obligations under this DPA.

/legal/subprocessors.

Data subject requests

Anilize will provide reasonable assistance to Customer in responding to requests by data subjects to exercise rights under applicable data protection law, including rights of access, correction, deletion, restriction, portability, and objection.

Where Anilize receives a data subject request directly, Anilize will promptly route the request to Customer for handling, except where applicable law requires Anilize to respond directly.

Personal information breach notification

Anilize will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Information breach affecting Customer Data.

The notification will describe the nature and scope of the breach to the extent known, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.

Audits and information rights

On Customer's written request, Anilize will provide information reasonably necessary to demonstrate compliance with this DPA, including current third-party security audit reports (such as SOC 2) where available, and will respond to Customer audit questionnaires within commercially reasonable timeframes.

Customer may not request information that would compromise the confidentiality, security, or integrity of other Customer's data or Anilize's infrastructure.

International data transfers

Where Personal Information is transferred from a jurisdiction with applicable cross-border transfer rules to another jurisdiction, the parties will rely on appropriate transfer mechanisms, including standard contractual clauses where required.

Customer and borrower data is stored in U.S.-region cloud infrastructure operated by Anilize's hosting and database providers.

Return or deletion of personal information

On expiration or termination of the Agreement, Anilize will, at Customer's election, return or delete Personal Information processed under this DPA, subject to retention requirements imposed by applicable law, mortgage compliance, audit, fraud-prevention, or legal-hold obligations.

Anilize will delete encrypted third-party credentials on disconnection of the related integration.

Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement.

Governing law and changes

This DPA is governed by the laws and dispute-resolution provisions of the Agreement.

Anilize may update this DPA as products, legal requirements, or security controls change. Material updates will be published on this page and, where required, communicated through the contact on file.

Contact

Anilize, Inc.

1608 Metropolitan Circle, Ste. A, Tallahassee, FL 32308

Legal: legal@anilize.com

Privacy: privacy@anilize.com